3de01baef40966cf9880425e3b797b71d0ea3ee69ebf148f4487bc343fb99278

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27/03/2023, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3de01baef40966cf9880425e3b797b71d0ea3ee69ebf148f4487bc343fb99278.exe
Size

9.6MB
MD5

61d263a72ff39788624232e40297fbd0
SHA1

2074d989de7ae88eb7f29c1d022f1eae7648c82a
SHA256

3de01baef40966cf9880425e3b797b71d0ea3ee69ebf148f4487bc343fb99278
SHA512

370d7ca630a6aa95b962a108f3838e029c942bbfddc099f6e3305bbd67d1a61ecfc50f7bb0eef9f47c68e71bdce4cbffdf4eca0932972d37f0588b34d5253f2d
SSDEEP

196608:s1szgJohdMpfuQp7xWq9vvYaMm4+fbGclIm9VKYyjQF8I:s1sZuNR7j9YneErMl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1992	bot.exe

Loads dropped DLL 2 IoCs

pid	Process
1200	3de01baef40966cf9880425e3b797b71d0ea3ee69ebf148f4487bc343fb99278.exe
1992	bot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1992	1200	3de01baef40966cf9880425e3b797b71d0ea3ee69ebf148f4487bc343fb99278.exe	28
PID 1200 wrote to memory of 1992	1200	3de01baef40966cf9880425e3b797b71d0ea3ee69ebf148f4487bc343fb99278.exe	28
PID 1200 wrote to memory of 1992	1200	3de01baef40966cf9880425e3b797b71d0ea3ee69ebf148f4487bc343fb99278.exe	28

C:\Users\Admin\AppData\Local\Temp\3de01baef40966cf9880425e3b797b71d0ea3ee69ebf148f4487bc343fb99278.exe
"C:\Users\Admin\AppData\Local\Temp\3de01baef40966cf9880425e3b797b71d0ea3ee69ebf148f4487bc343fb99278.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\onefile_1200_133243731223510000\bot.exe
  "C:\Users\Admin\AppData\Local\Temp\3de01baef40966cf9880425e3b797b71d0ea3ee69ebf148f4487bc343fb99278.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_1200_133243731223510000\bot.exe

Filesize
9.8MB

MD5
1d8d423fcb1c7e33cd391a455e901c73

SHA1
c2f7a2d74c646aebdff17da6e75ac480b7376d55

SHA256
1dcd4e001486a8a7736fc942d8c02b6f34f96368afae7af60d1933d2513bc6ef

SHA512
ab72c355a057b7fccbc20344c3fd94f41324157a9e4df75ab91014ab22b4d26c4683876cd84cb626d8f0ea5d6f79567dd3f4da32cca9b4c63c7a238eeeed66d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1200_133243731223510000\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1200_133243731223510000\bot.exe

Filesize
9.8MB

MD5
1d8d423fcb1c7e33cd391a455e901c73

SHA1
c2f7a2d74c646aebdff17da6e75ac480b7376d55

SHA256
1dcd4e001486a8a7736fc942d8c02b6f34f96368afae7af60d1933d2513bc6ef

SHA512
ab72c355a057b7fccbc20344c3fd94f41324157a9e4df75ab91014ab22b4d26c4683876cd84cb626d8f0ea5d6f79567dd3f4da32cca9b4c63c7a238eeeed66d3

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1200_133243731223510000\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
memory/1200-153-0x000000013FED0000-0x000000013FF0C000-memory.dmp

Filesize
240KB

Download
memory/1200-154-0x000000013FED0000-0x000000013FF0C000-memory.dmp

Filesize
240KB

Download
memory/1992-106-0x000000013FE80000-0x000000014088F000-memory.dmp

Filesize
10.1MB

Download