0b2a869538b0dae56ae80ba7a68baef4a2199c4883de2564ef433690142a1dec

Analysis

max time kernel
281s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2023 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b2a869538b0dae56ae80ba7a68baef4a2199c4883de2564ef433690142a1dec.exe
Size

414KB
MD5

a6b99250e1a387291a22be6e12a22f13
SHA1

a33c3a5a752a4c72413846a6fc60a5efc2b610c8
SHA256

0b2a869538b0dae56ae80ba7a68baef4a2199c4883de2564ef433690142a1dec
SHA512

3063437ef2777b6e19bbb92890eb02c36cf71fa4a7b11f19cd9b9448739351ae92cad61aa8b65f925faa493a719eeaff471f181bb92134e3c3af9fa75317c523
SSDEEP

6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RUt:ITNYrnE3bm/CiejewY5vO

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0b2a869538b0dae56ae80ba7a68baef4a2199c4883de2564ef433690142a1dec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c5e4gxfvd4v = "C:\\Users\\Admin\\AppData\\Roaming\\c5e4gxfvd4v\\ximo2ubzn1i.exe"	0b2a869538b0dae56ae80ba7a68baef4a2199c4883de2564ef433690142a1dec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\0b2a869538b0dae56ae80ba7a68baef4a2199c4883de2564ef433690142a1dec.exe
"C:\Users\Admin\AppData\Local\Temp\0b2a869538b0dae56ae80ba7a68baef4a2199c4883de2564ef433690142a1dec.exe"
1⤵
- Adds Run key to start application
PID:2212

C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
"C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe"
2⤵
PID:4604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
Filesize
414KB

MD5
157dfbcec8e509e1bcf3fb665292cc5c

SHA1
0f66749bba5aebb544b99369231c8eb38d1bce8e

SHA256
4e1c18f97583f23a1cea94cda1bed8e1dde7999fb1819290146bbf81a65777d3

SHA512
55646fdb09cb4c953f9be4ce3254f8103ed49abe33abf6d23511f97920ccbb38d7259d18915988bc79f3d6e18176faf77dda5f849d8170cf7e2c207241df3e20

Download Submit
C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
Filesize
414KB

MD5
157dfbcec8e509e1bcf3fb665292cc5c

SHA1
0f66749bba5aebb544b99369231c8eb38d1bce8e

SHA256
4e1c18f97583f23a1cea94cda1bed8e1dde7999fb1819290146bbf81a65777d3

SHA512
55646fdb09cb4c953f9be4ce3254f8103ed49abe33abf6d23511f97920ccbb38d7259d18915988bc79f3d6e18176faf77dda5f849d8170cf7e2c207241df3e20

Download Submit
C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
Filesize
414KB

MD5
157dfbcec8e509e1bcf3fb665292cc5c

SHA1
0f66749bba5aebb544b99369231c8eb38d1bce8e

SHA256
4e1c18f97583f23a1cea94cda1bed8e1dde7999fb1819290146bbf81a65777d3

SHA512
55646fdb09cb4c953f9be4ce3254f8103ed49abe33abf6d23511f97920ccbb38d7259d18915988bc79f3d6e18176faf77dda5f849d8170cf7e2c207241df3e20

Download Submit
memory/2212-133-0x0000000000D80000-0x0000000000DEE000-memory.dmp

Filesize
440KB

Download
memory/2212-134-0x0000000005DF0000-0x0000000006394000-memory.dmp

Filesize
5.6MB

Download
memory/2212-135-0x0000000001650000-0x00000000016E2000-memory.dmp

Filesize
584KB

Download
memory/2212-136-0x0000000001700000-0x000000000170A000-memory.dmp

Filesize
40KB

Download
memory/2212-137-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/2212-138-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download