69aa4a9c2bdf619abd8bd9c0511334eaeb344f9059e91232babd452494338b6d

Analysis

max time kernel
11s
max time network
110s
platform
windows10_x64
resource
win10v20210410
submitted
06-05-2021 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DelDir.exe
Size

21KB
MD5

17fbb192a61c48baae90bbe30e347004
SHA1

9c4844d4ec152e91aba1667505e83aef03cc9003
SHA256

69aa4a9c2bdf619abd8bd9c0511334eaeb344f9059e91232babd452494338b6d
SHA512

6a5ccb946f189ce459effa012a78cfec1d7d3337f09420fa15ceab4ffdd3ee17c8ecc22eec027202d683bf29ad01fefe98404f3f0e3f5f9cda68f35baebcfa91

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

DelDir.execmd.exe

description	pid	process	target process
PID 4008 wrote to memory of 1064	4008	DelDir.exe	cmd.exe
PID 4008 wrote to memory of 1064	4008	DelDir.exe	cmd.exe
PID 4008 wrote to memory of 1064	4008	DelDir.exe	cmd.exe
PID 1064 wrote to memory of 1916	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1916	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1916	1064	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\DelDir.exe
"C:\Users\Admin\AppData\Local\Temp\DelDir.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\166C.tmp\DelDir.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c DIR /A:D "{*"
3⤵
PID:1916

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\166C.tmp\DelDir.bat
MD5
f906f10f736ac0d23531d9750fe1630e

SHA1
98c2e1ee04a2f947c321e44becf8bf3bf718180b

SHA256
ce717f2b8c3bc436c534d9d40130c80ef4d5b475dbbdb7a7e345ec9d6a17d36c

SHA512
f399303b31f26e37fe0ca719988ea98e7a70e0277e1234fe67355e91d4a72c5b0926acb47d0d0bef718c9018aeb4a6d13296bb5608261e89b41a754af8b9f95b

Download Submit
memory/1064-114-0x0000000000000000-mapping.dmp

Download
memory/1916-116-0x0000000000000000-mapping.dmp

Download