91f4b7ae747bfd036882e084650f608782b6054ecc8ab32f5fe91b91caf80e5d

Resubmissions

12-08-2021 21:22

12-08-2021 20:38

Target

Uninstall.exe
Size

97KB
MD5

a8c53399726fea24e4af993e971df5af
SHA1

50b4c4d3cf172106417dc0e59eaa63bf7cd0603e
SHA256

6b13a733947bc2395695cc6f9a8b59eae88cf6467e368a810bcac0c10d6c46a6
SHA512

b2159712ecfa8f7e9a75a190e858cc791bcdcd19118a6db40041d7ffbda531343a63244d35012702dda8514191e8bf6e838ab896c9db232f2c163fc4d4cd2bf9

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Uninstall.exe

description	pid	process	target process
PID 1988 wrote to memory of 1760	1988	Uninstall.exe	Uninstall.exe
PID 1988 wrote to memory of 1760	1988	Uninstall.exe	Uninstall.exe
PID 1988 wrote to memory of 1760	1988	Uninstall.exe	Uninstall.exe
PID 1988 wrote to memory of 1760	1988	Uninstall.exe	Uninstall.exe
PID 1988 wrote to memory of 1760	1988	Uninstall.exe	Uninstall.exe
PID 1988 wrote to memory of 1760	1988	Uninstall.exe	Uninstall.exe
PID 1988 wrote to memory of 1760	1988	Uninstall.exe	Uninstall.exe

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
  "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" end
  2⤵
  PID:1760

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1760-60-0x0000000000000000-mapping.dmp

Download
memory/1988-59-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download