94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-en-20211014
submitted
17-11-2021 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe
Size

256KB
MD5

447af103027bb7cfa1c09538b38a6007
SHA1

f369d25335c9c899f94ee0e2c2e3ac4b09f27812
SHA256

94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb
SHA512

64fb4db381c01e511c7e32871c386bfa70dddaab9e2cd24d4b9cd98913546e92f28dc1e54f6073638bc159f460cdd82978756c4cf1b4b24d0192b62cac2eed24

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1928 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1928	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.execmd.exe

description	pid	process	target process
PID 1092 wrote to memory of 1928	1092	94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe	cmd.exe
PID 1092 wrote to memory of 1928	1092	94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe	cmd.exe
PID 1092 wrote to memory of 1928	1092	94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe	cmd.exe
PID 1092 wrote to memory of 1928	1092	94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe	cmd.exe
PID 1928 wrote to memory of 436	1928	cmd.exe	choice.exe
PID 1928 wrote to memory of 436	1928	cmd.exe	choice.exe
PID 1928 wrote to memory of 436	1928	cmd.exe	choice.exe
PID 1928 wrote to memory of 436	1928	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe
"C:\Users\Admin\AppData\Local\Temp\94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del C:\Users\Admin\AppData\Local\Temp\94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:436

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/436-62-0x0000000000000000-mapping.dmp

Download
memory/1092-55-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1092-57-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1092-58-0x00000000004F0000-0x000000000053C000-memory.dmp

Filesize
304KB

Download
memory/1092-59-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1092-60-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1928-61-0x0000000000000000-mapping.dmp

Download