Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    04-01-2022 16:15

General

  • Target

    RTGS_COPY.cmd.exe

  • Size

    3.7MB

  • MD5

    1cdd2dcf1a3545143dc08e0cd3f3fcc0

  • SHA1

    30e1d553053985d26cb926303e30aaf8f08fe76a

  • SHA256

    b7cd89612804eefbea4cc01513408994f8ea65d03a2cd68d07da77d43afd787c

  • SHA512

    45562075dae952ebe2701d6a7d92b9af15867f306685680c1448592552b674f050ddd34334796e1e523c208bed6796b9c2264f1fef65a7fb7fdbaf61683cf7dd

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RTGS_COPY.cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\RTGS_COPY.cmd.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      2⤵
        PID:708

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/708-58-0x0000000000000000-mapping.dmp

    • memory/1928-55-0x0000000000220000-0x0000000000226000-memory.dmp

      Filesize

      24KB

    • memory/1928-56-0x0000000000220000-0x000000000022A000-memory.dmp

      Filesize

      40KB

    • memory/1928-57-0x0000000076511000-0x0000000076513000-memory.dmp

      Filesize

      8KB