7zS850A099E.zip

General
Target

7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe

Filesize

116KB

Completed

19-01-2022 08:13

Score
10/10
MD5

b8ecec542a07067a193637269973c2e8

SHA1

97178479fd0fc608d6c0fbf243a0bb136d7b0ecb

SHA256

fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e

Malware Config
Signatures 6

Defense Evasion
Discovery
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Deletes itself
    cmd.exe

    Reported IOCs

    pid    process
    1592   cmd.exe
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid    process
    1640   PING.EXE
  • Suspicious use of WriteProcessMemory
    61e7502f007f3_Tue23d6fecf8c.exe, cmd.exe

    Reported IOCs

    description                        pid    process                           target process
    PID 480 wrote to memory of 1592    480    61e7502f007f3_Tue23d6fecf8c.exe   cmd.exe
    PID 480 wrote to memory of 1592    480    61e7502f007f3_Tue23d6fecf8c.exe   cmd.exe
    PID 480 wrote to memory of 1592    480    61e7502f007f3_Tue23d6fecf8c.exe   cmd.exe
    PID 480 wrote to memory of 1592    480    61e7502f007f3_Tue23d6fecf8c.exe   cmd.exe
    PID 1592 wrote to memory of 1640   1592   cmd.exe                           PING.EXE
    PID 1592 wrote to memory of 1640   1592   cmd.exe                           PING.EXE
    PID 1592 wrote to memory of 1640   1592   cmd.exe                           PING.EXE
    PID 1592 wrote to memory of 1640   1592   cmd.exe                           PING.EXE
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"
    Suspicious use of WriteProcessMemory
    PID:480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe" >> NUL
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        Runs ping.exe
        PID:1640
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Downloads
  • memory/480-55-0x0000000074EC1000-0x0000000074EC3000-memory.dmp