ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c

Analysis

max time kernel
118s
max time network
130s
platform
windows7_x64
resource
win7-en-20211208
submitted
06-03-2022 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe
Size

112KB
MD5

5c281ddacaddf036d2b836b656cc3a8f
SHA1

93c5595c540181395fac196acd3329fde0c1b1fd
SHA256

ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c
SHA512

fb5c92180b2713d92b26a220abd13ff529a2366327c76c84379b2742bb55e456440ce87fd142323e06969c23f973ba011836a29c1c660461b2a4eeb19c508974

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
276	timeout.exe
1516	timeout.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 608 wrote to memory of 2044	608	ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe	27
PID 608 wrote to memory of 2044	608	ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe	27
PID 608 wrote to memory of 2044	608	ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe	27
PID 608 wrote to memory of 2044	608	ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe	27
PID 2044 wrote to memory of 276	2044	cmd.exe	29
PID 2044 wrote to memory of 276	2044	cmd.exe	29
PID 2044 wrote to memory of 276	2044	cmd.exe	29
PID 2044 wrote to memory of 1516	2044	cmd.exe	31
PID 2044 wrote to memory of 1516	2044	cmd.exe	31
PID 2044 wrote to memory of 1516	2044	cmd.exe	31
PID 2044 wrote to memory of 1788	2044	cmd.exe	32
PID 2044 wrote to memory of 1788	2044	cmd.exe	32
PID 2044 wrote to memory of 1788	2044	cmd.exe	32
PID 1788 wrote to memory of 800	1788	WScript.exe	35
PID 1788 wrote to memory of 800	1788	WScript.exe	35
PID 1788 wrote to memory of 800	1788	WScript.exe	35

C:\Users\Admin\AppData\Local\Temp\ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe
"C:\Users\Admin\AppData\Local\Temp\ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:608
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E975.tmp\E976.tmp\E977.bat C:\Users\Admin\AppData\Local\Temp\ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\system32\timeout.exe
    timeout /t 7 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:276
- - C:\Windows\system32\timeout.exe
    timeout /t 10 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1516
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\remove.bat" "
      4⤵
      PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/608-55-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/2044-58-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp

Filesize
8KB

Download