d1625ceced7a2f7dc10f9b06c450f1630696d4aeab6fed741c7baa43099fdd5c

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
16/09/2022, 04:09

Target

d1625ceced7a2f7dc10f9b06c450f1630696d4aeab6fed741c7baa43099fdd5c.exe
Size

309KB
MD5

45f6bc89262662b104a89938cc246601
SHA1

5705ba69b7f7370631f40a86381d2aff6ce8e8a5
SHA256

d1625ceced7a2f7dc10f9b06c450f1630696d4aeab6fed741c7baa43099fdd5c
SHA512

e07fb39c055983f704a002680251e23137964447e9af363bf5b1e8a38e9813f31dbcce11d3a2e6d1456852db0c122f9b60e5d375e31742db5402691e4b5de09b
SSDEEP

6144:EOYGXaPNxdgSdcq2pVZPOJHAbKeT+tMXYOg:oGqN/XdctpVtkOT+tFOg

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 276	992	d1625ceced7a2f7dc10f9b06c450f1630696d4aeab6fed741c7baa43099fdd5c.exe	27
PID 992 wrote to memory of 276	992	d1625ceced7a2f7dc10f9b06c450f1630696d4aeab6fed741c7baa43099fdd5c.exe	27
PID 992 wrote to memory of 276	992	d1625ceced7a2f7dc10f9b06c450f1630696d4aeab6fed741c7baa43099fdd5c.exe	27
PID 992 wrote to memory of 276	992	d1625ceced7a2f7dc10f9b06c450f1630696d4aeab6fed741c7baa43099fdd5c.exe	27

C:\Users\Admin\AppData\Local\Temp\d1625ceced7a2f7dc10f9b06c450f1630696d4aeab6fed741c7baa43099fdd5c.exe
"C:\Users\Admin\AppData\Local\Temp\d1625ceced7a2f7dc10f9b06c450f1630696d4aeab6fed741c7baa43099fdd5c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cp\cp.vbs"
  2⤵
  PID:276

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\cp\cp.vbs

Filesize
3KB

MD5
2956871deed030f811ef532614377c55

SHA1
6c04e3d8930fbd72ae2a3b5e427cd4d1f9191808

SHA256
754cf05f4e55a7aa79dffcc57ecfc862cfd84cbc8bbea83523bd4e744d337999

SHA512
0974eb92e67d4747a937706523cd6e1dffc29ce5738beb29e2e9bc363e5ecf03176fcfc310c53d99af3d87ad822edf3dfbf4f16053623022bfd0d06d291595bd

Download Submit
memory/992-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download