bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18/09/2022, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe
Size

75KB
MD5

223a512f5c73433b587cecb1473179c8
SHA1

148a74c051f9db27376635d4c4d130c87460f77b
SHA256

bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea
SHA512

919d0c7af6dbb725df0c77946128b3a0b342acb47a9e3ac0b1851f5202531ceeec8a36b94b87ae61839c8e089995724529dee69c3067bb8fa0325cf3919fe329
SSDEEP

1536:bVN9S4A343LR+u+yEfXPqD+ZTIlG4t2ynLMTZnai:b0aR+u0XPqD+Z8lG4t2ynL4Zai

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\intel\jingling.exe	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 240	1960	bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe	28
PID 1960 wrote to memory of 240	1960	bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe	28
PID 1960 wrote to memory of 240	1960	bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe	28
PID 1960 wrote to memory of 240	1960	bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe	28
PID 240 wrote to memory of 2032	240	WScript.exe	30
PID 240 wrote to memory of 2032	240	WScript.exe	30
PID 240 wrote to memory of 2032	240	WScript.exe	30
PID 240 wrote to memory of 2032	240	WScript.exe	30
PID 2032 wrote to memory of 1172	2032	cmd.exe	32
PID 2032 wrote to memory of 1172	2032	cmd.exe	32
PID 2032 wrote to memory of 1172	2032	cmd.exe	32
PID 2032 wrote to memory of 1172	2032	cmd.exe	32
PID 1172 wrote to memory of 1756	1172	net.exe	33
PID 1172 wrote to memory of 1756	1172	net.exe	33
PID 1172 wrote to memory of 1756	1172	net.exe	33
PID 1172 wrote to memory of 1756	1172	net.exe	33

C:\Users\Admin\AppData\Local\Temp\bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe
"C:\Users\Admin\AppData\Local\Temp\bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abc.vbs"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net stop ATISmart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\net.exe
      net stop ATISmart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ATISmart
        5⤵
        
        PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\abc.vbs

Filesize
1KB

MD5
2a5a8bb0ed289cb4253d2b93d5e63311

SHA1
ebccfdf01b2fcffcb7b92f8bed902b205867a6d4

SHA256
e34b3617c34997ddcd2e32516f2a9227d4e1d9bff24cc6c4dca2d704dd3d1c12

SHA512
c77c4afa558c059fa788f0b49f140d24bbf3f709dcf5ded046cbe89f8910d9b66941a52cb50f39dbe44189efcdae4bb1db3690528517c6b3ad695d7522f8a184

Download Submit
memory/1960-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1960-55-0x0000000000420000-0x00000000004CC000-memory.dmp

Filesize
688KB

Download