6ce9932e86d667adfe3c2fb2413f4378e63cc5fe5538e9ca81f29acd4169505c

Analysis

max time kernel
70s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ce9932e86d667adfe3c2fb2413f4378e63cc5fe5538e9ca81f29acd4169505c.exe
Size

36KB
MD5

d5f361c17a970d95d85d641c7afccd97
SHA1

532088108e62d7a7301a859f5f2969ccc6c2b044
SHA256

6ce9932e86d667adfe3c2fb2413f4378e63cc5fe5538e9ca81f29acd4169505c
SHA512

39d15522913525430d0fd0aada792995701be87336ed280744542af08d003f66b3f3df68dd0b767824ed565f36fbbe0e3dd8b9f2f743c77efe2645148805b0d4
SSDEEP

384:fc2HOo97fkDASlJc5IB1dBx2SGct9JcInp5wyWq2BzSQEt:E2HOefk8NvSGctDL2Sb

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1496	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
872	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	872	tasklist.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1348	6ce9932e86d667adfe3c2fb2413f4378e63cc5fe5538e9ca81f29acd4169505c.exe
1348	6ce9932e86d667adfe3c2fb2413f4378e63cc5fe5538e9ca81f29acd4169505c.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1496	1348	6ce9932e86d667adfe3c2fb2413f4378e63cc5fe5538e9ca81f29acd4169505c.exe	29
PID 1348 wrote to memory of 1496	1348	6ce9932e86d667adfe3c2fb2413f4378e63cc5fe5538e9ca81f29acd4169505c.exe	29
PID 1348 wrote to memory of 1496	1348	6ce9932e86d667adfe3c2fb2413f4378e63cc5fe5538e9ca81f29acd4169505c.exe	29
PID 1348 wrote to memory of 1496	1348	6ce9932e86d667adfe3c2fb2413f4378e63cc5fe5538e9ca81f29acd4169505c.exe	29
PID 1496 wrote to memory of 872	1496	cmd.exe	31
PID 1496 wrote to memory of 872	1496	cmd.exe	31
PID 1496 wrote to memory of 872	1496	cmd.exe	31
PID 1496 wrote to memory of 872	1496	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\6ce9932e86d667adfe3c2fb2413f4378e63cc5fe5538e9ca81f29acd4169505c.exe
"C:\Users\Admin\AppData\Local\Temp\6ce9932e86d667adfe3c2fb2413f4378e63cc5fe5538e9ca81f29acd4169505c.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 6ce9932e86d667adfe3c2fb2413f4378e63cc5fe5538e9ca81f29acd4169505c.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-57-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1348-58-0x0000000003CD1000-0x000000000421D000-memory.dmp

Filesize
5.3MB

Download