d461272daec0e042004251f13dd72f58713fd9e70412434916a6c8c44579e06c

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 07:35

Target

d461272daec0e042004251f13dd72f58713fd9e70412434916a6c8c44579e06c.exe
Size

167KB
MD5

0d80ce9b4aeef8d265e0d477ce5526bc
SHA1

fa9579bf65b1e10736d0d9a6fcdb36c7ad332931
SHA256

d461272daec0e042004251f13dd72f58713fd9e70412434916a6c8c44579e06c
SHA512

c0169e833c7442041547dd1e9eb1f6ab65aa80d6b872947eb3c4a9374f9c3d55da9029466117e66c1f89c91e2db14c2eb0eb3ee8cfa52225f4363dcb760d148e
SSDEEP

3072:xOMD6Fxmkobg6gR8TBgqCacNN4M8iKmG5tVUF3QR3Lz32AYpQ8PmMwS9PmbZzslx:xMugWTga+vrGPV53HrKlt

Score

7^/10

Deletes itself 1 IoCs

pid	Process
756	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 756	1724	d461272daec0e042004251f13dd72f58713fd9e70412434916a6c8c44579e06c.exe	27
PID 1724 wrote to memory of 756	1724	d461272daec0e042004251f13dd72f58713fd9e70412434916a6c8c44579e06c.exe	27
PID 1724 wrote to memory of 756	1724	d461272daec0e042004251f13dd72f58713fd9e70412434916a6c8c44579e06c.exe	27
PID 1724 wrote to memory of 756	1724	d461272daec0e042004251f13dd72f58713fd9e70412434916a6c8c44579e06c.exe	27

C:\Users\Admin\AppData\Local\Temp\d461272daec0e042004251f13dd72f58713fd9e70412434916a6c8c44579e06c.exe
"C:\Users\Admin\AppData\Local\Temp\d461272daec0e042004251f13dd72f58713fd9e70412434916a6c8c44579e06c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Hnf..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:756

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Hnf..bat

Filesize
274B

MD5
3e0bc59476fe281cfddfbd97189b9388

SHA1
a8a2607b8890343f19535b68c408d1a545d183ed

SHA256
9d9aaa7e0f6bc7de55d174160c67486a192b67c5dd6e0ee4215cfd926d9cc4cb

SHA512
5d6ad1a18924919c2e374349dc11838265ce88b40ef97855178b94653dd707906869d9c30b196e384345590863e7f377ace62b53838407886249a536b9e87b29

Download Submit
memory/1724-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1724-55-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/1724-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1724-58-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download