c1994e2fd8d5d8cc911b91eb39f717554f9be93394824dbaa91d83ceea86cb73

Analysis

max time kernel
123s
max time network
85s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1994e2fd8d5d8cc911b91eb39f717554f9be93394824dbaa91d83ceea86cb73.exe
Size

76KB
MD5

a3b24083e16b9a964ea6fcbfc931d146
SHA1

711f8274125dc25bd89686acf382b078eaa59ca3
SHA256

c1994e2fd8d5d8cc911b91eb39f717554f9be93394824dbaa91d83ceea86cb73
SHA512

a42d8b23406e4456ff8ff8dacd69e3dce1b29a90de3012c4214cbeb3e78daba52ef10a720d3260921ae32a9697b8bcdd98b13bb826578d724c9d466e6d000ecd
SSDEEP

1536:akV8ybjkBEt8zRd3+NDDKO/puh7PJYCIlrGDDa1EbqqaYxSgpPoKa:agvjkDf3WDDXulGC2ya1Ebqqa8bAH

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1800	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c1994e2fd8d5d8cc911b91eb39f717554f9be93394824dbaa91d83ceea86cb73 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c1994e2fd8d5d8cc911b91eb39f717554f9be93394824dbaa91d83ceea86cb73.exe"	c1994e2fd8d5d8cc911b91eb39f717554f9be93394824dbaa91d83ceea86cb73.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1800	1344	c1994e2fd8d5d8cc911b91eb39f717554f9be93394824dbaa91d83ceea86cb73.exe	29
PID 1344 wrote to memory of 1800	1344	c1994e2fd8d5d8cc911b91eb39f717554f9be93394824dbaa91d83ceea86cb73.exe	29
PID 1344 wrote to memory of 1800	1344	c1994e2fd8d5d8cc911b91eb39f717554f9be93394824dbaa91d83ceea86cb73.exe	29
PID 1344 wrote to memory of 1800	1344	c1994e2fd8d5d8cc911b91eb39f717554f9be93394824dbaa91d83ceea86cb73.exe	29

C:\Users\Admin\AppData\Local\Temp\c1994e2fd8d5d8cc911b91eb39f717554f9be93394824dbaa91d83ceea86cb73.exe
"C:\Users\Admin\AppData\Local\Temp\c1994e2fd8d5d8cc911b91eb39f717554f9be93394824dbaa91d83ceea86cb73.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\07228665.cmd" "
  2⤵
  - Deletes itself
  PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\07228665.cmd

Filesize
375B

MD5
26c09a63561dcd813c9c1e77245bbf06

SHA1
aefd1f6c7449b990f3e170f3ec0e559caa4daef3

SHA256
2acb69a8081705989a5107e0ee4cd8d95384cf7f7c320aa0b06fbbd5b71ae262

SHA512
b921402103652ca8d985986a836ca881ad82e025348acd26171e2fb81404c3909d6756418a685564820617521609a1b846383e6b4959bba037ac6e7a830ffa62

Download Submit
memory/1344-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1344-55-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1344-57-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download