df515e5ca556a4c8312da9f84f40189e4eae44bf9d5c400b9b7714a06eb19f19

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df515e5ca556a4c8312da9f84f40189e4eae44bf9d5c400b9b7714a06eb19f19.exe
Size

200KB
MD5

571a663881bdcb5de18acb78916eb093
SHA1

53b3075760d38ced1234e831f87e9216ebed6f94
SHA256

df515e5ca556a4c8312da9f84f40189e4eae44bf9d5c400b9b7714a06eb19f19
SHA512

7ba23197a829ab32292a6e8b7f4ca6392a224fd4174bc3972b363979c0990af047ec7d9cfe9dff8c102e5a9db0514769a4a6be366f198e9446adc18c23b468d0
SSDEEP

3072:KR6JVPx++LLL7SufZ/MPEBMoFM0Ou5hSr0J5SgT0DbqV:dx+qL7rB/MPGMoFxR5t0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
860	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 860	1920	df515e5ca556a4c8312da9f84f40189e4eae44bf9d5c400b9b7714a06eb19f19.exe	28
PID 1920 wrote to memory of 860	1920	df515e5ca556a4c8312da9f84f40189e4eae44bf9d5c400b9b7714a06eb19f19.exe	28
PID 1920 wrote to memory of 860	1920	df515e5ca556a4c8312da9f84f40189e4eae44bf9d5c400b9b7714a06eb19f19.exe	28
PID 1920 wrote to memory of 860	1920	df515e5ca556a4c8312da9f84f40189e4eae44bf9d5c400b9b7714a06eb19f19.exe	28
PID 1920 wrote to memory of 860	1920	df515e5ca556a4c8312da9f84f40189e4eae44bf9d5c400b9b7714a06eb19f19.exe	28
PID 1920 wrote to memory of 860	1920	df515e5ca556a4c8312da9f84f40189e4eae44bf9d5c400b9b7714a06eb19f19.exe	28
PID 1920 wrote to memory of 860	1920	df515e5ca556a4c8312da9f84f40189e4eae44bf9d5c400b9b7714a06eb19f19.exe	28

C:\Users\Admin\AppData\Local\Temp\df515e5ca556a4c8312da9f84f40189e4eae44bf9d5c400b9b7714a06eb19f19.exe
"C:\Users\Admin\AppData\Local\Temp\df515e5ca556a4c8312da9f84f40189e4eae44bf9d5c400b9b7714a06eb19f19.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Yfj..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Yfj..bat

Filesize
274B

MD5
9d2cf0248730b851dbe9842763c075c7

SHA1
acbb31cc43e10a89ff6e26e29c5036dd69b9cc47

SHA256
4cb58e74c54022ab64b40d950d1726e47b8ab552907746dabcba313ac29d2155

SHA512
c6fce192018fc110633f46abae85e7db8ea93545602a6f4018facbe2e605a55a9a0db78c6a3a0e27beba158d1aba292301b1fc54f8007c08e2c2f37605ecedc1

Download Submit
memory/1920-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1920-55-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/1920-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1920-58-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download