30b0663fb782c63658b160f6ebcd042df864076103bbfc415387966af31df72e

Analysis

max time kernel
28s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 08:48

Target

30b0663fb782c63658b160f6ebcd042df864076103bbfc415387966af31df72e.exe
Size

94KB
MD5

b8e930b190c8cd0c50d27b7a61d7c874
SHA1

0fc777e592521db66b191963c70999fbc447dc2e
SHA256

30b0663fb782c63658b160f6ebcd042df864076103bbfc415387966af31df72e
SHA512

09d273d1392a111b66eba43e456957e750d646fc95628619d982e4796a6249c14c995f1c627731b05172060e8fecf80029b3a4469114353bdf945e16c0b560ac
SSDEEP

1536:o9c//cQk4w68KXJnml4KBMrlx764OMGDoFVa2FwFIy:gcMQk431mulRPEiETFIy

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1136	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1136	872	30b0663fb782c63658b160f6ebcd042df864076103bbfc415387966af31df72e.exe	28
PID 872 wrote to memory of 1136	872	30b0663fb782c63658b160f6ebcd042df864076103bbfc415387966af31df72e.exe	28
PID 872 wrote to memory of 1136	872	30b0663fb782c63658b160f6ebcd042df864076103bbfc415387966af31df72e.exe	28
PID 872 wrote to memory of 1136	872	30b0663fb782c63658b160f6ebcd042df864076103bbfc415387966af31df72e.exe	28

C:\Users\Admin\AppData\Local\Temp\30b0663fb782c63658b160f6ebcd042df864076103bbfc415387966af31df72e.exe
"C:\Users\Admin\AppData\Local\Temp\30b0663fb782c63658b160f6ebcd042df864076103bbfc415387966af31df72e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Adf..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1136

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Adf..bat

Filesize
274B

MD5
3c88f20a439723fc1c4bfbce64e939f0

SHA1
8e326860dde3654b0caabb7bc2113fe78f575266

SHA256
8f57deb31a653fab99e4a842ccb4252437240762e8bc772ba169fd7aaa598ea2

SHA512
3de697b574c5beb973a5ccc27e6beb57d088873cefe255cf3c02fdb0361d6085ce594d8572e60e909683fc1b04c1c7b9449479e18c8717b095edfe96fb8fde54

Download Submit
memory/872-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/872-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/872-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download