4f7c0e76ef36fca9aba1e5236850b5a81543c7f870db919569b59faaa4382e53

Analysis

max time kernel
37s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 08:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f7c0e76ef36fca9aba1e5236850b5a81543c7f870db919569b59faaa4382e53.exe
Size

79KB
MD5

f811740b781b445d11063f833ef5681a
SHA1

0e25236a5bb3f7d7831b711a44d0932c48e9b242
SHA256

4f7c0e76ef36fca9aba1e5236850b5a81543c7f870db919569b59faaa4382e53
SHA512

1f075a47a8c7e329d011b8807cd2a56cb4d42a65a3ce6883ba57615d850bb63d8b292294993aa5f7cc8a396488152f077bb346f448ee2571049b16bc1f5e7d39
SSDEEP

1536:hxbjg1v2og+uZFtNKiS/xdmc7SAM1Hourc6cPQR108rpKlCTuaLW4Ge599QDa:fjDog5NdS5hSAM1Iur1cPg10QpKlCTp9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1292	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	4f7c0e76ef36fca9aba1e5236850b5a81543c7f870db919569b59faaa4382e53.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1292	548	4f7c0e76ef36fca9aba1e5236850b5a81543c7f870db919569b59faaa4382e53.exe	27
PID 548 wrote to memory of 1292	548	4f7c0e76ef36fca9aba1e5236850b5a81543c7f870db919569b59faaa4382e53.exe	27
PID 548 wrote to memory of 1292	548	4f7c0e76ef36fca9aba1e5236850b5a81543c7f870db919569b59faaa4382e53.exe	27
PID 548 wrote to memory of 1292	548	4f7c0e76ef36fca9aba1e5236850b5a81543c7f870db919569b59faaa4382e53.exe	27

C:\Users\Admin\AppData\Local\Temp\4f7c0e76ef36fca9aba1e5236850b5a81543c7f870db919569b59faaa4382e53.exe
"C:\Users\Admin\AppData\Local\Temp\4f7c0e76ef36fca9aba1e5236850b5a81543c7f870db919569b59faaa4382e53.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ivz..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ivz..bat

Filesize
274B

MD5
934f8425675aa9b7432b6a6e6ed9d970

SHA1
364d680a4cd036cb8a832d72bcb24060ab017d37

SHA256
7a979a1984f16dc630d01a767dcccb6d1d8bf706e3e5bbfb2dadb450bb6d6507

SHA512
a1da610f22d4240664a21af21e142c283935ccd91392b0847c5742ef394609745d4f730243b8ac1f1758aca8135c5d9a8fc521960d4ee04130f6403240113854

Download Submit
memory/548-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/548-55-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/548-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/548-58-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download