135bf437da2d614b81e672797dfa56dd570c77c12d12b17207e167d835f049cb

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

135bf437da2d614b81e672797dfa56dd570c77c12d12b17207e167d835f049cb.exe
Size

79KB
MD5

8fa66b27e20ad225504388ffb763239d
SHA1

44f9f6221d38a089da0fa8bd729ee074059d5190
SHA256

135bf437da2d614b81e672797dfa56dd570c77c12d12b17207e167d835f049cb
SHA512

81cd75669c5dcdf718652b4544e3dac45c58844408106bb553a32741e00c3113a18ef4f21c21a4e9af92cadd448dc734335cb4169ecf3c0801b55dce05a177c5
SSDEEP

1536:Lm69tHN0YCeFxJeK30BEGyUUx++TYSmAgCeTR8yEAwot1dh8T:n95NHJeK30Izx+wYtpfT6yESt1dOT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
872	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 872	2020	135bf437da2d614b81e672797dfa56dd570c77c12d12b17207e167d835f049cb.exe	28
PID 2020 wrote to memory of 872	2020	135bf437da2d614b81e672797dfa56dd570c77c12d12b17207e167d835f049cb.exe	28
PID 2020 wrote to memory of 872	2020	135bf437da2d614b81e672797dfa56dd570c77c12d12b17207e167d835f049cb.exe	28
PID 2020 wrote to memory of 872	2020	135bf437da2d614b81e672797dfa56dd570c77c12d12b17207e167d835f049cb.exe	28

C:\Users\Admin\AppData\Local\Temp\135bf437da2d614b81e672797dfa56dd570c77c12d12b17207e167d835f049cb.exe
"C:\Users\Admin\AppData\Local\Temp\135bf437da2d614b81e672797dfa56dd570c77c12d12b17207e167d835f049cb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ljb..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ljb..bat

Filesize
274B

MD5
caebd7d79f0c48e528af89813754ae7f

SHA1
cd15a5d2cbeab3b025c107c4b171380d19498853

SHA256
bec3d237507db2a999e59bf896652873bce033cf93195dbf3e14d5e6e7c53b71

SHA512
68ec018fb0ff2d34abf1b23c06a9925a82f46c9fbaf25a89595c8f52bcd07abc71b346fb78f7875f01fcd29b0ef6b9762bfce110de6956e9aedbc6c67c873518

Download Submit
memory/872-56-0x0000000000000000-mapping.dmp

Download
memory/2020-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/2020-55-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2020-57-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download