30ab6e1746382932ce68ab404cd73132fdf7bea1a52a11b0d428a97e9a08fe14

Analysis

max time kernel
41s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30ab6e1746382932ce68ab404cd73132fdf7bea1a52a11b0d428a97e9a08fe14.exe
Size

63KB
MD5

5a720e3b33b146eab329aece3540c74c
SHA1

ff3219a259bdcacd48cb7557743712dd2ad6e16b
SHA256

30ab6e1746382932ce68ab404cd73132fdf7bea1a52a11b0d428a97e9a08fe14
SHA512

f593171e1c35b479067efecf105f265398f5f85bc359b9be207474bfebe527376f8368ab0e87c80cbeed89c1005418d95c89c07b767770f318779482cf798755
SSDEEP

1536:uufg6xNUQs0ZEjMPcqHmbBhvI1qWfiuv7tPS0xLDPk:x3xNvaIPk+qWpL1Pk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
668	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 668	992	30ab6e1746382932ce68ab404cd73132fdf7bea1a52a11b0d428a97e9a08fe14.exe	27
PID 992 wrote to memory of 668	992	30ab6e1746382932ce68ab404cd73132fdf7bea1a52a11b0d428a97e9a08fe14.exe	27
PID 992 wrote to memory of 668	992	30ab6e1746382932ce68ab404cd73132fdf7bea1a52a11b0d428a97e9a08fe14.exe	27
PID 992 wrote to memory of 668	992	30ab6e1746382932ce68ab404cd73132fdf7bea1a52a11b0d428a97e9a08fe14.exe	27

C:\Users\Admin\AppData\Local\Temp\30ab6e1746382932ce68ab404cd73132fdf7bea1a52a11b0d428a97e9a08fe14.exe
"C:\Users\Admin\AppData\Local\Temp\30ab6e1746382932ce68ab404cd73132fdf7bea1a52a11b0d428a97e9a08fe14.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Jwp..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jwp..bat

Filesize
274B

MD5
43584461545180c8f466c01e15900c86

SHA1
0dbab9dd9b2f0e380037de9c379111a23078660f

SHA256
f05caf9f7df21920d9ac5a1a32774aec8a74620fbecfb532f442cf2276d68858

SHA512
518464ed9fbfa2795e23fd0c2544502783baa732ce0b35edf952b8b587f4ed306aaba513369eaa0f25e5e384470a025ca7acecc2bd631c1b280454810f2e7978

Download Submit
memory/668-58-0x0000000000000000-mapping.dmp

Download
memory/992-54-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/992-55-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/992-56-0x0000000000220000-0x0000000000241000-memory.dmp

Filesize
132KB

Download
memory/992-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/992-59-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download