76fbe4ee209de07bfc6903e8ea066a3724201c58c39062b689b49bd4e27a4f9b

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 11:58

Target

76fbe4ee209de07bfc6903e8ea066a3724201c58c39062b689b49bd4e27a4f9b.exe
Size

148KB
MD5

3d99a4b373d5e5d9a3f14cd97e0d29fd
SHA1

e89d52aaa8d647975d975b9376ee945c26057793
SHA256

76fbe4ee209de07bfc6903e8ea066a3724201c58c39062b689b49bd4e27a4f9b
SHA512

d35f4bb61421ca01a573aa4161774b009203e63008a8c53e4492a75728060915c876b5253e5d2fd34a593d8d365e6bc14fa03d4e8fc8f0edf600afdb38920a89
SSDEEP

768:p8ATV/MFMDEEx1PAy4jyn5jAI8dbFbshQRbYFKvcwhnbrEJOwOU/Huz8aE:pfl6MoEvw+nFARAhmsidhbrEJ/OzO

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1740-56-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1312	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1740	76fbe4ee209de07bfc6903e8ea066a3724201c58c39062b689b49bd4e27a4f9b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1312	1740	76fbe4ee209de07bfc6903e8ea066a3724201c58c39062b689b49bd4e27a4f9b.exe	28
PID 1740 wrote to memory of 1312	1740	76fbe4ee209de07bfc6903e8ea066a3724201c58c39062b689b49bd4e27a4f9b.exe	28
PID 1740 wrote to memory of 1312	1740	76fbe4ee209de07bfc6903e8ea066a3724201c58c39062b689b49bd4e27a4f9b.exe	28
PID 1740 wrote to memory of 1312	1740	76fbe4ee209de07bfc6903e8ea066a3724201c58c39062b689b49bd4e27a4f9b.exe	28

C:\Users\Admin\AppData\Local\Temp\76fbe4ee209de07bfc6903e8ea066a3724201c58c39062b689b49bd4e27a4f9b.exe
"C:\Users\Admin\AppData\Local\Temp\76fbe4ee209de07bfc6903e8ea066a3724201c58c39062b689b49bd4e27a4f9b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1312

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\a..bat

Filesize
274B

MD5
bd9226ce79e6f9e4d45e20779ef61145

SHA1
cb3db2c104548664a4a1baf247ad80592c49510c

SHA256
3e4f2c083f28bf11d1ecef67cf931b31f6f3c31edaac4352f25fbd805e322ed5

SHA512
a49ac443e52535f76ea5a5180ab3e253e92412775a8bb7683ab6e2da586a71a5e139b196a45fafa893694bd6c0fc1913f5af017d06d3a4fae88d0c7d18ed1b09

Download Submit
memory/1740-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1740-56-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download