ca9d22e1b5566e4bc82aceeb6daf66ad2373cb82e01fb88e155ae321cf1042a0

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca9d22e1b5566e4bc82aceeb6daf66ad2373cb82e01fb88e155ae321cf1042a0.exe
Size

144KB
MD5

1957019f1d3b8055eb2a4d2646d8f78e
SHA1

80eb6b93ce410af25e2b702797963ac31677ff26
SHA256

ca9d22e1b5566e4bc82aceeb6daf66ad2373cb82e01fb88e155ae321cf1042a0
SHA512

9f363fcf5dd5b91dfde6026fd9dc8d8ea28741fb36b270f6124380ee12fb1ff31878b40355d16f1ef90de109b754a9850e24ea179c4f2366f7f737723eb7ef07
SSDEEP

3072:V7GeKlHzSvQ0tRpSFsOTHHrdT+cT3B0DBpq7qZ2o2LlmSbReH:Vvsz6HMZHkDBZZ2bLlm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
948	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 948	1132	ca9d22e1b5566e4bc82aceeb6daf66ad2373cb82e01fb88e155ae321cf1042a0.exe	28
PID 1132 wrote to memory of 948	1132	ca9d22e1b5566e4bc82aceeb6daf66ad2373cb82e01fb88e155ae321cf1042a0.exe	28
PID 1132 wrote to memory of 948	1132	ca9d22e1b5566e4bc82aceeb6daf66ad2373cb82e01fb88e155ae321cf1042a0.exe	28
PID 1132 wrote to memory of 948	1132	ca9d22e1b5566e4bc82aceeb6daf66ad2373cb82e01fb88e155ae321cf1042a0.exe	28

C:\Users\Admin\AppData\Local\Temp\ca9d22e1b5566e4bc82aceeb6daf66ad2373cb82e01fb88e155ae321cf1042a0.exe
"C:\Users\Admin\AppData\Local\Temp\ca9d22e1b5566e4bc82aceeb6daf66ad2373cb82e01fb88e155ae321cf1042a0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Djv..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Djv..bat

Filesize
274B

MD5
e01900da4db38a3aa7f2d55d5a7c36bf

SHA1
36dd395de3a645b41d0b25c9761d4859fa62fecd

SHA256
a45b00feb71b5c309a1ff6828c98c447accfdb16bce86cd2e1cd1f94ed23e132

SHA512
b25eb046dea8f1f809181b54e11dbae2f0f154de10477cb9e183a1f634e648e647c2c9043bf46f3325e8cfb5b170112f64ae6c7d0580ad19beaa0e3d97f8c9db

Download Submit
memory/1132-55-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1132-54-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1132-56-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1132-57-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download