c199997bd88ae6a0349d19866210029292c8216095a33ac163f24a42bfe1fdb8

Analysis

max time kernel
34s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c199997bd88ae6a0349d19866210029292c8216095a33ac163f24a42bfe1fdb8.exe
Size

115KB
MD5

e3613383a42756756f26d63725d8765b
SHA1

2d7755e2823ed1ed46deb2f890c327fe35bb5f13
SHA256

c199997bd88ae6a0349d19866210029292c8216095a33ac163f24a42bfe1fdb8
SHA512

de6e996d273bd90e3a8fda540c20f7275429fe279d264823d41ebf6b6af7f11da47286832ffe1414775608c89c40960871f43a11b85eeb42ca0046ae38440a78
SSDEEP

3072:M5l9A0ajvnxicPMN/B9nG5sELVhngzDa9qkSpZ:kl9RarnxSNnXBfkq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1892	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1892	1972	c199997bd88ae6a0349d19866210029292c8216095a33ac163f24a42bfe1fdb8.exe	28
PID 1972 wrote to memory of 1892	1972	c199997bd88ae6a0349d19866210029292c8216095a33ac163f24a42bfe1fdb8.exe	28
PID 1972 wrote to memory of 1892	1972	c199997bd88ae6a0349d19866210029292c8216095a33ac163f24a42bfe1fdb8.exe	28
PID 1972 wrote to memory of 1892	1972	c199997bd88ae6a0349d19866210029292c8216095a33ac163f24a42bfe1fdb8.exe	28

C:\Users\Admin\AppData\Local\Temp\c199997bd88ae6a0349d19866210029292c8216095a33ac163f24a42bfe1fdb8.exe
"C:\Users\Admin\AppData\Local\Temp\c199997bd88ae6a0349d19866210029292c8216095a33ac163f24a42bfe1fdb8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Abz..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Abz..bat

Filesize
274B

MD5
4254017e37ffcd604ead159f474aea34

SHA1
d9f3053f5b758a27bc4344bb75476f1614576abd

SHA256
77a2956e5744793b598bc4cf7c07a5f198b86d71f485c1089ced6ab0462b69f1

SHA512
611f525a78a4795bef502841ba01e4e3bfc74682403ddff465597775ef3a1c5ecd49061482a2eef5221a9f8667158514554ed1b525388fbf52026da0191997ae

Download Submit
memory/1892-57-0x0000000000000000-mapping.dmp

Download
memory/1972-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x0000000000120000-0x000000000012D000-memory.dmp

Filesize
52KB

Download
memory/1972-56-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1972-58-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download