cb5732aa8982c643e8dbbdc14f655a880e95cff681b8c53300a60ed82f3569be

Analysis

max time kernel
31s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 18:15

Target

cb5732aa8982c643e8dbbdc14f655a880e95cff681b8c53300a60ed82f3569be.exe
Size

94KB
MD5

f9a84c6a32993b5658fe134024723415
SHA1

944b61216fd623bd596e88f3265cc7c1bc3828c5
SHA256

cb5732aa8982c643e8dbbdc14f655a880e95cff681b8c53300a60ed82f3569be
SHA512

f5ea3276b21944b7965b50ea5910726fbb8416740945033b636ec2c38aa1c917a2feb9917c6f0bb9d8befb113493baecc345932518e45a2d3f05596c176884e7
SSDEEP

1536:ZDlk50/EDi5oOmEia6li7rHIDF4W4E0oPEoPxLmi5OS9KJL3em2gSCOkz3LVUxFi:ZqUEDr7ymoo54Wh0osmlKJLe9+z3BUa

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1372	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1372	1940	cb5732aa8982c643e8dbbdc14f655a880e95cff681b8c53300a60ed82f3569be.exe	27
PID 1940 wrote to memory of 1372	1940	cb5732aa8982c643e8dbbdc14f655a880e95cff681b8c53300a60ed82f3569be.exe	27
PID 1940 wrote to memory of 1372	1940	cb5732aa8982c643e8dbbdc14f655a880e95cff681b8c53300a60ed82f3569be.exe	27
PID 1940 wrote to memory of 1372	1940	cb5732aa8982c643e8dbbdc14f655a880e95cff681b8c53300a60ed82f3569be.exe	27

C:\Users\Admin\AppData\Local\Temp\cb5732aa8982c643e8dbbdc14f655a880e95cff681b8c53300a60ed82f3569be.exe
"C:\Users\Admin\AppData\Local\Temp\cb5732aa8982c643e8dbbdc14f655a880e95cff681b8c53300a60ed82f3569be.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Wxv..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1372

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Wxv..bat

Filesize
274B

MD5
e10ee19c2d58903a75491b0971c280b6

SHA1
85e7ef94417784d6d5c421e97468891f68c15b9c

SHA256
700b266dfd7ee978044dace243cfdd0707aa29e23cfc68260f054bce323fe283

SHA512
1d1509cfcfe5bdcb58a4a6e9d40ec73314908d0fed7f9fd1700552531e5a16d93f6bd9eefe070eca264f7fb19616782b8aef8ddd53761a3581ccb3859d10b5a0

Download Submit
memory/1940-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1940-55-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/1940-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1940-57-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1940-59-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download