c8ee4749b3241b99cce0ca4df5ef3f76ca667cd6ace3cf7e46a4716dfecc9f07

Analysis

max time kernel
38s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8ee4749b3241b99cce0ca4df5ef3f76ca667cd6ace3cf7e46a4716dfecc9f07.exe
Size

63KB
MD5

6773c9f9784e8146004837f476b32753
SHA1

01ad16f8ef0653acb7d198e8957bcb34a4ce4158
SHA256

c8ee4749b3241b99cce0ca4df5ef3f76ca667cd6ace3cf7e46a4716dfecc9f07
SHA512

72b6f2e4ef5c0e55f242da62fe36f7ca584b1174e83ec87fbed6144f9d985474b367761e124e3d7986741ff872e30ac33aec07c81c19663876ab3f40bd02235e
SSDEEP

1536:V8EPka7+f7u4Q5giHY/6WauOWQASu+U/+ni0JTmv/RxP:VQaKf7R04/6WaupSfU/+jMpV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1480	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1480	1976	c8ee4749b3241b99cce0ca4df5ef3f76ca667cd6ace3cf7e46a4716dfecc9f07.exe	26
PID 1976 wrote to memory of 1480	1976	c8ee4749b3241b99cce0ca4df5ef3f76ca667cd6ace3cf7e46a4716dfecc9f07.exe	26
PID 1976 wrote to memory of 1480	1976	c8ee4749b3241b99cce0ca4df5ef3f76ca667cd6ace3cf7e46a4716dfecc9f07.exe	26
PID 1976 wrote to memory of 1480	1976	c8ee4749b3241b99cce0ca4df5ef3f76ca667cd6ace3cf7e46a4716dfecc9f07.exe	26

C:\Users\Admin\AppData\Local\Temp\c8ee4749b3241b99cce0ca4df5ef3f76ca667cd6ace3cf7e46a4716dfecc9f07.exe
"C:\Users\Admin\AppData\Local\Temp\c8ee4749b3241b99cce0ca4df5ef3f76ca667cd6ace3cf7e46a4716dfecc9f07.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Mpb..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mpb..bat

Filesize
274B

MD5
eda2e7ff550bd87261e9c12615222d19

SHA1
37b50ec08f2a61990f9e4c85b1cf5c8d8f8dd71b

SHA256
a4712899109a05f7860f8947ddad78a207c4982d2b49e0662ca08acc25e2874f

SHA512
8ff97a962813c8ed1e15b2d8694c52dbb282a66119e00ea6874edf9a0944572b7cfc47efbb091258b1fe73669b110223c827758b760ceea33e52c12c0fea2a41

Download Submit
memory/1480-56-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/1976-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download