659782eab979aeb7b09d2b76171776c06b8141048dfca85224627bd00111be7e

Analysis

max time kernel
40s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

659782eab979aeb7b09d2b76171776c06b8141048dfca85224627bd00111be7e.exe
Size

116KB
MD5

3f225d6d4492043a1eeafaacd4f0cb8b
SHA1

de75e29bc7160eb0810fb87adfaf4652b1fa63f6
SHA256

659782eab979aeb7b09d2b76171776c06b8141048dfca85224627bd00111be7e
SHA512

eeb3cda23d4d28118c751988f0ee8ab432891a87947fa2f0082ba52c579ae859a99efcc30c95836c026338145a0020c3d10592a2fb40c08916f9c0bc26a745a3
SSDEEP

1536:FMFwEKzi2EcPPH3BoyeoI/BYEFuZ7AaAxciGXww0nu+JL8z0YfC6jlnV3uuayKXS:OyEA7pPRo34Z0/x4gvnuULSLFAqC0r

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1372	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1372	1928	659782eab979aeb7b09d2b76171776c06b8141048dfca85224627bd00111be7e.exe	27
PID 1928 wrote to memory of 1372	1928	659782eab979aeb7b09d2b76171776c06b8141048dfca85224627bd00111be7e.exe	27
PID 1928 wrote to memory of 1372	1928	659782eab979aeb7b09d2b76171776c06b8141048dfca85224627bd00111be7e.exe	27
PID 1928 wrote to memory of 1372	1928	659782eab979aeb7b09d2b76171776c06b8141048dfca85224627bd00111be7e.exe	27

C:\Users\Admin\AppData\Local\Temp\659782eab979aeb7b09d2b76171776c06b8141048dfca85224627bd00111be7e.exe
"C:\Users\Admin\AppData\Local\Temp\659782eab979aeb7b09d2b76171776c06b8141048dfca85224627bd00111be7e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Tfz..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tfz..bat

Filesize
274B

MD5
5d1b8135d1c56d103c93897b7cea9d2f

SHA1
985e650eb5be75e0772c97612c7dcdbd7d468110

SHA256
083ddd2997bc53d962a7d45fb6c57592ef7fe1320b2e44c86a1be7c2ae5d9f30

SHA512
27936589552d224772e35cea7a88459d636b24803a017f6aebaaa8e6a1fa990918a3f3485be2688e320440992421bb6952514bb25f0fb2bc5d080a4e3d0289a1

Download Submit
memory/1928-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/1928-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1928-56-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1928-58-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download