8d279620d50167a20de66ebc7e7d86a8d9d82bd80b2baff4acf2e02dae11396f

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d279620d50167a20de66ebc7e7d86a8d9d82bd80b2baff4acf2e02dae11396f.exe
Size

120KB
MD5

37235dfccecc618f6316c8feb89ae62f
SHA1

d350f475121613f0663eed90ce41a9244b1b3d28
SHA256

8d279620d50167a20de66ebc7e7d86a8d9d82bd80b2baff4acf2e02dae11396f
SHA512

0640b6bc234f012807f277c3bbd2c66dad257809d95fd68fa6a69c6a7c26edcf61a81ffb97b7dcffd5e4b1ad587224e177813911959a9581a8309895971ce47a
SSDEEP

1536:7k1E+9JWdkgXCKw1NoDb6oBWBP+3QLrYdFDVzKJM2Ndj3KXqhRxP:7k1dJ8JXG1W00aJBvjnbV

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1424-55-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
976	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 976	1424	8d279620d50167a20de66ebc7e7d86a8d9d82bd80b2baff4acf2e02dae11396f.exe	26
PID 1424 wrote to memory of 976	1424	8d279620d50167a20de66ebc7e7d86a8d9d82bd80b2baff4acf2e02dae11396f.exe	26
PID 1424 wrote to memory of 976	1424	8d279620d50167a20de66ebc7e7d86a8d9d82bd80b2baff4acf2e02dae11396f.exe	26
PID 1424 wrote to memory of 976	1424	8d279620d50167a20de66ebc7e7d86a8d9d82bd80b2baff4acf2e02dae11396f.exe	26

C:\Users\Admin\AppData\Local\Temp\8d279620d50167a20de66ebc7e7d86a8d9d82bd80b2baff4acf2e02dae11396f.exe
"C:\Users\Admin\AppData\Local\Temp\8d279620d50167a20de66ebc7e7d86a8d9d82bd80b2baff4acf2e02dae11396f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Dxf..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dxf..bat

Filesize
274B

MD5
b0eececead4f0f55a86dd4d824ed09ff

SHA1
3983f4f77dc565cf62f6722b3395cbe32daca220

SHA256
247f06c065cb844081a1d1fc50a4d6f79f262dcbc7cfc49a7d262df483d07f3b

SHA512
9a104ab7654ba6caaf27277b3ff4d1bd324fe4b6e8032d00dbf65c5a9bb1bb252589d69954481d086645514c1c4a143ad65fb68054435331aa90a2849f483989

Download Submit
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1424-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1424-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1424-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1424-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download