082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f

Analysis

max time kernel
22s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 11:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f.exe
Size

7KB
MD5

65a752a456ed880ac827a84dcdd3d9d8
SHA1

025ebdcfc06a1b4984847fe758649ce7245c02db
SHA256

082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f
SHA512

d8c926f94f7c895896ddc274af39fef8a53602666527b30edd18c6045746b37b4441445eb3dab800f268fed9ba2e0f0fdf51b983cefc0932913d8bbef0dafefb
SSDEEP

96:0P67TeuaABBDSyst9pvr51V+65gqTNN081e8eRD:0y7TqABBW517gS0UiD

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	net.exe
File opened (read-only)	\??\Q:	net.exe
File opened (read-only)	\??\S:	net.exe
File opened (read-only)	\??\T:	net.exe
File opened (read-only)	\??\R:	net.exe
File opened (read-only)	\??\V:	net.exe
File opened (read-only)	\??\N:	net.exe
File opened (read-only)	\??\T:	net.exe
File opened (read-only)	\??\U:	net.exe
File opened (read-only)	\??\J:	net.exe
File opened (read-only)	\??\M:	net.exe
File opened (read-only)	\??\O:	net.exe
File opened (read-only)	\??\P:	net.exe
File opened (read-only)	\??\O:	net.exe
File opened (read-only)	\??\P:	net.exe
File opened (read-only)	\??\I:	net.exe
File opened (read-only)	\??\K:	net.exe
File opened (read-only)	\??\N:	net.exe
File opened (read-only)	\??\Y:	net.exe
File opened (read-only)	\??\W:	net.exe
File opened (read-only)	\??\X:	net.exe
File opened (read-only)	\??\Z:	net.exe
File opened (read-only)	\??\H:	net.exe
File opened (read-only)	\??\L:	net.exe
File opened (read-only)	\??\R:	net.exe
File opened (read-only)	\??\U:	net.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 1360	1012	082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f.exe	29
PID 1012 wrote to memory of 1360	1012	082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f.exe	29
PID 1012 wrote to memory of 1360	1012	082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f.exe	29
PID 1012 wrote to memory of 1360	1012	082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f.exe	29
PID 1360 wrote to memory of 1752	1360	cmd.exe	30
PID 1360 wrote to memory of 1752	1360	cmd.exe	30
PID 1360 wrote to memory of 1752	1360	cmd.exe	30
PID 1360 wrote to memory of 1752	1360	cmd.exe	30
PID 1360 wrote to memory of 1272	1360	cmd.exe	31
PID 1360 wrote to memory of 1272	1360	cmd.exe	31
PID 1360 wrote to memory of 1272	1360	cmd.exe	31
PID 1360 wrote to memory of 1272	1360	cmd.exe	31
PID 1360 wrote to memory of 1332	1360	cmd.exe	32
PID 1360 wrote to memory of 1332	1360	cmd.exe	32
PID 1360 wrote to memory of 1332	1360	cmd.exe	32
PID 1360 wrote to memory of 1332	1360	cmd.exe	32
PID 1360 wrote to memory of 2020	1360	cmd.exe	33
PID 1360 wrote to memory of 2020	1360	cmd.exe	33
PID 1360 wrote to memory of 2020	1360	cmd.exe	33
PID 1360 wrote to memory of 2020	1360	cmd.exe	33
PID 1360 wrote to memory of 2028	1360	cmd.exe	34
PID 1360 wrote to memory of 2028	1360	cmd.exe	34
PID 1360 wrote to memory of 2028	1360	cmd.exe	34
PID 1360 wrote to memory of 2028	1360	cmd.exe	34
PID 1360 wrote to memory of 896	1360	cmd.exe	35
PID 1360 wrote to memory of 896	1360	cmd.exe	35
PID 1360 wrote to memory of 896	1360	cmd.exe	35
PID 1360 wrote to memory of 896	1360	cmd.exe	35
PID 1360 wrote to memory of 1532	1360	cmd.exe	36
PID 1360 wrote to memory of 1532	1360	cmd.exe	36
PID 1360 wrote to memory of 1532	1360	cmd.exe	36
PID 1360 wrote to memory of 1532	1360	cmd.exe	36
PID 1360 wrote to memory of 1872	1360	cmd.exe	37
PID 1360 wrote to memory of 1872	1360	cmd.exe	37
PID 1360 wrote to memory of 1872	1360	cmd.exe	37
PID 1360 wrote to memory of 1872	1360	cmd.exe	37
PID 1360 wrote to memory of 1888	1360	cmd.exe	38
PID 1360 wrote to memory of 1888	1360	cmd.exe	38
PID 1360 wrote to memory of 1888	1360	cmd.exe	38
PID 1360 wrote to memory of 1888	1360	cmd.exe	38
PID 1360 wrote to memory of 1784	1360	cmd.exe	39
PID 1360 wrote to memory of 1784	1360	cmd.exe	39
PID 1360 wrote to memory of 1784	1360	cmd.exe	39
PID 1360 wrote to memory of 1784	1360	cmd.exe	39
PID 1360 wrote to memory of 1032	1360	cmd.exe	40
PID 1360 wrote to memory of 1032	1360	cmd.exe	40
PID 1360 wrote to memory of 1032	1360	cmd.exe	40
PID 1360 wrote to memory of 1032	1360	cmd.exe	40
PID 1360 wrote to memory of 760	1360	cmd.exe	41
PID 1360 wrote to memory of 760	1360	cmd.exe	41
PID 1360 wrote to memory of 760	1360	cmd.exe	41
PID 1360 wrote to memory of 760	1360	cmd.exe	41
PID 1360 wrote to memory of 576	1360	cmd.exe	42
PID 1360 wrote to memory of 576	1360	cmd.exe	42
PID 1360 wrote to memory of 576	1360	cmd.exe	42
PID 1360 wrote to memory of 576	1360	cmd.exe	42
PID 1360 wrote to memory of 520	1360	cmd.exe	43
PID 1360 wrote to memory of 520	1360	cmd.exe	43
PID 1360 wrote to memory of 520	1360	cmd.exe	43
PID 1360 wrote to memory of 520	1360	cmd.exe	43
PID 1360 wrote to memory of 1436	1360	cmd.exe	44
PID 1360 wrote to memory of 1436	1360	cmd.exe	44
PID 1360 wrote to memory of 1436	1360	cmd.exe	44
PID 1360 wrote to memory of 1436	1360	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f.exe
"C:\Users\Admin\AppData\Local\Temp\082a97b9515842e7135689e57c76fcaaf25cfc626a91c05ea35b546634d4429f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\cmd.exe
  /c ""C:\Users\Admin\AppData\Local\Temp\7111789.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\net.exe
    NET USE H: /delete
    3⤵
    - Enumerates connected drives
    PID:1752
- - C:\Windows\SysWOW64\net.exe
    NET USE I: /delete
    3⤵
    - Enumerates connected drives
    PID:1272
- - C:\Windows\SysWOW64\net.exe
    NET USE J: /delete
    3⤵
    - Enumerates connected drives
    PID:1332
- - C:\Windows\SysWOW64\net.exe
    NET USE K: /delete
    3⤵
    - Enumerates connected drives
    PID:2020
- - C:\Windows\SysWOW64\net.exe
    NET USE L: /delete
    3⤵
    - Enumerates connected drives
    PID:2028
- - C:\Windows\SysWOW64\net.exe
    NET USE M: /delete
    3⤵
    - Enumerates connected drives
    PID:896
- - C:\Windows\SysWOW64\net.exe
    NET USE N: /delete
    3⤵
    - Enumerates connected drives
    PID:1532
- - C:\Windows\SysWOW64\net.exe
    NET USE O: /delete
    3⤵
    - Enumerates connected drives
    PID:1872
- - C:\Windows\SysWOW64\net.exe
    NET USE P: /delete
    3⤵
    - Enumerates connected drives
    PID:1888
- - C:\Windows\SysWOW64\net.exe
    NET USE Q: /delete
    3⤵
    - Enumerates connected drives
    PID:1784
- - C:\Windows\SysWOW64\net.exe
    NET USE R: /delete
    3⤵
    - Enumerates connected drives
    PID:1032
- - C:\Windows\SysWOW64\net.exe
    NET USE S: /delete
    3⤵
    - Enumerates connected drives
    PID:760
- - C:\Windows\SysWOW64\net.exe
    NET USE T: /delete
    3⤵
    - Enumerates connected drives
    PID:576
- - C:\Windows\SysWOW64\net.exe
    NET USE U: /delete
    3⤵
    - Enumerates connected drives
    PID:520
- - C:\Windows\SysWOW64\net.exe
    NET USE V: /delete
    3⤵
    - Enumerates connected drives
    PID:1436
- - C:\Windows\SysWOW64\net.exe
    NET USE W: /delete
    3⤵
    - Enumerates connected drives
    PID:432
- - C:\Windows\SysWOW64\net.exe
    NET USE X: /delete
    3⤵
    - Enumerates connected drives
    PID:1156
- - C:\Windows\SysWOW64\net.exe
    NET USE Y: /delete
    3⤵
    - Enumerates connected drives
    PID:1916
- - C:\Windows\SysWOW64\net.exe
    NET USE Z: /delete
    3⤵
    - Enumerates connected drives
    PID:1556
- - C:\Windows\SysWOW64\cmdkey.exe
    cmdkey /add:192.168.1.206 /user:sgsgictsup /pass:sgictsup-rw33122060afk
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\net.exe
    NET USE N: \\192.168.1.206\Drivers /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:912
- - C:\Windows\SysWOW64\net.exe
    NET USE O: \\192.168.1.206\Information /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1736
- - C:\Windows\SysWOW64\net.exe
    NET USE P: \\192.168.1.206\privacy /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1124
- - C:\Windows\SysWOW64\net.exe
    NET USE R: \\192.168.1.206\è╟ù¥òö /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1500
- - C:\Windows\SysWOW64\net.exe
    NET USE S: \\192.168.1.206\îoù¥Ä║ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1816
- - C:\Windows\SysWOW64\net.exe
    NET USE T: \\192.168.1.206\É}ÅæÄ║ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:2040
- - C:\Windows\SysWOW64\net.exe
    NET USE U: \\192.168.1.206\ôîï₧ò█êτÉΩû
    3⤵
    - Enumerates connected drives
    PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7111789.bat

Filesize
1KB

MD5
60ec40eac92ae3470a8eb7eb715b2472

SHA1
0afeb264f50da70626c5c1686d7906474a1baee9

SHA256
00e9de57fc8370063ac015b1d9428e38d51f4a8093cc223c610b7d46ed9c45e4

SHA512
90a46044abb99d7456a71e8c0fece91d7943e092099e0332c43ccc6c213c3db51eb463ddc729c5bae27b11d3d9caf648d6ee228af5440597c3abe3a78e72697b

Download Submit