5f5b15141c38643173b3fc1b7733597aff00fb588efefdeced86da0bbc2e6f77

Analysis

max time kernel
35s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 05:36

Target

5f5b15141c38643173b3fc1b7733597aff00fb588efefdeced86da0bbc2e6f77.exe
Size

160KB
MD5

69be634fa2439c30089c3564b011b250
SHA1

24af7422fdb8b3973c1ca4796108f1ecd217d231
SHA256

5f5b15141c38643173b3fc1b7733597aff00fb588efefdeced86da0bbc2e6f77
SHA512

bd2d964b67626fcbc974306b02e52731bc5a62c4ea979e89c2277806f339ac937770e504beb21b0cdd2392786d64def2660dafa0ea1159d3258904d5ced471b8
SSDEEP

1536:Jo/NHMoEPPNG0ApEXif5preEmcK0S+nQ:SwqpWif5pBzQ

Score

8^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1880-55-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1880-57-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1772	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1880	5f5b15141c38643173b3fc1b7733597aff00fb588efefdeced86da0bbc2e6f77.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1772	1880	5f5b15141c38643173b3fc1b7733597aff00fb588efefdeced86da0bbc2e6f77.exe	28
PID 1880 wrote to memory of 1772	1880	5f5b15141c38643173b3fc1b7733597aff00fb588efefdeced86da0bbc2e6f77.exe	28
PID 1880 wrote to memory of 1772	1880	5f5b15141c38643173b3fc1b7733597aff00fb588efefdeced86da0bbc2e6f77.exe	28
PID 1880 wrote to memory of 1772	1880	5f5b15141c38643173b3fc1b7733597aff00fb588efefdeced86da0bbc2e6f77.exe	28

C:\Users\Admin\AppData\Local\Temp\5f5b15141c38643173b3fc1b7733597aff00fb588efefdeced86da0bbc2e6f77.exe
"C:\Users\Admin\AppData\Local\Temp\5f5b15141c38643173b3fc1b7733597aff00fb588efefdeced86da0bbc2e6f77.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1772

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\a..bat

Filesize
274B

MD5
766911f70273e3921fb836d6a80f3b27

SHA1
12feb058517c7002eab11a8befdab45395f9756d

SHA256
422dab6936eaf75ae39d16b29507c503b4de74be13869a82bd2d076eb10472ba

SHA512
84b582b511821db237661af39a1dc65f26d459eafd5dece1274a7251294a9fb500ed7bb7ebd64efab975b6265208301fe92f048cfb08d52f0e3c2df2028330d9

Download Submit
memory/1880-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1880-55-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1880-57-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download