Analysis
-
max time kernel
40s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
11-10-2022 05:39
Static task
static1
Behavioral task
behavioral1
Sample
3cc8bb1d22ceb04fa6820c35dc48c88c6512894fe3fb1567404f4993f83e574a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
3cc8bb1d22ceb04fa6820c35dc48c88c6512894fe3fb1567404f4993f83e574a.exe
Resource
win10v2004-20220812-en
General
-
Target
3cc8bb1d22ceb04fa6820c35dc48c88c6512894fe3fb1567404f4993f83e574a.exe
-
Size
107KB
-
MD5
6065456312bdefe0f7c067dbcf0f92e7
-
SHA1
762b89aa84ae26823da2765f0f55d00d3fa0a84d
-
SHA256
3cc8bb1d22ceb04fa6820c35dc48c88c6512894fe3fb1567404f4993f83e574a
-
SHA512
8a6428d52d727516f89bd7b722e2de12c4d6166c2112f27d6e635a4e44d759d4ce5f779c5a9cf42ac7ca662028df8e532387fbef357a1499310e96a0bd701eb9
-
SSDEEP
1536:d1SSkGfIaS9Tjs+a9etxAH7mkhI5VOF0orKpo85Vcpp4M7LiNqq3:LS7c2VdgHQ/fgmGLiN1
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 1528 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1488 wrote to memory of 1528 1488 3cc8bb1d22ceb04fa6820c35dc48c88c6512894fe3fb1567404f4993f83e574a.exe 26 PID 1488 wrote to memory of 1528 1488 3cc8bb1d22ceb04fa6820c35dc48c88c6512894fe3fb1567404f4993f83e574a.exe 26 PID 1488 wrote to memory of 1528 1488 3cc8bb1d22ceb04fa6820c35dc48c88c6512894fe3fb1567404f4993f83e574a.exe 26 PID 1488 wrote to memory of 1528 1488 3cc8bb1d22ceb04fa6820c35dc48c88c6512894fe3fb1567404f4993f83e574a.exe 26
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cc8bb1d22ceb04fa6820c35dc48c88c6512894fe3fb1567404f4993f83e574a.exe"C:\Users\Admin\AppData\Local\Temp\3cc8bb1d22ceb04fa6820c35dc48c88c6512894fe3fb1567404f4993f83e574a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Tmp..bat" > nul 2> nul2⤵
- Deletes itself
PID:1528
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
274B
MD517cb9dea4e43c03200b1c3fa4b5d608f
SHA1524144b49a30d83751cc4d1a50d139481c18afcc
SHA25689e77a357c4194b2a526482b70a2771da46a0426f5b6865cbca4047e1ccb2ba5
SHA512973b5115ff913a32530e3b1830145ca03835734e1d54724a877b9a90026fcabe60c3735cbbf4b1e2350535480307ac3d274bb536065fad067aad99b17a405c12