5c85d4494797ea58bf865b5738cb1cea99bb06e887b5f2dda0e0d6779d1961ca

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 06:52

Target

5c85d4494797ea58bf865b5738cb1cea99bb06e887b5f2dda0e0d6779d1961ca.exe
Size

89KB
MD5

c3cf25f2f22db8531746e05ab27d2077
SHA1

75cabc0d9337465dce8901d3e97fca8cedfacf75
SHA256

5c85d4494797ea58bf865b5738cb1cea99bb06e887b5f2dda0e0d6779d1961ca
SHA512

346e763e02cfbf1faff0424a5669c92028c53b7b287cbe0553cd948cbe27d47bd5a86fb481701cb455a8be0f1b6bab9892c52fabe44b01fdebb084f9d85825a4
SSDEEP

1536:Awh1oDCl94obAAHYS7+MAwep6m0AiiipzG0ZJyHn53HMNeb8LfxUjnr:cCl94YVFleTiiipzG0ZEH5HMw8L+jnr

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 984	852	5c85d4494797ea58bf865b5738cb1cea99bb06e887b5f2dda0e0d6779d1961ca.exe	27
PID 852 wrote to memory of 984	852	5c85d4494797ea58bf865b5738cb1cea99bb06e887b5f2dda0e0d6779d1961ca.exe	27
PID 852 wrote to memory of 984	852	5c85d4494797ea58bf865b5738cb1cea99bb06e887b5f2dda0e0d6779d1961ca.exe	27
PID 852 wrote to memory of 984	852	5c85d4494797ea58bf865b5738cb1cea99bb06e887b5f2dda0e0d6779d1961ca.exe	27
PID 852 wrote to memory of 984	852	5c85d4494797ea58bf865b5738cb1cea99bb06e887b5f2dda0e0d6779d1961ca.exe	27
PID 852 wrote to memory of 984	852	5c85d4494797ea58bf865b5738cb1cea99bb06e887b5f2dda0e0d6779d1961ca.exe	27
PID 852 wrote to memory of 984	852	5c85d4494797ea58bf865b5738cb1cea99bb06e887b5f2dda0e0d6779d1961ca.exe	27

C:\Users\Admin\AppData\Local\Temp\5c85d4494797ea58bf865b5738cb1cea99bb06e887b5f2dda0e0d6779d1961ca.exe
"C:\Users\Admin\AppData\Local\Temp\5c85d4494797ea58bf865b5738cb1cea99bb06e887b5f2dda0e0d6779d1961ca.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"
  2⤵
  PID:984

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\run.vbs

Filesize
277B

MD5
83a24ad445b2834c201bc07426e15e18

SHA1
49c0e5bae07b299a4889e5bd3f130b54aac7f64c

SHA256
4ed79fc7695059b6c79e059f93dc7ebdec7376bbdbdb7b34ee56ad7cc8cb97da

SHA512
1ef0e162929fc53e955c2d1319197a4be7ba1c4ef1fd97516a130c2688f1461ba75cd635cc8bbcbc68139ac83476c7a7222c7c2493d6cc08b8e013798810a978

Download Submit
memory/852-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download