1c58bc166b4137c0043ba472c937c97395ab0aef73973a1e8edd6db777323aad

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c58bc166b4137c0043ba472c937c97395ab0aef73973a1e8edd6db777323aad.exe
Size

243KB
MD5

7cc08801e1489d8020083c2c0d8e328b
SHA1

cf0dcbaf7dc1c0f230356506a8e04dcfcdd321df
SHA256

1c58bc166b4137c0043ba472c937c97395ab0aef73973a1e8edd6db777323aad
SHA512

2ed40c6362d8b82f526a8bfbce9ef3acc36b04d2eddf47cf4c0533a9363013927b4e8fb78046dcb69d42ddd8f366879087bb6b4575e26b465a48c59dad563878
SSDEEP

3072:TYhnikwbzyE8/psSLv+DVSzUTr3WUxbg7YgVlFBIiGHqXpNyFmj4P+eWbfHjvsE1:TYhnxrqeuVc4ElBPGIDdNH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1380	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1380	1048	1c58bc166b4137c0043ba472c937c97395ab0aef73973a1e8edd6db777323aad.exe	27
PID 1048 wrote to memory of 1380	1048	1c58bc166b4137c0043ba472c937c97395ab0aef73973a1e8edd6db777323aad.exe	27
PID 1048 wrote to memory of 1380	1048	1c58bc166b4137c0043ba472c937c97395ab0aef73973a1e8edd6db777323aad.exe	27
PID 1048 wrote to memory of 1380	1048	1c58bc166b4137c0043ba472c937c97395ab0aef73973a1e8edd6db777323aad.exe	27
PID 1048 wrote to memory of 1380	1048	1c58bc166b4137c0043ba472c937c97395ab0aef73973a1e8edd6db777323aad.exe	27
PID 1048 wrote to memory of 1380	1048	1c58bc166b4137c0043ba472c937c97395ab0aef73973a1e8edd6db777323aad.exe	27
PID 1048 wrote to memory of 1380	1048	1c58bc166b4137c0043ba472c937c97395ab0aef73973a1e8edd6db777323aad.exe	27

C:\Users\Admin\AppData\Local\Temp\1c58bc166b4137c0043ba472c937c97395ab0aef73973a1e8edd6db777323aad.exe
"C:\Users\Admin\AppData\Local\Temp\1c58bc166b4137c0043ba472c937c97395ab0aef73973a1e8edd6db777323aad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ncv..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ncv..bat

Filesize
274B

MD5
a420430790de5cc1477523b60bd9663d

SHA1
7411ce311099179fa80579ab04e29d9894dfe8a6

SHA256
610c3d4baed66e47df98d923c6243d8a84e4bb6def81ad9ebb0728f60fa4daf4

SHA512
365d8e1edff08b958ecf80b436692622f59d93e886fc50e003f374e52fb0f880b9f18b895fe1f66e855d386775153bd563957f31e8adafa64934e272acc3e2e0

Download Submit
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1048-55-0x00000000029F0000-0x0000000002A1D000-memory.dmp

Filesize
180KB

Download
memory/1048-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1048-58-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download