1db7b96b2c93399b95963a8594e89ca757788bc43cb3e4c350d7357b26616c08

Analysis

max time kernel
47s
max time network
64s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-10-2022 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db7b96b2c93399b95963a8594e89ca757788bc43cb3e4c350d7357b26616c08.exe
Size

98KB
MD5

0fe5a46cd6ca71005c698b525634b700
SHA1

fdbb0b5e7bc1b3a95967816dd8efeaec4b89c2a5
SHA256

1db7b96b2c93399b95963a8594e89ca757788bc43cb3e4c350d7357b26616c08
SHA512

f0b24747fd3c184007ebb9ad45eb76e0dac685a4844cb40c1d265083ddb41fe1a39bdbd43895108aa645b6c532d9cdb8056acfa1973458dc0d49a3eba6e5837c
SSDEEP

768:Pcatsv4OwO7PFPrXWWX90LsJ7sJWl8+1avyTRYw/aTR847KVwKpAn5rhN:jsvbfJrGCdVsM8+16kaO47KVwKSnT

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1508-58-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1752	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1752	1508	1db7b96b2c93399b95963a8594e89ca757788bc43cb3e4c350d7357b26616c08.exe	29
PID 1508 wrote to memory of 1752	1508	1db7b96b2c93399b95963a8594e89ca757788bc43cb3e4c350d7357b26616c08.exe	29
PID 1508 wrote to memory of 1752	1508	1db7b96b2c93399b95963a8594e89ca757788bc43cb3e4c350d7357b26616c08.exe	29
PID 1508 wrote to memory of 1752	1508	1db7b96b2c93399b95963a8594e89ca757788bc43cb3e4c350d7357b26616c08.exe	29

C:\Users\Admin\AppData\Local\Temp\1db7b96b2c93399b95963a8594e89ca757788bc43cb3e4c350d7357b26616c08.exe
"C:\Users\Admin\AppData\Local\Temp\1db7b96b2c93399b95963a8594e89ca757788bc43cb3e4c350d7357b26616c08.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a..bat

Filesize
274B

MD5
6c3ef683b327446a3284241c66a3efa1

SHA1
b1e7742665a7fb43d5d54176750d7f5b3402e5fb

SHA256
cf1d209ebc99a164f3720b69ee0e7cc67fada47ad0a19da77d05920e6a502072

SHA512
4c060b647dea32910a8d564819d67adad67c6f69b122086f4db8c0b6b8e94195ac26aa3cb00ee970e0fe4eb5cc4eacbcfe9dd8e747cd9e469dc563d7f46a7a46

Download Submit
memory/1508-54-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1508-55-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1508-56-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1508-58-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download