a65dad97c62353bf09dadcd8f1e358bd0c49eeed9da821f6a37fc22dc8007613

Analysis

max time kernel
40s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a65dad97c62353bf09dadcd8f1e358bd0c49eeed9da821f6a37fc22dc8007613.exe
Size

212KB
MD5

0afdb2075f819723c98c1c5fda02c96a
SHA1

7dbd34922856f96399450221b1930684e947d9d8
SHA256

a65dad97c62353bf09dadcd8f1e358bd0c49eeed9da821f6a37fc22dc8007613
SHA512

34f8a68eb34fb6a3a843c6d0a7ce84b8a11eecd506f3d6703e51e717318429b5152404a7498518adb3e687e69fc0720b24e504b80c2be3231faf17e7f0114831
SSDEEP

3072:8C0Xa/hdOJjDQarQGDvSwjb8gdcSx0e96tXzqTKg5xAg3HZkXCA:6CcZsqGGTAg3Oy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1800	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1800	1148	a65dad97c62353bf09dadcd8f1e358bd0c49eeed9da821f6a37fc22dc8007613.exe	27
PID 1148 wrote to memory of 1800	1148	a65dad97c62353bf09dadcd8f1e358bd0c49eeed9da821f6a37fc22dc8007613.exe	27
PID 1148 wrote to memory of 1800	1148	a65dad97c62353bf09dadcd8f1e358bd0c49eeed9da821f6a37fc22dc8007613.exe	27
PID 1148 wrote to memory of 1800	1148	a65dad97c62353bf09dadcd8f1e358bd0c49eeed9da821f6a37fc22dc8007613.exe	27

C:\Users\Admin\AppData\Local\Temp\a65dad97c62353bf09dadcd8f1e358bd0c49eeed9da821f6a37fc22dc8007613.exe
"C:\Users\Admin\AppData\Local\Temp\a65dad97c62353bf09dadcd8f1e358bd0c49eeed9da821f6a37fc22dc8007613.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Kxv..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Kxv..bat

Filesize
274B

MD5
7a4fe169d1d9a472ba174c46fd3194bf

SHA1
51988a8cc62970d0a6bf3fa0ab98b830a66479ad

SHA256
be3baa2d209f5199775d6b9d2c23127e8f2bf9708dc7d3498112a1067b8b72d0

SHA512
7bf5941dc498f65f33ff3290ca6a09822815381b9b694059154197732cc5e97e168b85f9cb7255aa4e16d510af427bb855765b8de7cfc718b26e61d9ef1d17e9

Download Submit
memory/1148-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1148-55-0x0000000000130000-0x000000000014A000-memory.dmp

Filesize
104KB

Download
memory/1148-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1148-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download