aa48b91791187ad07e44c309ef5070129a6dd5ab7e6f6c36d02785fd94a0b000

Analysis

max time kernel
29s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa48b91791187ad07e44c309ef5070129a6dd5ab7e6f6c36d02785fd94a0b000.exe
Size

77KB
MD5

288d3d20f027f63ebf8fab334a1f9b75
SHA1

f4d8067cf376c44a3b5ba683ef369d3cb83a1ca5
SHA256

aa48b91791187ad07e44c309ef5070129a6dd5ab7e6f6c36d02785fd94a0b000
SHA512

eb21bea9b4c4fc8b23e87733bf7481d488940170d23c4341670a8ce08ec2772eb9f95fda30ec5f87dfc637724f12dde072880fad53ceac22f40a110ff124b79a
SSDEEP

1536:AiQgzHtbseQi4C9bnWe7z9EQ3G2e7JqSbk4p:lQgzHuCNhWSGXVqz4p

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2044	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 2044	1012	aa48b91791187ad07e44c309ef5070129a6dd5ab7e6f6c36d02785fd94a0b000.exe	28
PID 1012 wrote to memory of 2044	1012	aa48b91791187ad07e44c309ef5070129a6dd5ab7e6f6c36d02785fd94a0b000.exe	28
PID 1012 wrote to memory of 2044	1012	aa48b91791187ad07e44c309ef5070129a6dd5ab7e6f6c36d02785fd94a0b000.exe	28
PID 1012 wrote to memory of 2044	1012	aa48b91791187ad07e44c309ef5070129a6dd5ab7e6f6c36d02785fd94a0b000.exe	28
PID 1012 wrote to memory of 2044	1012	aa48b91791187ad07e44c309ef5070129a6dd5ab7e6f6c36d02785fd94a0b000.exe	28
PID 1012 wrote to memory of 2044	1012	aa48b91791187ad07e44c309ef5070129a6dd5ab7e6f6c36d02785fd94a0b000.exe	28
PID 1012 wrote to memory of 2044	1012	aa48b91791187ad07e44c309ef5070129a6dd5ab7e6f6c36d02785fd94a0b000.exe	28

C:\Users\Admin\AppData\Local\Temp\aa48b91791187ad07e44c309ef5070129a6dd5ab7e6f6c36d02785fd94a0b000.exe
"C:\Users\Admin\AppData\Local\Temp\aa48b91791187ad07e44c309ef5070129a6dd5ab7e6f6c36d02785fd94a0b000.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Jbp..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jbp..bat

Filesize
274B

MD5
73e4ff2b8c95cec6d549e086412ec379

SHA1
1bfbfdd669c0075a0941d3e12f354a9297cd4b9d

SHA256
97c2a952b59fca8f7196525e3ce84072c5c6843c46e3ab593d48e6b4ad37a3c2

SHA512
5f17bcb78df42e7d1a972936aa2f923862dd05fbb52a301f1d2ec12833a3e5c9fd71b8fbf4966e8292d2f4e798bd1b94484c73fe935bca4eb3b3fbaaf7e349e0

Download Submit
memory/1012-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1012-55-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/1012-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1012-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1012-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download