10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe
Size

111KB
MD5

5b3e0d9d8e5b8c6382491e6676a92e20
SHA1

0c1bec3d03128e3a1c73502073e6501c14cd71d3
SHA256

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52
SHA512

b36135192d5b754743ecd2674b297060ea4c1d20ca20192f0b215ab1e8afa35219f70bc7b2b2be91d762e162e410b1dbbbff8bed1d5d4e94d7e50eda9785441c
SSDEEP

3072:nemS6MwVQCGo4qiRlUE0aWQ4K9NIgjdswyMRFIb:6CGVLUE0a9RNIg2w0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1364	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
864	10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1364	864	10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe	27
PID 864 wrote to memory of 1364	864	10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe	27
PID 864 wrote to memory of 1364	864	10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe	27
PID 864 wrote to memory of 1364	864	10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe	27

C:\Users\Admin\AppData\Local\Temp\10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe
"C:\Users\Admin\AppData\Local\Temp\10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Tnj..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tnj..bat

Filesize
274B

MD5
fc7be8efa830be554b0d37347d2fef82

SHA1
dec6edb5da391e959cf152ba634eb2d8da6d6963

SHA256
5b3326cc8f66580b4087c76c598f0ef09e79aa8228d50a0977163fbc2cc8570f

SHA512
6c9e2b13b62c4633a3e820242a4957b1468f401ff8ccbea5363cee1409fba5ee0b672011cfb29ed73811718d7784b9d6d2f32ab96709d89b97f2b074e4eecaf5

Download Submit
memory/864-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/864-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/864-56-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/864-58-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1364-57-0x0000000000000000-mapping.dmp

Download