c89b1b8c7678fd19f82c8f6169517d29aea5d8de1dac14f30e5e79ba178ad957

Analysis

max time kernel
41s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 20:34

Target

c89b1b8c7678fd19f82c8f6169517d29aea5d8de1dac14f30e5e79ba178ad957.exe
Size

85KB
MD5

843bb4bf71d8cb81a9222f9a1653dd81
SHA1

b517e6ae8c806d75a9652a40484392c73de14c5e
SHA256

c89b1b8c7678fd19f82c8f6169517d29aea5d8de1dac14f30e5e79ba178ad957
SHA512

e28c1c2baf35b2333513dcf62e51fe45211d5f69cfe26217d7fad95542ba884a81c3821d339d5a3b3731687a0c8f87b99b02a829c81eb42231fe8e78be3956ff
SSDEEP

1536:v6tLTUdt0v09m23CDj7+STN05xiSLRs4m8:StLYdt08m23M7+6GD3l

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1732	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1732	1632	c89b1b8c7678fd19f82c8f6169517d29aea5d8de1dac14f30e5e79ba178ad957.exe	28
PID 1632 wrote to memory of 1732	1632	c89b1b8c7678fd19f82c8f6169517d29aea5d8de1dac14f30e5e79ba178ad957.exe	28
PID 1632 wrote to memory of 1732	1632	c89b1b8c7678fd19f82c8f6169517d29aea5d8de1dac14f30e5e79ba178ad957.exe	28
PID 1632 wrote to memory of 1732	1632	c89b1b8c7678fd19f82c8f6169517d29aea5d8de1dac14f30e5e79ba178ad957.exe	28
PID 1632 wrote to memory of 1732	1632	c89b1b8c7678fd19f82c8f6169517d29aea5d8de1dac14f30e5e79ba178ad957.exe	28
PID 1632 wrote to memory of 1732	1632	c89b1b8c7678fd19f82c8f6169517d29aea5d8de1dac14f30e5e79ba178ad957.exe	28
PID 1632 wrote to memory of 1732	1632	c89b1b8c7678fd19f82c8f6169517d29aea5d8de1dac14f30e5e79ba178ad957.exe	28

C:\Users\Admin\AppData\Local\Temp\c89b1b8c7678fd19f82c8f6169517d29aea5d8de1dac14f30e5e79ba178ad957.exe
"C:\Users\Admin\AppData\Local\Temp\c89b1b8c7678fd19f82c8f6169517d29aea5d8de1dac14f30e5e79ba178ad957.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Sxb..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1732

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Sxb..bat

Filesize
274B

MD5
fa8cbbd05f6e1cb4900bf529a883e4a2

SHA1
3679bcae593c53a6fd4d44911cbec87bcf06f980

SHA256
a22149562f00e2415e24b1ef7c02b8a9544f850c209c3efb3268204ad8069178

SHA512
56c5eae2b589e3bf2b28d042f4d45ceab12ce56799862ab3871d47a455529bf06ff8957ea34ac7a89da0d593e1cf1a3310bbcceb036efa79d5b0cbcc51eb372f

Download Submit
memory/1632-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1632-56-0x0000000000360000-0x0000000000374000-memory.dmp

Filesize
80KB

Download
memory/1632-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download