94a919616e22396d32d3ab4b172bce542c34bce4c94f58171a5ad76126567ef9

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94a919616e22396d32d3ab4b172bce542c34bce4c94f58171a5ad76126567ef9.exe
Size

996KB
MD5

a27661aefb31bf758ea6492405fb662a
SHA1

da633413cce8629b1d23d9760a336368f7e735fe
SHA256

94a919616e22396d32d3ab4b172bce542c34bce4c94f58171a5ad76126567ef9
SHA512

ed54abcafec081f2f8f2a7dfe2e4af975802e2a4a2a2e098d5b69fb0397017dddaef2cd732788fc7ff0ff8c44a3fb4e5dd4417e859f432a6252bddc162c2466e
SSDEEP

12288:Z6SKqT31T6WpJY6V765jKqostkm3ObxSt18NnQEWmp+ccO:oxqT31T6WE6I5jKqosOm+bxST8NnJSE

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1724	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 272 wrote to memory of 1724	272	94a919616e22396d32d3ab4b172bce542c34bce4c94f58171a5ad76126567ef9.exe	28
PID 272 wrote to memory of 1724	272	94a919616e22396d32d3ab4b172bce542c34bce4c94f58171a5ad76126567ef9.exe	28
PID 272 wrote to memory of 1724	272	94a919616e22396d32d3ab4b172bce542c34bce4c94f58171a5ad76126567ef9.exe	28
PID 272 wrote to memory of 1724	272	94a919616e22396d32d3ab4b172bce542c34bce4c94f58171a5ad76126567ef9.exe	28

C:\Users\Admin\AppData\Local\Temp\94a919616e22396d32d3ab4b172bce542c34bce4c94f58171a5ad76126567ef9.exe
"C:\Users\Admin\AppData\Local\Temp\94a919616e22396d32d3ab4b172bce542c34bce4c94f58171a5ad76126567ef9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\s.cmd
  2⤵
  - Deletes itself
  PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s.cmd

Filesize
285B

MD5
9d4d6bd71ad07abd6f3327d37c9efd41

SHA1
994806ea4dfb6080abbc4502910b91159a35b31d

SHA256
86381c478932ea96b5556ce09726c54c1ca3a0e45fd29428a02b135496980b7c

SHA512
60740248d00e49ed017ebef7a1f3af57201c73c5b64381f6dc0fb41570b47bbb5d2c29bac0879e98f43eff9909a4be2763ddd0ba20e1cc0e3f6f1ee074779174

Download Submit
memory/272-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download