9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301

Analysis

max time kernel
32s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 06:11

Target

9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe
Size

99KB
MD5

5f7bceb83bb21ffe32f8ff07e072cdaa
SHA1

b79da590a6ebe212ded4eb5e7d21402bd0d040cb
SHA256

9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301
SHA512

59199106ca59a0abba6efc9072af588e71fe79011555d368d0e626835a9b318f403c21766e3c4334b53ba27c9039f003107a78085a1d94548447cf5c5b104ac1
SSDEEP

1536:UhhYzHQxhu1h7evMhuEanToEN+ROqzUDCkmWPVj1B6CnWkiUw4an0FHKrYPkfWQI:U8DQT+7Vhf3NpYt1tWkNNFHKr1WWiJ

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1944	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1944	1612	9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe	26
PID 1612 wrote to memory of 1944	1612	9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe	26
PID 1612 wrote to memory of 1944	1612	9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe	26
PID 1612 wrote to memory of 1944	1612	9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe	26

C:\Users\Admin\AppData\Local\Temp\9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe
"C:\Users\Admin\AppData\Local\Temp\9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Dgz..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1944

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Dgz..bat

Filesize
274B

MD5
95a4aa2066c824c27ba8bed2cd952a38

SHA1
0ef5a9c7f02d8466feaa07e018a1cc3d976705d9

SHA256
1fa1c9952bfedc89cab70f6bdb2a1cdd41fc0145e4f2a98b38686798f53bb352

SHA512
a976912d272a0cb0c37dc08e013487a828788043ac7cafa8bd7345c20ec209a47bffa39f7e50e836ed3eecb93e75b766fa1d22e1ffea76e66d63cb2d342d001b

Download Submit
memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1612-55-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1612-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1612-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download