a4915b0db0d400666c090dad1a6e9c81e3942834e07f0b53541c7f460762f04b

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/11/2022, 05:36

Target

a4915b0db0d400666c090dad1a6e9c81e3942834e07f0b53541c7f460762f04b.exe
Size

2.2MB
MD5

ec9e29c8330e717ccaf7e11f6baf6f22
SHA1

d9224cf44dba1aad3fb633407bc17dc4776ae0ab
SHA256

a4915b0db0d400666c090dad1a6e9c81e3942834e07f0b53541c7f460762f04b
SHA512

e518397710109673dab7d79b87d55b55e271a0642f7007a682decff42b47e3f01f98999ac457b1fb28ed67a9cab07f7b54ddff95d8786cc0bc7f79eeb8bd57d3
SSDEEP

49152:jB3S17FKwAVikABu3YREjcdaO1mezjsQXVMURB3SvaA8vZ9AT2+:dIKRi1BuoREjkaKaQXaUfGwvZU2+

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1972	1896	a4915b0db0d400666c090dad1a6e9c81e3942834e07f0b53541c7f460762f04b.exe	28
PID 1896 wrote to memory of 1972	1896	a4915b0db0d400666c090dad1a6e9c81e3942834e07f0b53541c7f460762f04b.exe	28
PID 1896 wrote to memory of 1972	1896	a4915b0db0d400666c090dad1a6e9c81e3942834e07f0b53541c7f460762f04b.exe	28
PID 1896 wrote to memory of 1972	1896	a4915b0db0d400666c090dad1a6e9c81e3942834e07f0b53541c7f460762f04b.exe	28
PID 1896 wrote to memory of 1972	1896	a4915b0db0d400666c090dad1a6e9c81e3942834e07f0b53541c7f460762f04b.exe	28
PID 1896 wrote to memory of 1972	1896	a4915b0db0d400666c090dad1a6e9c81e3942834e07f0b53541c7f460762f04b.exe	28
PID 1896 wrote to memory of 1972	1896	a4915b0db0d400666c090dad1a6e9c81e3942834e07f0b53541c7f460762f04b.exe	28
PID 1972 wrote to memory of 1208	1972	cmd.exe	30
PID 1972 wrote to memory of 1208	1972	cmd.exe	30
PID 1972 wrote to memory of 1208	1972	cmd.exe	30
PID 1972 wrote to memory of 1208	1972	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\a4915b0db0d400666c090dad1a6e9c81e3942834e07f0b53541c7f460762f04b.exe
"C:\Users\Admin\AppData\Local\Temp\a4915b0db0d400666c090dad1a6e9c81e3942834e07f0b53541c7f460762f04b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO ªbªw╕╦º╣ª¿½eñ┼├÷│¼╡°╡ííAº╣ª¿½ß╖"
    3⤵
    PID:1208

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
5KB

MD5
032844b360340dceee46dc61404b0c25

SHA1
f2ecd23e8af44426d2a3bc056953e2f367d91443

SHA256
522799f16c3ccc3d2b5337b8f50c076d1b341a218ba0e736e29e0661a57b59fa

SHA512
e375285c996ceb4a755ca47bb7d4557fce5e5d93fb15816dcfcf02e0e3cdfcea8a63ccb410407d082a792f736d55d83ef75d831a2fa5877cb4183d7f943cf915

Download Submit
memory/1896-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download