62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9

Analysis

max time kernel
91s
max time network
131s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:46

Target

62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe
Size

113KB
MD5

ce04be5ea49bf4b2bb1824f94349bcfe
SHA1

fb3d596a4fd5f501c2b4b042a12b7208c1d13e30
SHA256

62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9
SHA512

0dc46a16efec9b449cbe5b52a7175fca0e7c12c88f3fbeecf5bc1eafa3e102ee8f33bd28c8cb9455e38f8c3d233c65abd3e4c7d701c15cd6e41f8b7726fee22b
SSDEEP

3072:JemcyqFcEJrRL5JbfHmTy6ol2M5bh85VN+umgLFIq:Ji1Fz7mMkc18PNIgJ

Score

7^/10

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1116 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1116	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe

description	pid	process	target process
PID 2008 wrote to memory of 1116	2008	62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe	cmd.exe
PID 2008 wrote to memory of 1116	2008	62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe	cmd.exe
PID 2008 wrote to memory of 1116	2008	62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe	cmd.exe
PID 2008 wrote to memory of 1116	2008	62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe
"C:\Users\Admin\AppData\Local\Temp\62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ppb..bat" > nul 2> nul
2⤵
- Deletes itself
PID:1116

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Ppb..bat

Filesize
274B

MD5
dea8ace5ec168e7f709aadb49f34a688

SHA1
57f7d979fd9f48075149847e48e5bb679ad42fd8

SHA256
fb44593f09f5674f8a60d812179871625322604b470514600a88096f27272406

SHA512
2b8370d58ca32e46feb4336b80702485404676eaa2fb4d8e7eab480c7f91a1128c54009b79ef8d79da23a432aa2b0fcaa490651844f85be173b68d084083788f

Download Submit
memory/1116-57-0x0000000000000000-mapping.dmp

Download
memory/2008-54-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/2008-55-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download
memory/2008-56-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download
memory/2008-58-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download