Analysis
- max time kernel: 17s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 13:32
Static task: static1
Behavioral task: behavioral1
Sample: 9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe
Resource: win10v2004-20221111-en
General
- Target: 9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe
- Size: 126KB
- MD5: a3a8a45aa25e6171e33634e32a431683
- SHA1: 4888cfd6834a6171d82305a952592bcf5c089257
- SHA256: 9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6
- SHA512: 0ba4235532c5cf471f9a25ff121df185b216aba87aef21a8adf415e01042ea26b94ab6aa178f45f1ac80c3cf2a8d330bcb04643b8446495c247e614eb488ce62
- SSDEEP: 1536:13L71KeIPYaNJwPDoDMhFaddOyaVqEUG/eVReZWhn0ranFw1JqtFuWScsY9MGMwS:13hIwErDVaVNkDEmFwit3lTS
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes:
  pid   process
  1992  cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                        pid   process                                                                    target process
  PID 1776 wrote to memory of 1992   1776  9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe  cmd.exe
  PID 1776 wrote to memory of 1992   1776  9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe  cmd.exe
  PID 1776 wrote to memory of 1992   1776  9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe  cmd.exe
  PID 1776 wrote to memory of 1992   1776  9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe  cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of 1)
      Command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Mcf..bat" > nul 2> nul
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Mcf..bat
  Filesize: 274B
  MD5: 8d400b9dbac262a7583eb105faf6f37a
  SHA1: 197fa63c0e21693f57aab21442f0f929aac9af05
  SHA256: 8d203e14a123ab00f1ae96502b20d16cd8afc31e6d4b4e49b42892c774311f92
  SHA512: 165637e89f04820167aac9e69f546a9d4ac6db6910c5a500af7e287a576bd42c2a71f5b7c23760de68e6a89585a1904e3cfe30af9ebe4b8f0347f502d3e0d46f
- memory/1776-54-0x00000000005C0000-0x00000000005ED000-memory.dmp
  Filesize: 180KB
- memory/1776-55-0x0000000000400000-0x0000000000422000-memory.dmp
  Filesize: 136KB
- memory/1776-56-0x0000000076321000-0x0000000076323000-memory.dmp
  Filesize: 8KB
- memory/1776-57-0x00000000005C0000-0x00000000005ED000-memory.dmp
  Filesize: 180KB
- memory/1992-58-0x0000000000000000-mapping.dmp