9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6

Analysis

max time kernel
17s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:32

Target

9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe
Size

126KB
MD5

a3a8a45aa25e6171e33634e32a431683
SHA1

4888cfd6834a6171d82305a952592bcf5c089257
SHA256

9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6
SHA512

0ba4235532c5cf471f9a25ff121df185b216aba87aef21a8adf415e01042ea26b94ab6aa178f45f1ac80c3cf2a8d330bcb04643b8446495c247e614eb488ce62
SSDEEP

1536:13L71KeIPYaNJwPDoDMhFaddOyaVqEUG/eVReZWhn0ranFw1JqtFuWScsY9MGMwS:13hIwErDVaVNkDEmFwit3lTS

Score

7^/10

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1992 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1992	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe

description	pid	process	target process
PID 1776 wrote to memory of 1992	1776	9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe	cmd.exe
PID 1776 wrote to memory of 1992	1776	9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe	cmd.exe
PID 1776 wrote to memory of 1992	1776	9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe	cmd.exe
PID 1776 wrote to memory of 1992	1776	9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe
"C:\Users\Admin\AppData\Local\Temp\9ec589231b7c2adf087d65f496c6ef04f5fa2d51850d026cdca4b57a3a0ec3a6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Mcf..bat" > nul 2> nul
2⤵
- Deletes itself
PID:1992

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\Mcf..bat
Filesize
274B

MD5
8d400b9dbac262a7583eb105faf6f37a

SHA1
197fa63c0e21693f57aab21442f0f929aac9af05

SHA256
8d203e14a123ab00f1ae96502b20d16cd8afc31e6d4b4e49b42892c774311f92

SHA512
165637e89f04820167aac9e69f546a9d4ac6db6910c5a500af7e287a576bd42c2a71f5b7c23760de68e6a89585a1904e3cfe30af9ebe4b8f0347f502d3e0d46f

Download Submit
memory/1776-54-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download
memory/1776-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1776-56-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1776-57-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download
memory/1992-58-0x0000000000000000-mapping.dmp

Download