f1d6fd98189b1971608a6dde289d4f0aad44f53085cd128a94fa0210fb28061b

Analysis

max time kernel
41s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:30

Target

f1d6fd98189b1971608a6dde289d4f0aad44f53085cd128a94fa0210fb28061b.exe
Size

233KB
MD5

886c3b47d9d7ddbf672b5fa8c5b24f1d
SHA1

feb6d91615abf6adaf614222b0fcb85e2482bff2
SHA256

f1d6fd98189b1971608a6dde289d4f0aad44f53085cd128a94fa0210fb28061b
SHA512

a7e4909529717ff940467ea42e21d7eb2ed9950293c2ac4c564209dcc43e98c521c39915103bf032827e606397fce173578cf660197ba7e6a020e1fb929897af
SSDEEP

6144:SX1v8IrIGYZ4CsUnK2wh4eSmGE1OzJO6nl:mh8IrIGYZ1skQNp1OzD

Score

8^/10

upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1668-55-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1668-58-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1668-60-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1820 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1820	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f1d6fd98189b1971608a6dde289d4f0aad44f53085cd128a94fa0210fb28061b.exe

description	pid	process	target process
PID 1668 wrote to memory of 1820	1668	f1d6fd98189b1971608a6dde289d4f0aad44f53085cd128a94fa0210fb28061b.exe	cmd.exe
PID 1668 wrote to memory of 1820	1668	f1d6fd98189b1971608a6dde289d4f0aad44f53085cd128a94fa0210fb28061b.exe	cmd.exe
PID 1668 wrote to memory of 1820	1668	f1d6fd98189b1971608a6dde289d4f0aad44f53085cd128a94fa0210fb28061b.exe	cmd.exe
PID 1668 wrote to memory of 1820	1668	f1d6fd98189b1971608a6dde289d4f0aad44f53085cd128a94fa0210fb28061b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f1d6fd98189b1971608a6dde289d4f0aad44f53085cd128a94fa0210fb28061b.exe
"C:\Users\Admin\AppData\Local\Temp\f1d6fd98189b1971608a6dde289d4f0aad44f53085cd128a94fa0210fb28061b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\d.bat" "
  2⤵
  - Deletes itself
  PID:1820

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\d.bat

Filesize
163B

MD5
7af0fb0ea4a29ce0745218cafe964905

SHA1
a947e30f09d8bc9f7c24bc898a2ec223c28aa412

SHA256
570d68536c1ab0c0e4493218329e93091af5bf4f4280f0dddfb6ffc3978f2d97

SHA512
206955d52129c2a670993387105c550dc43af2f4c0cf525f1f799ee0213daa89a89b0a7416bb31fe18e6af20ee0461f068175f81d2a91f041cbb0c499c30dc11

Download Submit
memory/1668-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1668-55-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1668-57-0x0000000002120000-0x00000000021B5000-memory.dmp

Filesize
596KB

Download
memory/1668-58-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1668-60-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1820-59-0x0000000000000000-mapping.dmp

Download