12bf0ffad64011452112e5825f9161e6b79479c39e0f9b15daad5937d43f8f0b

Analysis

max time kernel
22s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12bf0ffad64011452112e5825f9161e6b79479c39e0f9b15daad5937d43f8f0b.exe
Size

456KB
MD5

059af5b26ac60c50f7a919064bbeba8c
SHA1

8130b46634aec48c54c1bb6d06582f92746adc5b
SHA256

12bf0ffad64011452112e5825f9161e6b79479c39e0f9b15daad5937d43f8f0b
SHA512

cdd4afdfb677f029bd71ea52a21808e16369ad9332d1bd8e50b3ebf1b33cdeaf9cb4b3bed063975a9fedac66c991f8941d8413802e23ea35d1b6142f88233758
SSDEEP

3072:4tZYmy5Jk7dRz1iASs/rYo752KsCp7a/EliKxfJkxbPL1dypZQaSJVr+1O/:eYmy5JmRz1iAJByGxw1dy7QaSDrY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1556 cmd.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

File opened (read-only) \??\D: cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1452 PING.EXE
1744 PING.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

12bf0ffad64011452112e5825f9161e6b79479c39e0f9b15daad5937d43f8f0b.exe

pid process

1928 12bf0ffad64011452112e5825f9161e6b79479c39e0f9b15daad5937d43f8f0b.exe

pid	process
1556	cmd.exe

description	ioc	process
File opened (read-only)	\??\D:	cmd.exe

pid	process
1452	PING.EXE
1744	PING.EXE

pid	process
1928	12bf0ffad64011452112e5825f9161e6b79479c39e0f9b15daad5937d43f8f0b.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

12bf0ffad64011452112e5825f9161e6b79479c39e0f9b15daad5937d43f8f0b.execmd.exe

description	pid	process	target process
PID 1928 wrote to memory of 1556	1928	12bf0ffad64011452112e5825f9161e6b79479c39e0f9b15daad5937d43f8f0b.exe	cmd.exe
PID 1928 wrote to memory of 1556	1928	12bf0ffad64011452112e5825f9161e6b79479c39e0f9b15daad5937d43f8f0b.exe	cmd.exe
PID 1928 wrote to memory of 1556	1928	12bf0ffad64011452112e5825f9161e6b79479c39e0f9b15daad5937d43f8f0b.exe	cmd.exe
PID 1928 wrote to memory of 1556	1928	12bf0ffad64011452112e5825f9161e6b79479c39e0f9b15daad5937d43f8f0b.exe	cmd.exe
PID 1556 wrote to memory of 1452	1556	cmd.exe	PING.EXE
PID 1556 wrote to memory of 1452	1556	cmd.exe	PING.EXE
PID 1556 wrote to memory of 1452	1556	cmd.exe	PING.EXE
PID 1556 wrote to memory of 1452	1556	cmd.exe	PING.EXE
PID 1556 wrote to memory of 1744	1556	cmd.exe	PING.EXE
PID 1556 wrote to memory of 1744	1556	cmd.exe	PING.EXE
PID 1556 wrote to memory of 1744	1556	cmd.exe	PING.EXE
PID 1556 wrote to memory of 1744	1556	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\12bf0ffad64011452112e5825f9161e6b79479c39e0f9b15daad5937d43f8f0b.exe
"C:\Users\Admin\AppData\Local\Temp\12bf0ffad64011452112e5825f9161e6b79479c39e0f9b15daad5937d43f8f0b.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\\MoveFile.bat
2⤵
- Deletes itself
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\PING.EXE
ping -a 127.1
3⤵
- Runs ping.exe
PID:1452

C:\Windows\SysWOW64\PING.EXE
ping 127.1
3⤵
- Runs ping.exe
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MoveFile.bat

Filesize
339B

MD5
c8521b781ceb07f2d798b6a915a4f687

SHA1
3a97eedea8620d08c117027ce9192bd3e4bbb27d

SHA256
ce39e0f34714e2deaec3acf7377cce6ed536ae425172988c3e4c7dd5a47aec21

SHA512
286215702f860fe4ca2aa9329c9e40aa77c8b4b75b627f8bf6f42da1e923b8d70408235e9428a22aca6c3e82db4f0fd7357889ab5b02e82ad0bded8d16e01b9e

Download Submit
memory/1452-61-0x0000000000000000-mapping.dmp

Download
memory/1556-57-0x0000000000000000-mapping.dmp

Download
memory/1744-63-0x0000000000000000-mapping.dmp

Download
memory/1928-56-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1928-58-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1928-59-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download