72ea5bb81d525bd82656b23b120ad8fea5c8e2dabf8b37adabf6b0e17092a646

Analysis

max time kernel
29s
max time network
37s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:11

Target

72ea5bb81d525bd82656b23b120ad8fea5c8e2dabf8b37adabf6b0e17092a646.exe
Size

63KB
MD5

43488d923724b5c5a9d1d7cd13b5a57f
SHA1

9c7d417cabee196c01feeb6ecff7a26f8085957d
SHA256

72ea5bb81d525bd82656b23b120ad8fea5c8e2dabf8b37adabf6b0e17092a646
SHA512

2468df3140d500c02688b99e8ee14dd8c081f383a687ba29851764ea8f2bc82caaad30e4ba08cae499e79d41e7a14874d1d4422dde081277c014d9a4f1673f9e
SSDEEP

1536:/VNCBe5SPg3OpydRAwGO2vywOO2YlwBkayqyFA37LT:db5SPByrlOawL69yqyFAL/

Score

7^/10

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1472 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1472	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

72ea5bb81d525bd82656b23b120ad8fea5c8e2dabf8b37adabf6b0e17092a646.exe

description	pid	process	target process
PID 1808 wrote to memory of 1472	1808	72ea5bb81d525bd82656b23b120ad8fea5c8e2dabf8b37adabf6b0e17092a646.exe	cmd.exe
PID 1808 wrote to memory of 1472	1808	72ea5bb81d525bd82656b23b120ad8fea5c8e2dabf8b37adabf6b0e17092a646.exe	cmd.exe
PID 1808 wrote to memory of 1472	1808	72ea5bb81d525bd82656b23b120ad8fea5c8e2dabf8b37adabf6b0e17092a646.exe	cmd.exe
PID 1808 wrote to memory of 1472	1808	72ea5bb81d525bd82656b23b120ad8fea5c8e2dabf8b37adabf6b0e17092a646.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\72ea5bb81d525bd82656b23b120ad8fea5c8e2dabf8b37adabf6b0e17092a646.exe
"C:\Users\Admin\AppData\Local\Temp\72ea5bb81d525bd82656b23b120ad8fea5c8e2dabf8b37adabf6b0e17092a646.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Xxp..bat" > nul 2> nul
2⤵
- Deletes itself
PID:1472

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Xxp..bat

Filesize
274B

MD5
5a57defdf91614a99c2306f7d9f11d59

SHA1
0f0fa5ad2fac59e9e4ab9b86945f14dbc617f125

SHA256
7efe2084dd0b8777f3b021d68d8fd833a560c573e56dc4bebfb3999ac85d5c43

SHA512
ee96fd8bad8c8e46d26d397e10a16acb596bc132a599966ee0edeb3a24924643ddfb8662994aa2e4e467fd3b52b51b34e565a22e6c3474267b6733c261ab2c6a

Download Submit
memory/1472-59-0x0000000000000000-mapping.dmp

Download
memory/1808-55-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1808-54-0x0000000075991000-0x0000000075993000-memory.dmp

Filesize
8KB

Download
memory/1808-56-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/1808-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1808-58-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1808-60-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download