91c47cf21d339ab7ec06da4aad03317d87775382570edc61e5bfe6c12fcd1bbe

Analysis

max time kernel
31s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:15

Target

91c47cf21d339ab7ec06da4aad03317d87775382570edc61e5bfe6c12fcd1bbe.exe
Size

101KB
MD5

1725035b197fa46cb9da27fe3d4b87c1
SHA1

3f7ddf82ee935780739769308929a0a2bb3b5428
SHA256

91c47cf21d339ab7ec06da4aad03317d87775382570edc61e5bfe6c12fcd1bbe
SHA512

84fe91a3e37576bf2de41aeaed1904f54bba4decd6b1635d384064b99af65f441a253384c154a2fc3662b41e42204c09b3361f0d8651b1310d37162a7f7b28f6
SSDEEP

1536:7P4mQ+W4hKwHCtjeWQuhrzb8yUNKAbbzCwHzx5e6ywv77St+iyYzDzRvD3:7Pil4YXBFmxN/fXx5ehwSt+iyYDztD

Score

7^/10

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1856 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1856	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

91c47cf21d339ab7ec06da4aad03317d87775382570edc61e5bfe6c12fcd1bbe.exe

description	pid	process	target process
PID 1720 wrote to memory of 1856	1720	91c47cf21d339ab7ec06da4aad03317d87775382570edc61e5bfe6c12fcd1bbe.exe	cmd.exe
PID 1720 wrote to memory of 1856	1720	91c47cf21d339ab7ec06da4aad03317d87775382570edc61e5bfe6c12fcd1bbe.exe	cmd.exe
PID 1720 wrote to memory of 1856	1720	91c47cf21d339ab7ec06da4aad03317d87775382570edc61e5bfe6c12fcd1bbe.exe	cmd.exe
PID 1720 wrote to memory of 1856	1720	91c47cf21d339ab7ec06da4aad03317d87775382570edc61e5bfe6c12fcd1bbe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\91c47cf21d339ab7ec06da4aad03317d87775382570edc61e5bfe6c12fcd1bbe.exe
"C:\Users\Admin\AppData\Local\Temp\91c47cf21d339ab7ec06da4aad03317d87775382570edc61e5bfe6c12fcd1bbe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Kpj..bat" > nul 2> nul
2⤵
- Deletes itself
PID:1856

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Kpj..bat

Filesize
274B

MD5
504768dcdf41653b9c73bbd240f76c34

SHA1
4928ca9f8f1d910c0dfd64bf9994322c613daf24

SHA256
2568b487e7a84c5f7acaf04d96fbff8958493ff25da5e261a11252707979ff15

SHA512
58ad4ed1f05893bcfe5269f6afa2ea1c55321b48d1c9af46de488f600e0ed622043def7878fedc8196b63b3516cede507d7f31b27234de1e384351374d83ca5e

Download Submit
memory/1720-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1720-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-56-0x0000000000120000-0x0000000000139000-memory.dmp

Filesize
100KB

Download
memory/1720-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1856-58-0x0000000000000000-mapping.dmp

Download