b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97

Analysis

max time kernel
38s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 20:43

Target

b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe
Size

113KB
MD5

483f9ca4dc8862b4c1d082fa2fbc62e3
SHA1

b09e81d95c334950f8fad48bbe3b9b6bb027c9b0
SHA256

b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97
SHA512

482fdd7afcb4c3d6e7ed80d65d19e133a61f478a43d2af77531b53ae42d441c2b15e8b49b7da6c58c3c7cd1bae28cb64f98b3792e062714a20ac775032669623
SSDEEP

3072:XemcyqFcEJrRL5JbfHmTy6ol2M5bh85VN+umgLFIq:Xi1Fz7mMkc18PNIgJ

Score

7^/10

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1092 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1092	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe

description	pid	process	target process
PID 1672 wrote to memory of 1092	1672	b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe	cmd.exe
PID 1672 wrote to memory of 1092	1672	b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe	cmd.exe
PID 1672 wrote to memory of 1092	1672	b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe	cmd.exe
PID 1672 wrote to memory of 1092	1672	b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe
"C:\Users\Admin\AppData\Local\Temp\b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Czb..bat" > nul 2> nul
2⤵
- Deletes itself
PID:1092

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\Czb..bat
Filesize
274B

MD5
7e2400b6495e21c2b5aa77fea01795dd

SHA1
2b6ff08e4158c601c653650d76f587aa31d291ea

SHA256
5a8afc0bb4df765c602d7192f6e3b57b9e08c4cd1924d38bac57b996c74e1634

SHA512
9e0c52c0f0a25a47d184a0019b9aa789b0959b91473c505cc30cd33b26970ee8dea41da1bef7258fdee39030e1229f24d49aa5215c8bc0185ed49ad5083f232a

Download Submit
memory/1092-57-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download
memory/1672-56-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download
memory/1672-58-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download