4d171cff0fff3828b1f6eb716096a9c227658053b5bb5f4c0dede977ba1c0781

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d171cff0fff3828b1f6eb716096a9c227658053b5bb5f4c0dede977ba1c0781.exe
Size

111KB
MD5

433543b000e1657334d2a24664338a3f
SHA1

1ec1127d3db4ac167852212b534cbeb9da4dcd46
SHA256

4d171cff0fff3828b1f6eb716096a9c227658053b5bb5f4c0dede977ba1c0781
SHA512

ace37c7b5218c4039de5fe5e32aa03b9325bbd032569891673d11886b542adf1ef6c8b5290e43da5f6adcda544e4d8002405351d88173e646a02a39d3a14ea56
SSDEEP

1536:nW/S+WgcqUms6I3lVmSO29KDMw3+qtU9VG978iqLTFFIb:avsLo29kMw3+Q978iqFFIb

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1424	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1424	1808	4d171cff0fff3828b1f6eb716096a9c227658053b5bb5f4c0dede977ba1c0781.exe	27
PID 1808 wrote to memory of 1424	1808	4d171cff0fff3828b1f6eb716096a9c227658053b5bb5f4c0dede977ba1c0781.exe	27
PID 1808 wrote to memory of 1424	1808	4d171cff0fff3828b1f6eb716096a9c227658053b5bb5f4c0dede977ba1c0781.exe	27
PID 1808 wrote to memory of 1424	1808	4d171cff0fff3828b1f6eb716096a9c227658053b5bb5f4c0dede977ba1c0781.exe	27

C:\Users\Admin\AppData\Local\Temp\4d171cff0fff3828b1f6eb716096a9c227658053b5bb5f4c0dede977ba1c0781.exe
"C:\Users\Admin\AppData\Local\Temp\4d171cff0fff3828b1f6eb716096a9c227658053b5bb5f4c0dede977ba1c0781.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Mbp..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mbp..bat

Filesize
274B

MD5
fcddb20305f55131474b6190455797e6

SHA1
a913eea46b1bd66541531e8e1afdfc7ddedc0585

SHA256
4dd52263aca4089162ee61395770242dc764b94a8a86d60316b504316568679b

SHA512
9a5a26cc477b84f4d271c377ea76662ce305450cd51058ee77954af0c342cce52956833f2cbeabd6000b82a16da69765e3f590d85c74f8af5fd13a34c1b7afe0

Download Submit
memory/1808-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1808-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1808-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download