baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3

Analysis

max time kernel
42s
max time network
72s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 20:54

Target

baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe
Size

113KB
MD5

1b6e444ba7241ccaed3fb67e191cf605
SHA1

885b749ced5993737081b47dcb490cce18498af9
SHA256

baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3
SHA512

eb4c6a3d5f91b5851808124b6f4d5437988c26136c78ea1b7e9d64e107e6a2d04a442955dfae57be18cebbfabbdee3e7bdcd6116bd32c1538c2b1070ee694f67
SSDEEP

3072:QuiBG6IggKenHasq9y25XquxAzflFEHURitEHyp+xAFSdsmFIb:hggKen6sQy+quegw1AF/1

Score

7^/10

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

844 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
844	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe

description	pid	process	target process
PID 1496 wrote to memory of 844	1496	baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe	cmd.exe
PID 1496 wrote to memory of 844	1496	baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe	cmd.exe
PID 1496 wrote to memory of 844	1496	baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe	cmd.exe
PID 1496 wrote to memory of 844	1496	baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe
"C:\Users\Admin\AppData\Local\Temp\baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Vcz..bat" > nul 2> nul
2⤵
- Deletes itself
PID:844

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Vcz..bat

Filesize
274B

MD5
6c4ed9ea110c21ddb5be5ce3de3d486f

SHA1
57b12daf9794f7c2c0beda37c730e5a218ce746d

SHA256
ea2f43a7c94c8659e961207bf79c082b575f3c3916d475128557568cc5600a57

SHA512
1382c265baadba4170e98d59f479e6e98d08e01e4d8818dad655ffe29337e345dfcb84553869b00e41ea65c95bec3e56cac29f0a9fee7fa060830eb7c2a7894c

Download Submit
memory/844-57-0x0000000000000000-mapping.dmp

Download
memory/1496-54-0x0000000076161000-0x0000000076163000-memory.dmp

Filesize
8KB

Download
memory/1496-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-56-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-58-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download