abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 04:10

Target

abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5.exe
Size

1.5MB
MD5

a96924b7816273f2c877cd3d3801a773
SHA1

1a33a95f2d2adee5ca7f46c690ce7cd80fde0144
SHA256

abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5
SHA512

ea03bc26fe01fc9f59b652e59e69d77cf1d917c5e4ac543a4edaa16c0276c1f2a44cd754ba47060094fbbe1c17db0311c7ba163d4a1bd810c5b26544c960b4d2
SSDEEP

24576:4CRVw6CR1Lh55olWkfjRPaxVsjobB/Tg7z+M466ZD5bXMUfhRF22wNydyuuAagkC:hMRXvoJrZUss/Ts+M46ubXlfQ2S+y79C

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5.exe

description	pid	process	target process
PID 1460 wrote to memory of 908	1460	abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5.exe	mshta.exe
PID 1460 wrote to memory of 908	1460	abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5.exe	mshta.exe
PID 1460 wrote to memory of 908	1460	abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5.exe	mshta.exe
PID 1460 wrote to memory of 908	1460	abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5.exe	mshta.exe
PID 1460 wrote to memory of 908	1460	abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5.exe	mshta.exe
PID 1460 wrote to memory of 908	1460	abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5.exe	mshta.exe
PID 1460 wrote to memory of 908	1460	abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5.exe
"C:\Users\Admin\AppData\Local\Temp\abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCriPt: cLosE ( creAteObjEcT( "WScRiPT.shEll" ). run ( "CmD /q /c copy /Y ""C:\Users\Admin\AppData\Local\Temp\abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5.exe"" AQoSO5L7O~oMAYY.EXe && start AQOSO5L7O~OmAyy.exe /pPmdKlUHn~2WTCEUERxZ & IF """"== """" for %r iN ( ""C:\Users\Admin\AppData\Local\Temp\abe928dc362e04e409a379aaef0e8baa18a2a0f1a6b4947e0210c4d52a49bcb5.exe"") do taskkill -iM ""%~Nxr"" /f " , 0,TrUE))
2⤵
PID:908

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/908-55-0x0000000000000000-mapping.dmp

Download
memory/1460-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download