7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0

Analysis

max time kernel
122s
max time network
213s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 08:52

Target

7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0.exe
Size

312KB
MD5

1844991ceb39cc126d5c988602af4e86
SHA1

09bc29fc6937383eb3c02c6ae261bd562ecd8c96
SHA256

7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0
SHA512

1b3cdacdd86263baf9ad3831ebe2f989c4db20480c410a044088a95b277ebca7ae2d6d9113b85ec268a02a4d37fea9a3a067767905db449f839f1df50551c370
SSDEEP

3072:iQUmZVX/L7wxxxfrjPUs7Q+KYpOzn1nUn1SBlwbYEnW:imXz7w7xzjPUyQlYpOz1UnkARnW

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 576	1260	7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0.exe	28
PID 1260 wrote to memory of 576	1260	7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0.exe	28
PID 1260 wrote to memory of 576	1260	7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0.exe	28
PID 1260 wrote to memory of 576	1260	7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0.exe	28
PID 1260 wrote to memory of 576	1260	7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0.exe	28
PID 1260 wrote to memory of 576	1260	7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0.exe	28
PID 1260 wrote to memory of 576	1260	7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0.exe	28

C:\Users\Admin\AppData\Local\Temp\7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0.exe
"C:\Users\Admin\AppData\Local\Temp\7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0.exe
  "C:\Users\Admin\AppData\Local\Temp\7ce3fe0dd754559504e26ead6e8d4e07da833e8912ab2220bf2f0b70c30847a0.exe" ADMIN
  2⤵
  PID:576

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1260-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download