Analysis
-
max time kernel
40s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
24-11-2022 19:30
Static task
static1
Behavioral task
behavioral1
Sample
c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe
Resource
win10v2004-20221111-en
General
-
Target
c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe
-
Size
126KB
-
MD5
f935e1d087a0b0462f9d65da12f9d632
-
SHA1
42dcb1ac8599ff93f60a3e20d35e5dac42c4fd21
-
SHA256
c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297
-
SHA512
24fcf6f53435d9b277fa87e9000306a66eaccdf9271e86dde1f99a4ffb111a69c68e8c0cec00dc9966d308d6aecd999095f8b4ef9271924c0aea0667d9c67a81
-
SSDEEP
1536:13L71KeIP5aNJwPDoDMhFaddOyaVqEUG/eVReZWhn0ranFw1JqtFuWScsY9MGMwS:13hIhErDVaVNkDEmFwit3lTS
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1972 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exedescription pid process target process PID 1112 wrote to memory of 1972 1112 c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe cmd.exe PID 1112 wrote to memory of 1972 1112 c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe cmd.exe PID 1112 wrote to memory of 1972 1112 c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe cmd.exe PID 1112 wrote to memory of 1972 1112 c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe"C:\Users\Admin\AppData\Local\Temp\c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Nhv..bat" > nul 2> nul2⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Nhv..batFilesize
274B
MD513ec7540d54d036bbea6864f279cc63c
SHA1fe7dc327f83a6194f9ab1a83d48f98dd21d4511d
SHA2563e0c6c25855397bb3039d19c9600b27c9a7bdd711d17bb3d47fc68f0da78e003
SHA512d1f5faabbb2fa27f03e9c190b0fa5a25bb108bb7fb1eeaffb410f89a9793e7fb6b2367fb463030f52e8164da34508b3435691ab656a9e2dc620966794fee9687
-
memory/1112-54-0x0000000000230000-0x000000000025D000-memory.dmpFilesize
180KB
-
memory/1112-55-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/1112-56-0x0000000075351000-0x0000000075353000-memory.dmpFilesize
8KB
-
memory/1112-57-0x0000000000230000-0x000000000025D000-memory.dmpFilesize
180KB
-
memory/1972-58-0x0000000000000000-mapping.dmp