c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297

Analysis

max time kernel
40s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 19:30

Target

c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe
Size

126KB
MD5

f935e1d087a0b0462f9d65da12f9d632
SHA1

42dcb1ac8599ff93f60a3e20d35e5dac42c4fd21
SHA256

c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297
SHA512

24fcf6f53435d9b277fa87e9000306a66eaccdf9271e86dde1f99a4ffb111a69c68e8c0cec00dc9966d308d6aecd999095f8b4ef9271924c0aea0667d9c67a81
SSDEEP

1536:13L71KeIP5aNJwPDoDMhFaddOyaVqEUG/eVReZWhn0ranFw1JqtFuWScsY9MGMwS:13hIhErDVaVNkDEmFwit3lTS

Score

7^/10

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1972 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1972	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe

description	pid	process	target process
PID 1112 wrote to memory of 1972	1112	c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe	cmd.exe
PID 1112 wrote to memory of 1972	1112	c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe	cmd.exe
PID 1112 wrote to memory of 1972	1112	c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe	cmd.exe
PID 1112 wrote to memory of 1972	1112	c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe
"C:\Users\Admin\AppData\Local\Temp\c6510b303e97410644414ac73e1c39856a9c83695306be5a1522fb0101320297.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Nhv..bat" > nul 2> nul
2⤵
- Deletes itself
PID:1972

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\Nhv..bat
Filesize
274B

MD5
13ec7540d54d036bbea6864f279cc63c

SHA1
fe7dc327f83a6194f9ab1a83d48f98dd21d4511d

SHA256
3e0c6c25855397bb3039d19c9600b27c9a7bdd711d17bb3d47fc68f0da78e003

SHA512
d1f5faabbb2fa27f03e9c190b0fa5a25bb108bb7fb1eeaffb410f89a9793e7fb6b2367fb463030f52e8164da34508b3435691ab656a9e2dc620966794fee9687

Download Submit
memory/1112-54-0x0000000000230000-0x000000000025D000-memory.dmp

Filesize
180KB

Download
memory/1112-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1112-56-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1112-57-0x0000000000230000-0x000000000025D000-memory.dmp

Filesize
180KB

Download
memory/1972-58-0x0000000000000000-mapping.dmp

Download