f9aae9546b380eda15c79a539f9db2985c424529bd7e9684100dd3eb0a4801e0

Analysis

max time kernel
85s
max time network
113s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 23:08

Target

f9aae9546b380eda15c79a539f9db2985c424529bd7e9684100dd3eb0a4801e0.exe
Size

99KB
MD5

9c97f4c3840a29ceb39b21d22ee30803
SHA1

776c833477bf9f1f79bd611ae8539c80d83255d9
SHA256

f9aae9546b380eda15c79a539f9db2985c424529bd7e9684100dd3eb0a4801e0
SHA512

8b8133b4169bb1b8250c53d000731e82c5a4d4dcd4e387361950af54c70955065d515afb9a944106262777450739ceae7738f668d2334e0f7a7a6490d0fb7d16
SSDEEP

1536:zwvkNOWFnmocWP0aCgaGlmo3fyvIN+NcN26viABQGkllL5Psv5bY55B8:zjO8lm74BdiR5O5bC7

Score

7^/10

Deletes itself 1 IoCs

pid	Process
332	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysWOW32	f9aae9546b380eda15c79a539f9db2985c424529bd7e9684100dd3eb0a4801e0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2024	f9aae9546b380eda15c79a539f9db2985c424529bd7e9684100dd3eb0a4801e0.exe
2024	f9aae9546b380eda15c79a539f9db2985c424529bd7e9684100dd3eb0a4801e0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 332	2024	f9aae9546b380eda15c79a539f9db2985c424529bd7e9684100dd3eb0a4801e0.exe	30
PID 2024 wrote to memory of 332	2024	f9aae9546b380eda15c79a539f9db2985c424529bd7e9684100dd3eb0a4801e0.exe	30
PID 2024 wrote to memory of 332	2024	f9aae9546b380eda15c79a539f9db2985c424529bd7e9684100dd3eb0a4801e0.exe	30
PID 2024 wrote to memory of 332	2024	f9aae9546b380eda15c79a539f9db2985c424529bd7e9684100dd3eb0a4801e0.exe	30

C:\Users\Admin\AppData\Local\Temp\f9aae9546b380eda15c79a539f9db2985c424529bd7e9684100dd3eb0a4801e0.exe
"C:\Users\Admin\AppData\Local\Temp\f9aae9546b380eda15c79a539f9db2985c424529bd7e9684100dd3eb0a4801e0.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\killfile.bat" "
  2⤵
  - Deletes itself
  PID:332

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\killfile.bat

Filesize
301B

MD5
90a813dd397870b3b58f2cd4e81df19a

SHA1
20be57c3b429f87693d08c0a58ccc00eb880dfc0

SHA256
6351fc3d30e50a32b69a68473e27cc39d6c4f0d79a9491cf7abe6009d240b885

SHA512
dc340fd357be3b12b253e10c9e13e6ee4cdc6da2b8f5c51e5fecaf35666a34a47584ec32bc9573357c41f807573e402f2a1405cbed593968cae7f273e113d2f5

Download Submit
memory/2024-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download