73fc2fb8349b1c2b7a831e0f1f43ad64c02bb3ebfd873c22b35c8d8f092e000e

Analysis

max time kernel
147s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 09:36 UTC

Target

73fc2fb8349b1c2b7a831e0f1f43ad64c02bb3ebfd873c22b35c8d8f092e000e.exe
Size

556KB
MD5

0bbdaceeebb606006fc67540bbfab1e6
SHA1

e03c3bf053446c549bfd079e7c2211db3666c1f7
SHA256

73fc2fb8349b1c2b7a831e0f1f43ad64c02bb3ebfd873c22b35c8d8f092e000e
SHA512

1f13cd2ae0432631b4e7b825a0cb9568948eccd8aa539ac8b28fc35fb1eb2ab710a27b11e33319efed97667b295b94f8d6382a9247d63456e4798320ff68e393
SSDEEP

12288:8RZ+IoG/n9IQxW3OBsevLdocVDhLpWNLdocVDhLpWq+tGPbi:G2G/nvxW3Wbhp4hpxTi

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 812	1460	73fc2fb8349b1c2b7a831e0f1f43ad64c02bb3ebfd873c22b35c8d8f092e000e.exe	27
PID 1460 wrote to memory of 812	1460	73fc2fb8349b1c2b7a831e0f1f43ad64c02bb3ebfd873c22b35c8d8f092e000e.exe	27
PID 1460 wrote to memory of 812	1460	73fc2fb8349b1c2b7a831e0f1f43ad64c02bb3ebfd873c22b35c8d8f092e000e.exe	27
PID 1460 wrote to memory of 812	1460	73fc2fb8349b1c2b7a831e0f1f43ad64c02bb3ebfd873c22b35c8d8f092e000e.exe	27

C:\Users\Admin\AppData\Local\Temp\73fc2fb8349b1c2b7a831e0f1f43ad64c02bb3ebfd873c22b35c8d8f092e000e.exe
"C:\Users\Admin\AppData\Local\Temp\73fc2fb8349b1c2b7a831e0f1f43ad64c02bb3ebfd873c22b35c8d8f092e000e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rp privatev.vbs"
  2⤵
  PID:812

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rp privatev.vbs

Filesize
255B

MD5
4f04e837c51bbacffc7f01b119ef6f52

SHA1
6087cbe385f2ddcfa36b3d6dac567cc20b1ea16c

SHA256
a95739812ce59bb85631ee6d6417287fd0bf0f999691a648e76be6d6711d55e5

SHA512
5b720c54882c1b8748d731c14709292ebd19f8668b791396a54a7dbfdba51618a7e473884d45079f4fa6a899c4f36d091475d71e64298915a8950eb48e246391

Download Submit
memory/1460-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download