c2b00a42f210757d900e89de7301dabbb18217f56048f5f7092071afbc880dc7

Analysis

max time kernel
134s
max time network
137s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 01:35

Target

c2b00a42f210757d900e89de7301dabbb18217f56048f5f7092071afbc880dc7.exe
Size

152KB
MD5

aaf919767eca2896dec901c2efd0a4e6
SHA1

5bc47d09165f321103329dbd362575b040142077
SHA256

c2b00a42f210757d900e89de7301dabbb18217f56048f5f7092071afbc880dc7
SHA512

6480ea93443351af156db6259b3a48c0f9bf5c70d386200837faf480733db975e9efcaef8850d19d7a0893631ba4dacf1020a14be76f1dd98f0f959dc9afcbe9
SSDEEP

3072:D0d3mlWAMWo80tjerMHNWL3Hx+vLQfqvs1C8/ehoraNUXhnQPL8u:D0pmletjSFyvs1C8/ehoraNUXRQz

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1080	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 1080	1440	c2b00a42f210757d900e89de7301dabbb18217f56048f5f7092071afbc880dc7.exe	31
PID 1440 wrote to memory of 1080	1440	c2b00a42f210757d900e89de7301dabbb18217f56048f5f7092071afbc880dc7.exe	31
PID 1440 wrote to memory of 1080	1440	c2b00a42f210757d900e89de7301dabbb18217f56048f5f7092071afbc880dc7.exe	31
PID 1440 wrote to memory of 1080	1440	c2b00a42f210757d900e89de7301dabbb18217f56048f5f7092071afbc880dc7.exe	31

C:\Users\Admin\AppData\Local\Temp\c2b00a42f210757d900e89de7301dabbb18217f56048f5f7092071afbc880dc7.exe
"C:\Users\Admin\AppData\Local\Temp\c2b00a42f210757d900e89de7301dabbb18217f56048f5f7092071afbc880dc7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2749.bat" "C:\Users\Admin\AppData\Local\Temp\c2b00a42f210757d900e89de7301dabbb18217f56048f5f7092071afbc880dc7.exe""
  2⤵
  - Deletes itself
  PID:1080

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\2749.bat

Filesize
204B

MD5
488e09571f2daf9e1a4ec6403ea16354

SHA1
ab2988d7bb94e455c959561f5b400bae7cd3d7a5

SHA256
3efb581736a88b36cccd25bd7f4be2462bb719f021a4b454023d2ba10603aa96

SHA512
1036ddcc4a21c33f8dd60b03d306e28e6ab31aa4eebf0f6cf95a059ff669676807720041b1aa9af49ce835a6d55502fc763bb926e65955daf711854c818d0c6e

Download Submit
memory/1440-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download