cdf5027b1bfe45ae7361fc4ec4e09118d6c8884bbfcb3dcae0e5eec4e4810825

Analysis

max time kernel
38s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 00:55

Target

cdf5027b1bfe45ae7361fc4ec4e09118d6c8884bbfcb3dcae0e5eec4e4810825.exe
Size

77KB
MD5

7c94c7270ca140081e8477a0302840cf
SHA1

f9038f0a31aa7acdb6c03ac389e092fe0c28b645
SHA256

cdf5027b1bfe45ae7361fc4ec4e09118d6c8884bbfcb3dcae0e5eec4e4810825
SHA512

66b1bbb58661ce05cee1b807cfd17cdf5f6b6098ced8ee8c7bce318ceaf4886cfd37f64084e0c847fa35e938722482069708eb22cb399de2c779a980c763be20
SSDEEP

1536:AiQgzHtbheQi4C9bnWe7z9EQ3G2e7JqSbk4p:lQgzHnCNhWSGXVqz4p

Score

7^/10

Deletes itself 1 IoCs

pid	Process
828	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 828	1408	cdf5027b1bfe45ae7361fc4ec4e09118d6c8884bbfcb3dcae0e5eec4e4810825.exe	26
PID 1408 wrote to memory of 828	1408	cdf5027b1bfe45ae7361fc4ec4e09118d6c8884bbfcb3dcae0e5eec4e4810825.exe	26
PID 1408 wrote to memory of 828	1408	cdf5027b1bfe45ae7361fc4ec4e09118d6c8884bbfcb3dcae0e5eec4e4810825.exe	26
PID 1408 wrote to memory of 828	1408	cdf5027b1bfe45ae7361fc4ec4e09118d6c8884bbfcb3dcae0e5eec4e4810825.exe	26
PID 1408 wrote to memory of 828	1408	cdf5027b1bfe45ae7361fc4ec4e09118d6c8884bbfcb3dcae0e5eec4e4810825.exe	26
PID 1408 wrote to memory of 828	1408	cdf5027b1bfe45ae7361fc4ec4e09118d6c8884bbfcb3dcae0e5eec4e4810825.exe	26
PID 1408 wrote to memory of 828	1408	cdf5027b1bfe45ae7361fc4ec4e09118d6c8884bbfcb3dcae0e5eec4e4810825.exe	26

C:\Users\Admin\AppData\Local\Temp\cdf5027b1bfe45ae7361fc4ec4e09118d6c8884bbfcb3dcae0e5eec4e4810825.exe
"C:\Users\Admin\AppData\Local\Temp\cdf5027b1bfe45ae7361fc4ec4e09118d6c8884bbfcb3dcae0e5eec4e4810825.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Jnj..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:828

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Jnj..bat

Filesize
274B

MD5
b63c93f2a575e8ba8ece80afb3fa1d27

SHA1
4ae53fd900f95cd11f4a2b7c39e53a62b537c986

SHA256
1e79a2549a595331c800279f4f8b3fcc8d189b5efbcf5ec68742147bc2b06a33

SHA512
06761191bac5fb28238d584fb74b310aa311254f4230c0af86ed1ec47f4b0869e534cb90a4a7b6333422f326ed79cd76bf1dee29c4eb3355a62e32d2d9143dc3

Download Submit
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1408-55-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/1408-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1408-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download