16dee09bc5ae2617c95ded2d55104a6d94c61677e1d6bf4a583adceaa8e9e023

Analysis

max time kernel
62s
max time network
69s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 04:01

Target

16dee09bc5ae2617c95ded2d55104a6d94c61677e1d6bf4a583adceaa8e9e023.exe
Size

121KB
MD5

0a3d6a2ee3fe3961ceefe68391557613
SHA1

f090f47a47af1eb777ea942e93c4cfd88873af91
SHA256

16dee09bc5ae2617c95ded2d55104a6d94c61677e1d6bf4a583adceaa8e9e023
SHA512

344d46fa335f7a459d4b0720c0ea3c70bacf011b5b7c32ab47fe2e7b7d8b40ac7788056296cec1b59acb3f187239dadf87e5dff3c987334b568260435afe2e8f
SSDEEP

1536:iUK3ATn6Q1w6ZnBbWxu5hb86HTU879i0PORJrqpzuQf5H+:SwTJPl9Wxuw6HTqR4p5

Score

7^/10

Deletes itself 1 IoCs

pid	Process
764	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 764	1192	16dee09bc5ae2617c95ded2d55104a6d94c61677e1d6bf4a583adceaa8e9e023.exe	27
PID 1192 wrote to memory of 764	1192	16dee09bc5ae2617c95ded2d55104a6d94c61677e1d6bf4a583adceaa8e9e023.exe	27
PID 1192 wrote to memory of 764	1192	16dee09bc5ae2617c95ded2d55104a6d94c61677e1d6bf4a583adceaa8e9e023.exe	27
PID 1192 wrote to memory of 764	1192	16dee09bc5ae2617c95ded2d55104a6d94c61677e1d6bf4a583adceaa8e9e023.exe	27

C:\Users\Admin\AppData\Local\Temp\16dee09bc5ae2617c95ded2d55104a6d94c61677e1d6bf4a583adceaa8e9e023.exe
"C:\Users\Admin\AppData\Local\Temp\16dee09bc5ae2617c95ded2d55104a6d94c61677e1d6bf4a583adceaa8e9e023.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Jlb..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:764

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Jlb..bat

Filesize
274B

MD5
158f2fd1115e4638825d929e9302df47

SHA1
ce3ff66fd10fa50f5105c897206b1c0a135caf7c

SHA256
61110a8f50d8899f3f6094e228f13b2a6dc8834aac0fe48b004a050057d292a6

SHA512
485aa4fa2189eb4bb43659715776e0d78be30ee0816f8ab2be72e63df45752c4bce18ffb7d06b0898dcbae9480b81a7702a4b90faf22f0a2004320ae17339b9c

Download Submit
memory/1192-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1192-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1192-56-0x00000000003B0000-0x00000000003BF000-memory.dmp

Filesize
60KB

Download
memory/1192-57-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1192-58-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1192-60-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download