4d51c44cfdbdf3247cb2472f5af6ab748d3c9c4eb81d077ae7c3680e2fb480bd

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 09:14

Target

4d51c44cfdbdf3247cb2472f5af6ab748d3c9c4eb81d077ae7c3680e2fb480bd.exe
Size

80KB
MD5

39e756a9210ee1dbfb9d51cabb9cf930
SHA1

57376434a78fe266ece8492b7f7ebfa3552f9f0f
SHA256

4d51c44cfdbdf3247cb2472f5af6ab748d3c9c4eb81d077ae7c3680e2fb480bd
SHA512

9ad21d34ff14700328da016b7e5cbff3c8742cae4cc295e0c790143919da2319473535da24cc77d63dbcea5dea80a62ea417a130eb035970b7d6c1dae2382cf3
SSDEEP

1536:EgyNXqjFRsQN9NkcIYkWOyuHDSwcX+2eZdU4mr:Eg8QTr3LfuHWwH2ehe

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1616	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1616	1644	4d51c44cfdbdf3247cb2472f5af6ab748d3c9c4eb81d077ae7c3680e2fb480bd.exe	28
PID 1644 wrote to memory of 1616	1644	4d51c44cfdbdf3247cb2472f5af6ab748d3c9c4eb81d077ae7c3680e2fb480bd.exe	28
PID 1644 wrote to memory of 1616	1644	4d51c44cfdbdf3247cb2472f5af6ab748d3c9c4eb81d077ae7c3680e2fb480bd.exe	28
PID 1644 wrote to memory of 1616	1644	4d51c44cfdbdf3247cb2472f5af6ab748d3c9c4eb81d077ae7c3680e2fb480bd.exe	28
PID 1644 wrote to memory of 1616	1644	4d51c44cfdbdf3247cb2472f5af6ab748d3c9c4eb81d077ae7c3680e2fb480bd.exe	28
PID 1644 wrote to memory of 1616	1644	4d51c44cfdbdf3247cb2472f5af6ab748d3c9c4eb81d077ae7c3680e2fb480bd.exe	28
PID 1644 wrote to memory of 1616	1644	4d51c44cfdbdf3247cb2472f5af6ab748d3c9c4eb81d077ae7c3680e2fb480bd.exe	28

C:\Users\Admin\AppData\Local\Temp\4d51c44cfdbdf3247cb2472f5af6ab748d3c9c4eb81d077ae7c3680e2fb480bd.exe
"C:\Users\Admin\AppData\Local\Temp\4d51c44cfdbdf3247cb2472f5af6ab748d3c9c4eb81d077ae7c3680e2fb480bd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ypz..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1616

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Ypz..bat

Filesize
274B

MD5
5341383963325afa29f70b97e1b9eb8e

SHA1
bce9e617ac3229f956b1638ca5638eb65249a767

SHA256
2adf2974c1a06f65315735e0d18bfd6576bcee85e9623fb667afe4dba1c76a84

SHA512
c7931d8280becf3e3072f4317a3e0cedaaa9196201f8eefef7aa815618861af93313130b361ab85192be74d5d69c4d4107a76071f28f910a26f553273b9a744a

Download Submit
memory/1644-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1644-55-0x0000000000350000-0x0000000000373000-memory.dmp

Filesize
140KB

Download
memory/1644-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1644-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download