c22f364f72567cbf7754526c3e3a121e66ccf22c5df34d8bbb646070320b4794

Analysis

max time kernel
34s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 12:03

Target

c22f364f72567cbf7754526c3e3a121e66ccf22c5df34d8bbb646070320b4794.exe
Size

552KB
MD5

9e6a397372c1d9fa9e46a0b8c62b9dc1
SHA1

40709668310509c3f4035e7b5b10acd3ba2b282c
SHA256

c22f364f72567cbf7754526c3e3a121e66ccf22c5df34d8bbb646070320b4794
SHA512

04b0de72bc1a8667575e9139d708a0ee19611d9bb32889607bead41721bb63f7876c4496c0c6e5c5185d15eb824fc6795dfd3b910cfa356a426fdedac42048e9
SSDEEP

12288:1c9JkIYrzuUmTNBKec8GN2n99LNWmQdNLIt1b1dEwb7:WIIGFmTNBKec92nPLNWmQdNK15dL

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2008	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 2008	872	c22f364f72567cbf7754526c3e3a121e66ccf22c5df34d8bbb646070320b4794.exe	29
PID 872 wrote to memory of 2008	872	c22f364f72567cbf7754526c3e3a121e66ccf22c5df34d8bbb646070320b4794.exe	29
PID 872 wrote to memory of 2008	872	c22f364f72567cbf7754526c3e3a121e66ccf22c5df34d8bbb646070320b4794.exe	29
PID 872 wrote to memory of 2008	872	c22f364f72567cbf7754526c3e3a121e66ccf22c5df34d8bbb646070320b4794.exe	29

C:\Users\Admin\AppData\Local\Temp\c22f364f72567cbf7754526c3e3a121e66ccf22c5df34d8bbb646070320b4794.exe
"C:\Users\Admin\AppData\Local\Temp\c22f364f72567cbf7754526c3e3a121e66ccf22c5df34d8bbb646070320b4794.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$336699.bat
  2⤵
  - Deletes itself
  PID:2008

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\$$336699.bat

Filesize
294B

MD5
e6787395f2daabe1c6cf65b739526487

SHA1
c851267a4f0d71aea0411c71b288e48d41f6f775

SHA256
107736261c055847bcd47f5e7649c8d61c2b10f3b86e1dbcb8cf4c56cadcc18d

SHA512
8d7073aadfc1da6452b4dc4838a1263d7f1dd7b183e0b58370aa0c0ff9eecbf749d7b5f7ce0141ef09dccf342236d2801af512dba567d2cbf1b0642b3083807a

Download Submit
memory/872-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download