a81219b51f0dc7f516fbce7017649433af768da5851d1f917fd585f2fbdbc95a

Analysis

max time kernel
42s
max time network
51s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 12:29

Target

a81219b51f0dc7f516fbce7017649433af768da5851d1f917fd585f2fbdbc95a.exe
Size

76KB
MD5

7dc62c8344915cf2050173852e04701d
SHA1

bcc38d454f46bffaa064e9e5609ee561fcb8e9c6
SHA256

a81219b51f0dc7f516fbce7017649433af768da5851d1f917fd585f2fbdbc95a
SHA512

926f7cdd7c326b4dc4ef250b3b4b63e11dbed6a702da601bb86ea83e331df5b1c5a04a943b39511ea6f4c70634356152b40651a4ca5ce3dbd73b0a153b0e5621
SSDEEP

1536:Pnd47nXPeFCi0Jn+mIeTs3xEXf6/Dj6r/q97vKux7N+bpAn1gAL:Pdk9Q8sSv6D2rCvXx5+beL

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1324	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1324	1296	a81219b51f0dc7f516fbce7017649433af768da5851d1f917fd585f2fbdbc95a.exe	27
PID 1296 wrote to memory of 1324	1296	a81219b51f0dc7f516fbce7017649433af768da5851d1f917fd585f2fbdbc95a.exe	27
PID 1296 wrote to memory of 1324	1296	a81219b51f0dc7f516fbce7017649433af768da5851d1f917fd585f2fbdbc95a.exe	27
PID 1296 wrote to memory of 1324	1296	a81219b51f0dc7f516fbce7017649433af768da5851d1f917fd585f2fbdbc95a.exe	27

C:\Users\Admin\AppData\Local\Temp\a81219b51f0dc7f516fbce7017649433af768da5851d1f917fd585f2fbdbc95a.exe
"C:\Users\Admin\AppData\Local\Temp\a81219b51f0dc7f516fbce7017649433af768da5851d1f917fd585f2fbdbc95a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Hmf..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1324

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Hmf..bat

Filesize
274B

MD5
c3765b56f227a03260f30ac0cc2ff50e

SHA1
3973ba5f41448319c615f41692c9f56a4e8edf66

SHA256
08c7db578379975bdc770dddfceae1e10d7ec42ff3e2322e28d7f0ef04a2c017

SHA512
e7a251ad14e4467f95bf163eb48b9691dfa040756f7701d072eb48c55127309f63f786a6dc31769407a6d4aaa38a806d919e6723023be6e72e47e88e3c71a037

Download Submit
memory/1296-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/1296-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1296-56-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1296-58-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download