b01964c1f3a03cd2dfbf38b0a338fea8d7acc134bede135eaf818b4170e45418

Analysis

max time kernel
30s
max time network
55s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b01964c1f3a03cd2dfbf38b0a338fea8d7acc134bede135eaf818b4170e45418.exe
Size

72KB
MD5

9aef2d2ea0fa8446b88256730ce3a64c
SHA1

205dd5c584fac8427b702aad89547118e0692119
SHA256

b01964c1f3a03cd2dfbf38b0a338fea8d7acc134bede135eaf818b4170e45418
SHA512

839c9b0f12090519b5c3b51a4722622194b93683d5c61ed01904d322d8330d464fe5a635dbb5b97411d7537b5e0fff0892c332bfb10c248ef110072dbd336983
SSDEEP

1536:K1UfG4FtE/r/I6uVOrFeGEIIwodsohNt4ZMwyVt:S4/2r/InpfINoz5wu

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
576	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 576	2036	b01964c1f3a03cd2dfbf38b0a338fea8d7acc134bede135eaf818b4170e45418.exe	28
PID 2036 wrote to memory of 576	2036	b01964c1f3a03cd2dfbf38b0a338fea8d7acc134bede135eaf818b4170e45418.exe	28
PID 2036 wrote to memory of 576	2036	b01964c1f3a03cd2dfbf38b0a338fea8d7acc134bede135eaf818b4170e45418.exe	28
PID 2036 wrote to memory of 576	2036	b01964c1f3a03cd2dfbf38b0a338fea8d7acc134bede135eaf818b4170e45418.exe	28

C:\Users\Admin\AppData\Local\Temp\b01964c1f3a03cd2dfbf38b0a338fea8d7acc134bede135eaf818b4170e45418.exe
"C:\Users\Admin\AppData\Local\Temp\b01964c1f3a03cd2dfbf38b0a338fea8d7acc134bede135eaf818b4170e45418.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Mmp..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mmp..bat

Filesize
274B

MD5
73fbc0a751ef53341ed1812b21eb188b

SHA1
3326f6b29ee7eb07a3dfed2842ecf71c5fae9d37

SHA256
eba348486a112ebfffd8bd4ff14e5599621d207d9fdb508425a31958b29c602b

SHA512
218e649c14324fef641bff8c64294cac7eaac958a8e37717991c9c0d2d4f42675323c5b47bd7cb455e32329a1c70cab696ec851b670f7d8529530561f63e5550

Download Submit
memory/2036-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2036-55-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/2036-56-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/2036-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2036-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2036-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download