579d13f3cd7acab8f6b9711c99fef396a325efad3a11a6cccb261437af1619a9

Analysis

max time kernel
227s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 15:46

Target

579d13f3cd7acab8f6b9711c99fef396a325efad3a11a6cccb261437af1619a9.exe
Size

1.6MB
MD5

9f9ff2c8998e81058d583369b7a496de
SHA1

8fc0b5f4d6100e438fc734eb2082ba237efe0652
SHA256

579d13f3cd7acab8f6b9711c99fef396a325efad3a11a6cccb261437af1619a9
SHA512

98235d57d8395d89e9da377a48129aaf97640ea4fdddae65c4b5e1ae330d4b6911272ac953284fa8e752e28e3e0075b0dc153393c587c9a04ac24ac5481697bc
SSDEEP

12288:8WHyGfJqDJLZCpzeCptoDFjmjRPTjRPyjBjjijBjBjBjBjLjVA7nNi6HCZoU9+kw:rqqNeK2DgA7nNxCZLYHkgiPgp

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1820 schtasks.exe

pid	process
1820	schtasks.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

579d13f3cd7acab8f6b9711c99fef396a325efad3a11a6cccb261437af1619a9.exe

description	pid	process	target process
PID 468 wrote to memory of 1820	468	579d13f3cd7acab8f6b9711c99fef396a325efad3a11a6cccb261437af1619a9.exe	schtasks.exe
PID 468 wrote to memory of 1820	468	579d13f3cd7acab8f6b9711c99fef396a325efad3a11a6cccb261437af1619a9.exe	schtasks.exe
PID 468 wrote to memory of 1820	468	579d13f3cd7acab8f6b9711c99fef396a325efad3a11a6cccb261437af1619a9.exe	schtasks.exe
PID 468 wrote to memory of 1820	468	579d13f3cd7acab8f6b9711c99fef396a325efad3a11a6cccb261437af1619a9.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\579d13f3cd7acab8f6b9711c99fef396a325efad3a11a6cccb261437af1619a9.exe
"C:\Users\Admin\AppData\Local\Temp\579d13f3cd7acab8f6b9711c99fef396a325efad3a11a6cccb261437af1619a9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\puJzcbEe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD07A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1820

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1656

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\tmpD07A.tmp

Filesize
1KB

MD5
5a73095591ba33b9067666d80f95caf6

SHA1
e65fd1b4ad01f57fa92d0841b22552934d71f740

SHA256
632eeb86ee5313279e65c1f93fef4f787bffe727b9ea06896ca2a4a0ac1b68ed

SHA512
daa44d28b881d06e45f0f9d27b6665cd275bd43a38fab116b80f1bff790a4cf3031a0f0be33aeff0d17a68f8696aee0bdfcc65943912dc73e4735a7143375137

Download Submit
memory/468-54-0x0000000000890000-0x0000000000A38000-memory.dmp

Filesize
1.7MB

Download
memory/468-55-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download
memory/468-56-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/468-57-0x00000000074B0000-0x000000000750C000-memory.dmp

Filesize
368KB

Download
memory/1820-58-0x0000000000000000-mapping.dmp

Download