eabf5a09203b25a4aed5409e14d4892d1e359ee8bd47da76930fe487c78981b5

Analysis

max time kernel
31s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 10:41

Target

eabf5a09203b25a4aed5409e14d4892d1e359ee8bd47da76930fe487c78981b5.exe
Size

2.5MB
MD5

5c082e71b91173e82a3818b6f767dc33
SHA1

7aadd7cc1ffe12cdc824aa7c4bc536aedd8149cd
SHA256

eabf5a09203b25a4aed5409e14d4892d1e359ee8bd47da76930fe487c78981b5
SHA512

5d8fd2a64cbf39d4ccc6b39af97ee74f2f8b774836e9ed4fe606d4ee62db2dfe77405fb1d5b329ed3a92d31f0cfcf80cc486f58ea1209bf9ba07ba498d0b706d
SSDEEP

49152:fzi2s06WKGTbG7TMpRVO45FJxYM300G3PJxdO3uc9/2Y2:fzi9J7wPVL5FhcPJO3ucIY2

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1284	1780	eabf5a09203b25a4aed5409e14d4892d1e359ee8bd47da76930fe487c78981b5.exe	28
PID 1780 wrote to memory of 1284	1780	eabf5a09203b25a4aed5409e14d4892d1e359ee8bd47da76930fe487c78981b5.exe	28
PID 1780 wrote to memory of 1284	1780	eabf5a09203b25a4aed5409e14d4892d1e359ee8bd47da76930fe487c78981b5.exe	28
PID 1780 wrote to memory of 1284	1780	eabf5a09203b25a4aed5409e14d4892d1e359ee8bd47da76930fe487c78981b5.exe	28
PID 1780 wrote to memory of 1284	1780	eabf5a09203b25a4aed5409e14d4892d1e359ee8bd47da76930fe487c78981b5.exe	28
PID 1780 wrote to memory of 1284	1780	eabf5a09203b25a4aed5409e14d4892d1e359ee8bd47da76930fe487c78981b5.exe	28
PID 1780 wrote to memory of 1284	1780	eabf5a09203b25a4aed5409e14d4892d1e359ee8bd47da76930fe487c78981b5.exe	28
PID 1284 wrote to memory of 1340	1284	Net.exe	30
PID 1284 wrote to memory of 1340	1284	Net.exe	30
PID 1284 wrote to memory of 1340	1284	Net.exe	30
PID 1284 wrote to memory of 1340	1284	Net.exe	30
PID 1284 wrote to memory of 1340	1284	Net.exe	30
PID 1284 wrote to memory of 1340	1284	Net.exe	30
PID 1284 wrote to memory of 1340	1284	Net.exe	30

C:\Users\Admin\AppData\Local\Temp\eabf5a09203b25a4aed5409e14d4892d1e359ee8bd47da76930fe487c78981b5.exe
"C:\Users\Admin\AppData\Local\Temp\eabf5a09203b25a4aed5409e14d4892d1e359ee8bd47da76930fe487c78981b5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:1340

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1284-55-0x0000000000000000-mapping.dmp

Download
memory/1340-57-0x0000000000000000-mapping.dmp

Download
memory/1780-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download