71d15e98af0ba3e5a5a4e6fded0145808f2d4ed846526cc8be249aedffae7366

Analysis

max time kernel
41s
max time network
106s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 10:41

Target

71d15e98af0ba3e5a5a4e6fded0145808f2d4ed846526cc8be249aedffae7366.exe
Size

3.7MB
MD5

bd061674235730624699848d45c83285
SHA1

8b4954ba4424609971f9eb0350474282b6bb9ec6
SHA256

71d15e98af0ba3e5a5a4e6fded0145808f2d4ed846526cc8be249aedffae7366
SHA512

98dc129ce8dcdb38b22ef9f8fe6b0a8dc59d23c61a7c941a7873a7fda89a11b743d49f1ce558913746431e2ad8dd334f9ac740fc8f97e1def849919b1f270a8e
SSDEEP

49152:fzi2s06WYGT1IBFSOBTHjCqb5UFlc93+0gKrWL4oTr9kVh6juFxFkSy7lK6w1zOD:fzirbM4qFe9nrWxqzFYXwoMpheH

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1004	1388	71d15e98af0ba3e5a5a4e6fded0145808f2d4ed846526cc8be249aedffae7366.exe	27
PID 1388 wrote to memory of 1004	1388	71d15e98af0ba3e5a5a4e6fded0145808f2d4ed846526cc8be249aedffae7366.exe	27
PID 1388 wrote to memory of 1004	1388	71d15e98af0ba3e5a5a4e6fded0145808f2d4ed846526cc8be249aedffae7366.exe	27
PID 1388 wrote to memory of 1004	1388	71d15e98af0ba3e5a5a4e6fded0145808f2d4ed846526cc8be249aedffae7366.exe	27
PID 1388 wrote to memory of 1004	1388	71d15e98af0ba3e5a5a4e6fded0145808f2d4ed846526cc8be249aedffae7366.exe	27
PID 1388 wrote to memory of 1004	1388	71d15e98af0ba3e5a5a4e6fded0145808f2d4ed846526cc8be249aedffae7366.exe	27
PID 1388 wrote to memory of 1004	1388	71d15e98af0ba3e5a5a4e6fded0145808f2d4ed846526cc8be249aedffae7366.exe	27
PID 1004 wrote to memory of 1168	1004	Net.exe	29
PID 1004 wrote to memory of 1168	1004	Net.exe	29
PID 1004 wrote to memory of 1168	1004	Net.exe	29
PID 1004 wrote to memory of 1168	1004	Net.exe	29
PID 1004 wrote to memory of 1168	1004	Net.exe	29
PID 1004 wrote to memory of 1168	1004	Net.exe	29
PID 1004 wrote to memory of 1168	1004	Net.exe	29

C:\Users\Admin\AppData\Local\Temp\71d15e98af0ba3e5a5a4e6fded0145808f2d4ed846526cc8be249aedffae7366.exe
"C:\Users\Admin\AppData\Local\Temp\71d15e98af0ba3e5a5a4e6fded0145808f2d4ed846526cc8be249aedffae7366.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:1168

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1388-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download