329e752c0998fc15ed6f12f49565d1f5ea5796aca1f238ce7fa1581ba6dd99d7

Analysis

max time kernel
2s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 10:41

Target

329e752c0998fc15ed6f12f49565d1f5ea5796aca1f238ce7fa1581ba6dd99d7.exe
Size

2.5MB
MD5

098c1975009ed8ed21c5231b5cee246c
SHA1

9b10095a5a0289b2bd68812082ae05686c1dd5b2
SHA256

329e752c0998fc15ed6f12f49565d1f5ea5796aca1f238ce7fa1581ba6dd99d7
SHA512

8808b84a03032ea1e1603654694f4713ba690958a9d3f1a98c9301521223ea792a17cc9b8120a22e8095bcce3bb8a9fb81ca73149a99471208d888591281d15e
SSDEEP

49152:fzi2s06WmGTlGlJfsrCgK+hz+luMCWumjv//la3nx5dlLuCL3pSBs5cljx8Ez:fziRrqi+hCluMCUE3HPuCL5Saajxdz

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1272	1772	329e752c0998fc15ed6f12f49565d1f5ea5796aca1f238ce7fa1581ba6dd99d7.exe	28
PID 1772 wrote to memory of 1272	1772	329e752c0998fc15ed6f12f49565d1f5ea5796aca1f238ce7fa1581ba6dd99d7.exe	28
PID 1772 wrote to memory of 1272	1772	329e752c0998fc15ed6f12f49565d1f5ea5796aca1f238ce7fa1581ba6dd99d7.exe	28
PID 1772 wrote to memory of 1272	1772	329e752c0998fc15ed6f12f49565d1f5ea5796aca1f238ce7fa1581ba6dd99d7.exe	28
PID 1772 wrote to memory of 1272	1772	329e752c0998fc15ed6f12f49565d1f5ea5796aca1f238ce7fa1581ba6dd99d7.exe	28
PID 1772 wrote to memory of 1272	1772	329e752c0998fc15ed6f12f49565d1f5ea5796aca1f238ce7fa1581ba6dd99d7.exe	28
PID 1772 wrote to memory of 1272	1772	329e752c0998fc15ed6f12f49565d1f5ea5796aca1f238ce7fa1581ba6dd99d7.exe	28
PID 1272 wrote to memory of 2044	1272	Net.exe	30
PID 1272 wrote to memory of 2044	1272	Net.exe	30
PID 1272 wrote to memory of 2044	1272	Net.exe	30
PID 1272 wrote to memory of 2044	1272	Net.exe	30
PID 1272 wrote to memory of 2044	1272	Net.exe	30
PID 1272 wrote to memory of 2044	1272	Net.exe	30
PID 1272 wrote to memory of 2044	1272	Net.exe	30

C:\Users\Admin\AppData\Local\Temp\329e752c0998fc15ed6f12f49565d1f5ea5796aca1f238ce7fa1581ba6dd99d7.exe
"C:\Users\Admin\AppData\Local\Temp\329e752c0998fc15ed6f12f49565d1f5ea5796aca1f238ce7fa1581ba6dd99d7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:2044

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1772-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download