798ffd3ac9479390a0db05d616713d76827d45db3ea05b71b4ff97436ae623dc

Analysis

max time kernel
11s
max time network
49s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 10:42

Target

798ffd3ac9479390a0db05d616713d76827d45db3ea05b71b4ff97436ae623dc.exe
Size

2.9MB
MD5

4bb879e0dc5dbdb274a4bd6469e07ce6
SHA1

8cf7427f0e317cfaa315fb265d6c6c22e53586df
SHA256

798ffd3ac9479390a0db05d616713d76827d45db3ea05b71b4ff97436ae623dc
SHA512

dcc572df3b01359d44a5000c377e962025339719e34d396f5d210304ca9d286d10dcbefb4020b810fafc9f695cb11f0dfc356135e62f2590b727dbcd72f040ff
SSDEEP

49152:Ycy52F1BcT8Jhdk0DR3sTT269x5IoJhsUqhVIiExSJ4vb4MQ5mz:Yc3hjDR8n26h3EVpQH1Qo

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 1208	936	798ffd3ac9479390a0db05d616713d76827d45db3ea05b71b4ff97436ae623dc.exe	28
PID 936 wrote to memory of 1208	936	798ffd3ac9479390a0db05d616713d76827d45db3ea05b71b4ff97436ae623dc.exe	28
PID 936 wrote to memory of 1208	936	798ffd3ac9479390a0db05d616713d76827d45db3ea05b71b4ff97436ae623dc.exe	28
PID 936 wrote to memory of 1208	936	798ffd3ac9479390a0db05d616713d76827d45db3ea05b71b4ff97436ae623dc.exe	28
PID 936 wrote to memory of 1208	936	798ffd3ac9479390a0db05d616713d76827d45db3ea05b71b4ff97436ae623dc.exe	28
PID 936 wrote to memory of 1208	936	798ffd3ac9479390a0db05d616713d76827d45db3ea05b71b4ff97436ae623dc.exe	28
PID 936 wrote to memory of 1208	936	798ffd3ac9479390a0db05d616713d76827d45db3ea05b71b4ff97436ae623dc.exe	28
PID 1208 wrote to memory of 316	1208	Net.exe	30
PID 1208 wrote to memory of 316	1208	Net.exe	30
PID 1208 wrote to memory of 316	1208	Net.exe	30
PID 1208 wrote to memory of 316	1208	Net.exe	30
PID 1208 wrote to memory of 316	1208	Net.exe	30
PID 1208 wrote to memory of 316	1208	Net.exe	30
PID 1208 wrote to memory of 316	1208	Net.exe	30

C:\Users\Admin\AppData\Local\Temp\798ffd3ac9479390a0db05d616713d76827d45db3ea05b71b4ff97436ae623dc.exe
"C:\Users\Admin\AppData\Local\Temp\798ffd3ac9479390a0db05d616713d76827d45db3ea05b71b4ff97436ae623dc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:316

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/936-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download