a1fb9295e18211bc2c527dffa792b3b54d23e7d9e65e70bbb4e3d25563482e81

Analysis

max time kernel
42s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 10:42

Target

a1fb9295e18211bc2c527dffa792b3b54d23e7d9e65e70bbb4e3d25563482e81.exe
Size

1.7MB
MD5

30f51801540205082b7de656892e25c1
SHA1

49ab51fd81796ce7504adec703ea5fe7860ce4d1
SHA256

a1fb9295e18211bc2c527dffa792b3b54d23e7d9e65e70bbb4e3d25563482e81
SHA512

f462ff507ae558258c2f80365ca7699112ae677af70d8633deb76f7811e85cbed20f7bb351be49c4ae6d3b25d59deaaf9131123a3c7fe2ba75f554eba7497512
SSDEEP

49152:Ycy52F1BZTXGvtS05ElScIzyv+QTvG31v4sR11pJ:YccvtStIcP9bIvxVb

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 700	1200	a1fb9295e18211bc2c527dffa792b3b54d23e7d9e65e70bbb4e3d25563482e81.exe	28
PID 1200 wrote to memory of 700	1200	a1fb9295e18211bc2c527dffa792b3b54d23e7d9e65e70bbb4e3d25563482e81.exe	28
PID 1200 wrote to memory of 700	1200	a1fb9295e18211bc2c527dffa792b3b54d23e7d9e65e70bbb4e3d25563482e81.exe	28
PID 1200 wrote to memory of 700	1200	a1fb9295e18211bc2c527dffa792b3b54d23e7d9e65e70bbb4e3d25563482e81.exe	28
PID 1200 wrote to memory of 700	1200	a1fb9295e18211bc2c527dffa792b3b54d23e7d9e65e70bbb4e3d25563482e81.exe	28
PID 1200 wrote to memory of 700	1200	a1fb9295e18211bc2c527dffa792b3b54d23e7d9e65e70bbb4e3d25563482e81.exe	28
PID 1200 wrote to memory of 700	1200	a1fb9295e18211bc2c527dffa792b3b54d23e7d9e65e70bbb4e3d25563482e81.exe	28
PID 700 wrote to memory of 1512	700	Net.exe	30
PID 700 wrote to memory of 1512	700	Net.exe	30
PID 700 wrote to memory of 1512	700	Net.exe	30
PID 700 wrote to memory of 1512	700	Net.exe	30
PID 700 wrote to memory of 1512	700	Net.exe	30
PID 700 wrote to memory of 1512	700	Net.exe	30
PID 700 wrote to memory of 1512	700	Net.exe	30

C:\Users\Admin\AppData\Local\Temp\a1fb9295e18211bc2c527dffa792b3b54d23e7d9e65e70bbb4e3d25563482e81.exe
"C:\Users\Admin\AppData\Local\Temp\a1fb9295e18211bc2c527dffa792b3b54d23e7d9e65e70bbb4e3d25563482e81.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:1512

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1200-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download