eb1588a4579c970c982e09c7bc6e202dbf062f258c34631c4cf35177ba02fb56

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 10:46

Target

eb1588a4579c970c982e09c7bc6e202dbf062f258c34631c4cf35177ba02fb56.exe
Size

5.4MB
MD5

24bb41007d043046118613ec65190b6c
SHA1

b9acb93636e07a80cd31fb76aa6732c2228d0c7f
SHA256

eb1588a4579c970c982e09c7bc6e202dbf062f258c34631c4cf35177ba02fb56
SHA512

19cbe3eef1953d05ef145d9ea29e5ddbd51feaa63e2d1e4f92c44457b70796fb9eb74223ecaec6adc816b0f9a1dabe10518721b55b210c650c84e05d5225dfe4
SSDEEP

98304:fziEg2WW58QRtdVuTfYxswwptSzioqUrH:LiU8OzVuzKct+qUrH

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1720	1708	eb1588a4579c970c982e09c7bc6e202dbf062f258c34631c4cf35177ba02fb56.exe	27
PID 1708 wrote to memory of 1720	1708	eb1588a4579c970c982e09c7bc6e202dbf062f258c34631c4cf35177ba02fb56.exe	27
PID 1708 wrote to memory of 1720	1708	eb1588a4579c970c982e09c7bc6e202dbf062f258c34631c4cf35177ba02fb56.exe	27
PID 1708 wrote to memory of 1720	1708	eb1588a4579c970c982e09c7bc6e202dbf062f258c34631c4cf35177ba02fb56.exe	27
PID 1708 wrote to memory of 1720	1708	eb1588a4579c970c982e09c7bc6e202dbf062f258c34631c4cf35177ba02fb56.exe	27
PID 1708 wrote to memory of 1720	1708	eb1588a4579c970c982e09c7bc6e202dbf062f258c34631c4cf35177ba02fb56.exe	27
PID 1708 wrote to memory of 1720	1708	eb1588a4579c970c982e09c7bc6e202dbf062f258c34631c4cf35177ba02fb56.exe	27
PID 1720 wrote to memory of 1224	1720	Net.exe	29
PID 1720 wrote to memory of 1224	1720	Net.exe	29
PID 1720 wrote to memory of 1224	1720	Net.exe	29
PID 1720 wrote to memory of 1224	1720	Net.exe	29
PID 1720 wrote to memory of 1224	1720	Net.exe	29
PID 1720 wrote to memory of 1224	1720	Net.exe	29
PID 1720 wrote to memory of 1224	1720	Net.exe	29

C:\Users\Admin\AppData\Local\Temp\eb1588a4579c970c982e09c7bc6e202dbf062f258c34631c4cf35177ba02fb56.exe
"C:\Users\Admin\AppData\Local\Temp\eb1588a4579c970c982e09c7bc6e202dbf062f258c34631c4cf35177ba02fb56.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:1224

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1708-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download