976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92

Analysis

max time kernel
3s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 10:47

Target

976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe
Size

4.2MB
MD5

1f06e8241b23ea4b8d201fe24a226297
SHA1

3af0e57f43026a9a06e55f5c8ab8f57028179b21
SHA256

976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92
SHA512

29639a9e66217f3afc71e89b61d5a1fbaa77a5abb85dd45402e4fcf46a5aec2b47c531b67698fc7274ecb111b4d27452bdace90892674a0a8f11f3b28133b280
SSDEEP

98304:fziRRJruXmuiaT5a45SOmnL0YH/f5jsKZo4ZvygUT/yqlm6+:Li5rMT5ahnLRVsAo4ZvyZTjK

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2028	1228	976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe	28
PID 1228 wrote to memory of 2028	1228	976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe	28
PID 1228 wrote to memory of 2028	1228	976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe	28
PID 1228 wrote to memory of 2028	1228	976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe	28
PID 1228 wrote to memory of 2028	1228	976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe	28
PID 1228 wrote to memory of 2028	1228	976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe	28
PID 1228 wrote to memory of 2028	1228	976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe	28
PID 2028 wrote to memory of 628	2028	Net.exe	30
PID 2028 wrote to memory of 628	2028	Net.exe	30
PID 2028 wrote to memory of 628	2028	Net.exe	30
PID 2028 wrote to memory of 628	2028	Net.exe	30
PID 2028 wrote to memory of 628	2028	Net.exe	30
PID 2028 wrote to memory of 628	2028	Net.exe	30
PID 2028 wrote to memory of 628	2028	Net.exe	30

C:\Users\Admin\AppData\Local\Temp\976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe
"C:\Users\Admin\AppData\Local\Temp\976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:628

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1228-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download