a15adfe1b10333a90c3697c28616fd1f5349081ed6c0ea979b5e6cefebdf16ab

Analysis

max time kernel
47s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 10:46

Target

a15adfe1b10333a90c3697c28616fd1f5349081ed6c0ea979b5e6cefebdf16ab.exe
Size

1.7MB
MD5

365c14d8e4a7e33e0f02d39ace424aa7
SHA1

7f92154de7e33ca2a20fedfbf2c8d8ac87a8849c
SHA256

a15adfe1b10333a90c3697c28616fd1f5349081ed6c0ea979b5e6cefebdf16ab
SHA512

95a341b9eded720f95f33aa51ccfa23649992c4345891857835486f84f833aa57ea6cad7b79419274d985625445860b353239ab2ae5b89332c9dc02ce8a992f1
SSDEEP

49152:fzi2s06W3GT13/HVrENsY+ZZXWS9+rSFx72:fziE0/HV/Z4y1a

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1208	1380	a15adfe1b10333a90c3697c28616fd1f5349081ed6c0ea979b5e6cefebdf16ab.exe	27
PID 1380 wrote to memory of 1208	1380	a15adfe1b10333a90c3697c28616fd1f5349081ed6c0ea979b5e6cefebdf16ab.exe	27
PID 1380 wrote to memory of 1208	1380	a15adfe1b10333a90c3697c28616fd1f5349081ed6c0ea979b5e6cefebdf16ab.exe	27
PID 1380 wrote to memory of 1208	1380	a15adfe1b10333a90c3697c28616fd1f5349081ed6c0ea979b5e6cefebdf16ab.exe	27
PID 1380 wrote to memory of 1208	1380	a15adfe1b10333a90c3697c28616fd1f5349081ed6c0ea979b5e6cefebdf16ab.exe	27
PID 1380 wrote to memory of 1208	1380	a15adfe1b10333a90c3697c28616fd1f5349081ed6c0ea979b5e6cefebdf16ab.exe	27
PID 1380 wrote to memory of 1208	1380	a15adfe1b10333a90c3697c28616fd1f5349081ed6c0ea979b5e6cefebdf16ab.exe	27
PID 1208 wrote to memory of 936	1208	Net.exe	29
PID 1208 wrote to memory of 936	1208	Net.exe	29
PID 1208 wrote to memory of 936	1208	Net.exe	29
PID 1208 wrote to memory of 936	1208	Net.exe	29
PID 1208 wrote to memory of 936	1208	Net.exe	29
PID 1208 wrote to memory of 936	1208	Net.exe	29
PID 1208 wrote to memory of 936	1208	Net.exe	29

C:\Users\Admin\AppData\Local\Temp\a15adfe1b10333a90c3697c28616fd1f5349081ed6c0ea979b5e6cefebdf16ab.exe
"C:\Users\Admin\AppData\Local\Temp\a15adfe1b10333a90c3697c28616fd1f5349081ed6c0ea979b5e6cefebdf16ab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:936

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download