49b50c8bce87ec5552354fe5ee81bf5fe35ba5da312cb7b6683853b770df5b95

Analysis

max time kernel
4s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 10:47

Target

49b50c8bce87ec5552354fe5ee81bf5fe35ba5da312cb7b6683853b770df5b95.exe
Size

2.3MB
MD5

0d019364ff736da70519ab93ada152dc
SHA1

b84b8ebf01fbec78ba116db195fa70d5524bda21
SHA256

49b50c8bce87ec5552354fe5ee81bf5fe35ba5da312cb7b6683853b770df5b95
SHA512

8ea572dfa3dc53c38ca61e963835f88ca6a512e103e394bafc500415c060835b08521babeffb1ab1604949242b69fcaf86b2f75e60108a2ab65b89c49835e6dd
SSDEEP

49152:fzi2s06W1GT4jpa9VHQsXTdF45Vx9syU4OsMvfHRrGe51AaKMsOnqdTRXe:fziGhg9hF4Tg4feGecafsOnATRXe

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 892	944	49b50c8bce87ec5552354fe5ee81bf5fe35ba5da312cb7b6683853b770df5b95.exe	28
PID 944 wrote to memory of 892	944	49b50c8bce87ec5552354fe5ee81bf5fe35ba5da312cb7b6683853b770df5b95.exe	28
PID 944 wrote to memory of 892	944	49b50c8bce87ec5552354fe5ee81bf5fe35ba5da312cb7b6683853b770df5b95.exe	28
PID 944 wrote to memory of 892	944	49b50c8bce87ec5552354fe5ee81bf5fe35ba5da312cb7b6683853b770df5b95.exe	28
PID 944 wrote to memory of 892	944	49b50c8bce87ec5552354fe5ee81bf5fe35ba5da312cb7b6683853b770df5b95.exe	28
PID 944 wrote to memory of 892	944	49b50c8bce87ec5552354fe5ee81bf5fe35ba5da312cb7b6683853b770df5b95.exe	28
PID 944 wrote to memory of 892	944	49b50c8bce87ec5552354fe5ee81bf5fe35ba5da312cb7b6683853b770df5b95.exe	28
PID 892 wrote to memory of 560	892	Net.exe	30
PID 892 wrote to memory of 560	892	Net.exe	30
PID 892 wrote to memory of 560	892	Net.exe	30
PID 892 wrote to memory of 560	892	Net.exe	30
PID 892 wrote to memory of 560	892	Net.exe	30
PID 892 wrote to memory of 560	892	Net.exe	30
PID 892 wrote to memory of 560	892	Net.exe	30

C:\Users\Admin\AppData\Local\Temp\49b50c8bce87ec5552354fe5ee81bf5fe35ba5da312cb7b6683853b770df5b95.exe
"C:\Users\Admin\AppData\Local\Temp\49b50c8bce87ec5552354fe5ee81bf5fe35ba5da312cb7b6683853b770df5b95.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:560

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/944-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download