f00cb4a6a8056029a3cfd5a070a1eeb72a018c3b64523ef050c8008fcc560396

Analysis

max time kernel
47s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 18:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f00cb4a6a8056029a3cfd5a070a1eeb72a018c3b64523ef050c8008fcc560396.exe
Size

21KB
MD5

94e62f52d89f79fc22318b22263b2aae
SHA1

7d3b8570731ca203cd7d07bde27c9582d38e6f2e
SHA256

f00cb4a6a8056029a3cfd5a070a1eeb72a018c3b64523ef050c8008fcc560396
SHA512

ade945f254f497b15afa8ef4281f7813ad3aa4511809c1a6c60421c62b527d799133fe31e50183829ecc7fa0e1d8dc5970f8f112d7a881aa6673757bf706eb10
SSDEEP

384:or9sOcIp6wRcsSYLvKWLWbstQTid6HJyraXkqdkJ7PNWouwpw+aNJawcudoD7U2:0mOhplcsHvKWzX6HJmFqda7koQPnbcut

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/960-59-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1376	960	f00cb4a6a8056029a3cfd5a070a1eeb72a018c3b64523ef050c8008fcc560396.exe	27
PID 960 wrote to memory of 1376	960	f00cb4a6a8056029a3cfd5a070a1eeb72a018c3b64523ef050c8008fcc560396.exe	27
PID 960 wrote to memory of 1376	960	f00cb4a6a8056029a3cfd5a070a1eeb72a018c3b64523ef050c8008fcc560396.exe	27
PID 960 wrote to memory of 1376	960	f00cb4a6a8056029a3cfd5a070a1eeb72a018c3b64523ef050c8008fcc560396.exe	27
PID 960 wrote to memory of 1376	960	f00cb4a6a8056029a3cfd5a070a1eeb72a018c3b64523ef050c8008fcc560396.exe	27
PID 960 wrote to memory of 1376	960	f00cb4a6a8056029a3cfd5a070a1eeb72a018c3b64523ef050c8008fcc560396.exe	27
PID 960 wrote to memory of 1376	960	f00cb4a6a8056029a3cfd5a070a1eeb72a018c3b64523ef050c8008fcc560396.exe	27
PID 1376 wrote to memory of 280	1376	cmd.exe	29
PID 1376 wrote to memory of 280	1376	cmd.exe	29
PID 1376 wrote to memory of 280	1376	cmd.exe	29
PID 1376 wrote to memory of 280	1376	cmd.exe	29
PID 280 wrote to memory of 904	280	net.exe	30
PID 280 wrote to memory of 904	280	net.exe	30
PID 280 wrote to memory of 904	280	net.exe	30
PID 280 wrote to memory of 904	280	net.exe	30

C:\Users\Admin\AppData\Local\Temp\f00cb4a6a8056029a3cfd5a070a1eeb72a018c3b64523ef050c8008fcc560396.exe
"C:\Users\Admin\AppData\Local\Temp\f00cb4a6a8056029a3cfd5a070a1eeb72a018c3b64523ef050c8008fcc560396.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\F5C5.tmp\Windows Update.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\net.exe
    net stop windefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop windefend
      4⤵
      PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F5C5.tmp\Windows Update.bat

Filesize
39B

MD5
f919170872fda7d58779ca4854c09403

SHA1
749b614186660977d1ddfeee0fd21a2faad01ddc

SHA256
b8f6e7ba63a70910b6369172b918d9af4bbed5c7f16a3e97e2e1c2f85f89bbbe

SHA512
b07458eaf4c785c556e30e49d9831ede3891c50c4c95ae9141585212056fd460fc8edc4dffbe255fa83da0fbc5fb0ef94b0d8313745e6d276770b54b883dfe54

Download Submit
memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/960-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download