c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f

Analysis

max time kernel
32s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 17:54

Target

c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe
Size

748KB
MD5

301b0dab00fb156f198d5d9d0fb7cf79
SHA1

22598d24d8ce5a3fc6a9ebd17c5efd792121295c
SHA256

c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f
SHA512

d17ce3876368d85cf57a6a10e8d190e52499aac570ba6d8746a52ecea7872fab3321575ce42a63b54654b33765a8c420259544319a1e2bff5cd4b3fab1366240
SSDEEP

12288:JuHnyT6D/ST2vV3tnBTEFqF2RKxBoyVpqyAcEF5SvjVTfAc6Xiy1Bsz:JuHny6/SwtnbFiKxKyVIyUUjNfAc6XjU

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
332	taskkill.exe
576	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
976	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	332	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1896	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
976	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe
976	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1764	976	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	28
PID 976 wrote to memory of 1764	976	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	28
PID 976 wrote to memory of 1764	976	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	28
PID 976 wrote to memory of 1764	976	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	28
PID 976 wrote to memory of 1076	976	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	29
PID 976 wrote to memory of 1076	976	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	29
PID 976 wrote to memory of 1076	976	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	29
PID 976 wrote to memory of 1076	976	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	29
PID 1764 wrote to memory of 332	1764	cmd.exe	32
PID 1764 wrote to memory of 332	1764	cmd.exe	32
PID 1764 wrote to memory of 332	1764	cmd.exe	32
PID 1764 wrote to memory of 332	1764	cmd.exe	32
PID 1076 wrote to memory of 576	1076	cmd.exe	33
PID 1076 wrote to memory of 576	1076	cmd.exe	33
PID 1076 wrote to memory of 576	1076	cmd.exe	33
PID 1076 wrote to memory of 576	1076	cmd.exe	33

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1896

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\Documents\tu.jpg

Filesize
38KB

MD5
334d5e5d0db116e5c7fd436ec423d214

SHA1
427ef99b8db4d8091e05d2577a746448394352ce

SHA256
97c76f952b694e317ce2c650926898b26daf25e47d40d15151edf5c9839dd85a

SHA512
06723d5e3871b569c22bfbc41ed647aab38874df0dfc85ad55121cbd57dfc21b23c64294d77af3d5fdff7ed246fb0356662c0acbee5f5950b7f3ad736b4d9b33

Download Submit
memory/976-54-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/976-55-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/976-61-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download