c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f

Analysis

max time kernel
204s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 17:54

Target

c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe
Size

748KB
MD5

301b0dab00fb156f198d5d9d0fb7cf79
SHA1

22598d24d8ce5a3fc6a9ebd17c5efd792121295c
SHA256

c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f
SHA512

d17ce3876368d85cf57a6a10e8d190e52499aac570ba6d8746a52ecea7872fab3321575ce42a63b54654b33765a8c420259544319a1e2bff5cd4b3fab1366240
SSDEEP

12288:JuHnyT6D/ST2vV3tnBTEFqF2RKxBoyVpqyAcEF5SvjVTfAc6Xiy1Bsz:JuHny6/SwtnbFiKxKyVIyUUjNfAc6XjU

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2144	taskkill.exe
372	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4796	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe
4796	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4796	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe
4796	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 3780	4796	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	83
PID 4796 wrote to memory of 3780	4796	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	83
PID 4796 wrote to memory of 3780	4796	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	83
PID 4796 wrote to memory of 3472	4796	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	84
PID 4796 wrote to memory of 3472	4796	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	84
PID 4796 wrote to memory of 3472	4796	c7bef02fa90103e9f8dc2240ed8e8ce81cce7b25f3536f6ea8a3279e4c92602f.exe	84
PID 3780 wrote to memory of 372	3780	cmd.exe	89
PID 3780 wrote to memory of 372	3780	cmd.exe	89
PID 3780 wrote to memory of 372	3780	cmd.exe	89
PID 3472 wrote to memory of 2144	3472	cmd.exe	88
PID 3472 wrote to memory of 2144	3472	cmd.exe	88
PID 3472 wrote to memory of 2144	3472	cmd.exe	88

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/4796-132-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/4796-137-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download