b84de1beb359051a0701801812bccfc0d3fb8c8bc17955838535736640615848

Analysis

max time kernel
48s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 18:54

Target

b84de1beb359051a0701801812bccfc0d3fb8c8bc17955838535736640615848.exe
Size

84KB
MD5

b889874bbe13c868bcab88949facc839
SHA1

3f00282ec6b5f6a3300867590dfc2f99311cb361
SHA256

b84de1beb359051a0701801812bccfc0d3fb8c8bc17955838535736640615848
SHA512

0851ad6f9dc3ae455bdacc90810572590737abadb4fe61a70ec02f98d1298cd676cf68d0d164b8ed128be3a5063518af85e42825f06166d32b9338cfda899355
SSDEEP

1536:LqnPLw7EGLz2i+EnbE0Q2bavZFuLOev0NM4UvMLsU2UtgyFvT4JSut:LqPYYvfuep54P

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 816	1288	b84de1beb359051a0701801812bccfc0d3fb8c8bc17955838535736640615848.exe	27
PID 1288 wrote to memory of 816	1288	b84de1beb359051a0701801812bccfc0d3fb8c8bc17955838535736640615848.exe	27
PID 1288 wrote to memory of 816	1288	b84de1beb359051a0701801812bccfc0d3fb8c8bc17955838535736640615848.exe	27
PID 1288 wrote to memory of 816	1288	b84de1beb359051a0701801812bccfc0d3fb8c8bc17955838535736640615848.exe	27
PID 1288 wrote to memory of 816	1288	b84de1beb359051a0701801812bccfc0d3fb8c8bc17955838535736640615848.exe	27
PID 1288 wrote to memory of 816	1288	b84de1beb359051a0701801812bccfc0d3fb8c8bc17955838535736640615848.exe	27
PID 1288 wrote to memory of 816	1288	b84de1beb359051a0701801812bccfc0d3fb8c8bc17955838535736640615848.exe	27

C:\Users\Admin\AppData\Local\Temp\b84de1beb359051a0701801812bccfc0d3fb8c8bc17955838535736640615848.exe
"C:\Users\Admin\AppData\Local\Temp\b84de1beb359051a0701801812bccfc0d3fb8c8bc17955838535736640615848.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s /c ""
  2⤵
  PID:816

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1288-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download