c7020976043d271b52acacb105e20e0f87e07f425144078a1fd9e313df111827

Analysis

max time kernel
55s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7020976043d271b52acacb105e20e0f87e07f425144078a1fd9e313df111827.exe
Size

63KB
MD5

8b9c6e850e1dbbcbfe01da7604a59a07
SHA1

0441e8e7e6721ac818977eefeba241a0c9ecd3a6
SHA256

c7020976043d271b52acacb105e20e0f87e07f425144078a1fd9e313df111827
SHA512

c76a9cacfbf46f7f76e96711a034221df1bbf009e3a58cdb2c7f2220118308df02dc9eb4bd4a123cdbfa78d42bcafa7eac3da9e4835fb6ce04087c6ac5b19cd6
SSDEEP

1536:uufg6xNUQs0ZEjMPcqHmbBhvI1qWfiuv7tPS0xLDLk:x3xNvaIPk+qWpL1Lk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1456	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1456	2008	c7020976043d271b52acacb105e20e0f87e07f425144078a1fd9e313df111827.exe	27
PID 2008 wrote to memory of 1456	2008	c7020976043d271b52acacb105e20e0f87e07f425144078a1fd9e313df111827.exe	27
PID 2008 wrote to memory of 1456	2008	c7020976043d271b52acacb105e20e0f87e07f425144078a1fd9e313df111827.exe	27
PID 2008 wrote to memory of 1456	2008	c7020976043d271b52acacb105e20e0f87e07f425144078a1fd9e313df111827.exe	27

C:\Users\Admin\AppData\Local\Temp\c7020976043d271b52acacb105e20e0f87e07f425144078a1fd9e313df111827.exe
"C:\Users\Admin\AppData\Local\Temp\c7020976043d271b52acacb105e20e0f87e07f425144078a1fd9e313df111827.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Zkv..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Zkv..bat

Filesize
274B

MD5
3630dc35da2f57a9eee83023433c858f

SHA1
1e06fbe9cc0afdc1edb9a17837c3a18fa256575b

SHA256
00a81ebebf457d86ce4fce9bed5b48321d41f680edd57ee23f1bb3ece6e57fda

SHA512
4e768cfb90215cf496b29929a427e775bc168eff80662e80d950d105638167aca2331ea3204c674a7ab772e572ae0703236b97a9c2cd7ab4413ac0ef347946f6

Download Submit
memory/2008-54-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2008-55-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/2008-56-0x0000000000230000-0x0000000000251000-memory.dmp

Filesize
132KB

Download
memory/2008-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2008-58-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2008-60-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download