871e93752c14253b68bb7f106058e536a70b468ab06f8eca41eb315e5c094f72

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

871e93752c14253b68bb7f106058e536a70b468ab06f8eca41eb315e5c094f72.exe
Size

76KB
MD5

bb8c2a123b389ba4944a2c65559dddd4
SHA1

c0516e496e37fedb164b161d92c946023962ff51
SHA256

871e93752c14253b68bb7f106058e536a70b468ab06f8eca41eb315e5c094f72
SHA512

dd2e292e0efbe0c3f0f2575fc9d6a1517fb9f891d0f680e8acef71a631dc79de1e8cc3d13fc5af6f243ecbe346fe8dde2f2ed7fdd5cdb2275514da66cde1a9e2
SSDEEP

1536:nnd47nXPeFCi0Jn+mIeTs3xEXf6/Dj6r/q97vKux7N+bpAn1gAL:ndk9Q8sSv6D2rCvXx5+beL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
276	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 276	1600	871e93752c14253b68bb7f106058e536a70b468ab06f8eca41eb315e5c094f72.exe	27
PID 1600 wrote to memory of 276	1600	871e93752c14253b68bb7f106058e536a70b468ab06f8eca41eb315e5c094f72.exe	27
PID 1600 wrote to memory of 276	1600	871e93752c14253b68bb7f106058e536a70b468ab06f8eca41eb315e5c094f72.exe	27
PID 1600 wrote to memory of 276	1600	871e93752c14253b68bb7f106058e536a70b468ab06f8eca41eb315e5c094f72.exe	27

C:\Users\Admin\AppData\Local\Temp\871e93752c14253b68bb7f106058e536a70b468ab06f8eca41eb315e5c094f72.exe
"C:\Users\Admin\AppData\Local\Temp\871e93752c14253b68bb7f106058e536a70b468ab06f8eca41eb315e5c094f72.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Olv..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Olv..bat

Filesize
274B

MD5
775f8d1d4ee5bd30754e869af62c7456

SHA1
1de52f60fcd941bd92df2af067a81491716029c1

SHA256
450632b5e95fe3d5b95da16e0e924ae69b6bcd3787c8841b19d0a3a5ae497334

SHA512
17d2b7a5d784f1a0c0a8b9caa0dfd0719e90665efc65efdbc84a758bfdc6b39a7070817accb11b3e5c95e81d883ff041fe54648e60c784013c2ec53a31ca465c

Download Submit
memory/276-56-0x0000000000000000-mapping.dmp

Download
memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1600-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1600-57-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download