a0f552a68324a88ee198a7504a3de795f941e7e08e5c0d1c19a1fcc493915587

Analysis

max time kernel
25s
max time network
149s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0f552a68324a88ee198a7504a3de795f941e7e08e5c0d1c19a1fcc493915587.exe
Size

72KB
MD5

dcd3754b52718a016d9633aa755a0d2e
SHA1

92b0e81ae407784a4ebeb28bdc93f8f6c3cc8b29
SHA256

a0f552a68324a88ee198a7504a3de795f941e7e08e5c0d1c19a1fcc493915587
SHA512

061dbc078e11af483f14ca80ca883cc6f5bb3853582099f9af2c86196f27cb1e3bcb32d4017bd36bda15321b923e41232928e2f82db18185988f3b0a69e23784
SSDEEP

768:xDkfWemN0AQn7N6c2V7RfPrkHr8fxCU3imrGf+DmjpiMH19kF4x4UwNsQd4iSL:qfWeK0tgc2VVLpffqHjpp19VxRw6QLSL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1172	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
620	a0f552a68324a88ee198a7504a3de795f941e7e08e5c0d1c19a1fcc493915587.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1172	620	a0f552a68324a88ee198a7504a3de795f941e7e08e5c0d1c19a1fcc493915587.exe	28
PID 620 wrote to memory of 1172	620	a0f552a68324a88ee198a7504a3de795f941e7e08e5c0d1c19a1fcc493915587.exe	28
PID 620 wrote to memory of 1172	620	a0f552a68324a88ee198a7504a3de795f941e7e08e5c0d1c19a1fcc493915587.exe	28
PID 620 wrote to memory of 1172	620	a0f552a68324a88ee198a7504a3de795f941e7e08e5c0d1c19a1fcc493915587.exe	28

C:\Users\Admin\AppData\Local\Temp\a0f552a68324a88ee198a7504a3de795f941e7e08e5c0d1c19a1fcc493915587.exe
"C:\Users\Admin\AppData\Local\Temp\a0f552a68324a88ee198a7504a3de795f941e7e08e5c0d1c19a1fcc493915587.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Anz..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Anz..bat

Filesize
274B

MD5
ca4e92a8576878fe10e290b6c01c7e06

SHA1
ea0e4ffd2d5d7fd810bd18c02c4a318b64136a95

SHA256
8a3733b88a97cc282677ce72a7a52ad14873eaae28a879b6474dd871e9c33863

SHA512
e05a3abb00f0d3a05a1501f705b69a565bcb0eb2657877bb9046fbb75425e70c998bf1785187dda82a2a35085071402d4c9b1182666674f5664377b2cc505172

Download Submit
memory/620-54-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download
memory/620-55-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/620-56-0x0000000000230000-0x0000000000241000-memory.dmp

Filesize
68KB

Download
memory/620-57-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/620-58-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/620-60-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download