b5090d1c70eda85c897aa9b9d63d5b3338f63cf87e506cf6dbec66111bf13f71

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5090d1c70eda85c897aa9b9d63d5b3338f63cf87e506cf6dbec66111bf13f71.exe
Size

73KB
MD5

37fbc253f4dd5e17bed720ab49be8ada
SHA1

20b9f7a60d2e978e0258a233a37295ae90ad32a1
SHA256

b5090d1c70eda85c897aa9b9d63d5b3338f63cf87e506cf6dbec66111bf13f71
SHA512

b43d046a5efc72770ed3f05798cc55f51bad0bc69178109918aff6f7d22fef55e19ed1481ad27f0d786d8b36b076d5b0b8267f88f28d7ba8828d71397a4b31f5
SSDEEP

1536:ePR/tH5CdwfwZgRG3sV7llkrvS4TmQfYMz/+nVRvqlW:ePR/z1YZgRGIlkrFBfYMz/+eW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1060	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1060	1476	b5090d1c70eda85c897aa9b9d63d5b3338f63cf87e506cf6dbec66111bf13f71.exe	27
PID 1476 wrote to memory of 1060	1476	b5090d1c70eda85c897aa9b9d63d5b3338f63cf87e506cf6dbec66111bf13f71.exe	27
PID 1476 wrote to memory of 1060	1476	b5090d1c70eda85c897aa9b9d63d5b3338f63cf87e506cf6dbec66111bf13f71.exe	27
PID 1476 wrote to memory of 1060	1476	b5090d1c70eda85c897aa9b9d63d5b3338f63cf87e506cf6dbec66111bf13f71.exe	27

C:\Users\Admin\AppData\Local\Temp\b5090d1c70eda85c897aa9b9d63d5b3338f63cf87e506cf6dbec66111bf13f71.exe
"C:\Users\Admin\AppData\Local\Temp\b5090d1c70eda85c897aa9b9d63d5b3338f63cf87e506cf6dbec66111bf13f71.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Rkz..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rkz..bat

Filesize
274B

MD5
97deb6db16fa7bf862ef395b13ed3086

SHA1
00f6f26b88e43d7cc523a024498ab03443a66450

SHA256
fd46894d5ab5fea4a71bbcb85d24f7f2438824bf32dfbb1a683880a475e26563

SHA512
c32d5507862ba9ce322326cfac0ad406eab86d4b16b89f59a4d9050ec9f455b48adbb224e802ef700be54bd6b8b2bc02aecd869ed7350e37b0135a8543116e02

Download Submit
memory/1476-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1476-55-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/1476-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1476-58-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download