bcdfb7ac778654f3531995947c9088b25cb0887b3b646ac222ea9fa46d399805

Analysis

max time kernel
27s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcdfb7ac778654f3531995947c9088b25cb0887b3b646ac222ea9fa46d399805.exe
Size

91KB
MD5

78314f07817ecde365f674f3c95460b0
SHA1

05e9c18c407ce9a7aa45e690db6188ba7044ab62
SHA256

bcdfb7ac778654f3531995947c9088b25cb0887b3b646ac222ea9fa46d399805
SHA512

470d38afa051e1c6defabb68c1a3842bd6161f4fc2b045cf53b3f75a34769aa8964b866360855091a0b64e9aec2d8c0abd5e9d2813d797aa4e63db19fd1ca528
SSDEEP

1536:ix2GNnR7NXXynnVP/QRbKKKx/1PfK6yuRMt0zar+XhL:ANHGVP+YNfK65F9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1996	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1996	1880	bcdfb7ac778654f3531995947c9088b25cb0887b3b646ac222ea9fa46d399805.exe	28
PID 1880 wrote to memory of 1996	1880	bcdfb7ac778654f3531995947c9088b25cb0887b3b646ac222ea9fa46d399805.exe	28
PID 1880 wrote to memory of 1996	1880	bcdfb7ac778654f3531995947c9088b25cb0887b3b646ac222ea9fa46d399805.exe	28
PID 1880 wrote to memory of 1996	1880	bcdfb7ac778654f3531995947c9088b25cb0887b3b646ac222ea9fa46d399805.exe	28

C:\Users\Admin\AppData\Local\Temp\bcdfb7ac778654f3531995947c9088b25cb0887b3b646ac222ea9fa46d399805.exe
"C:\Users\Admin\AppData\Local\Temp\bcdfb7ac778654f3531995947c9088b25cb0887b3b646ac222ea9fa46d399805.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Dtz..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dtz..bat

Filesize
274B

MD5
4b294fa19b0b8acdc4f62025df84c5e6

SHA1
e6cb8b1f357698c07231f8e5ecccc49ad9de172f

SHA256
85903d266a8080aafa3345b37eb41ee3480e1cba908a38fb8a253f18ef6a01c8

SHA512
741da3c54580f236e7798ec4a2156f883d51a6671be4dbe270aae609dc4be06d2648e7710bddeae5dddc6b03799d97a58f0068b84a4d643111a7b6f68c3ce684

Download Submit
memory/1880-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1880-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1880-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1880-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download