f30af97d963a0340d5baf801c6445b7167d3765b57e2cac1776fa6457a3c4218

Analysis

max time kernel
42s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 08:29

Target

f30af97d963a0340d5baf801c6445b7167d3765b57e2cac1776fa6457a3c4218.exe
Size

5.0MB
MD5

edf773f0a2be4e75c9feb6373ead82ed
SHA1

d5db07c86f265b7ada46986d4e0f61576aadefa9
SHA256

f30af97d963a0340d5baf801c6445b7167d3765b57e2cac1776fa6457a3c4218
SHA512

ae814eaf070e5eb4e3bbb9cdb0649f01e46a81de7a8d2f936f7da22de1209bdae78ed4ab34487bd87c31785536b7501680b7edd8a8a498e21eb9e227a3a86eb9
SSDEEP

98304:pbayV+dvf9OnIXq8acyF2mFI2wJFXzTrsJpzdNvA7a5v2nOMkwmfp9LC9hEoDDPN:5jvIXqibp7Efp9L0EoPrp

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1116	1492	f30af97d963a0340d5baf801c6445b7167d3765b57e2cac1776fa6457a3c4218.exe	27
PID 1492 wrote to memory of 1116	1492	f30af97d963a0340d5baf801c6445b7167d3765b57e2cac1776fa6457a3c4218.exe	27
PID 1492 wrote to memory of 1116	1492	f30af97d963a0340d5baf801c6445b7167d3765b57e2cac1776fa6457a3c4218.exe	27
PID 1492 wrote to memory of 1116	1492	f30af97d963a0340d5baf801c6445b7167d3765b57e2cac1776fa6457a3c4218.exe	27
PID 1492 wrote to memory of 1116	1492	f30af97d963a0340d5baf801c6445b7167d3765b57e2cac1776fa6457a3c4218.exe	27
PID 1492 wrote to memory of 1116	1492	f30af97d963a0340d5baf801c6445b7167d3765b57e2cac1776fa6457a3c4218.exe	27
PID 1492 wrote to memory of 1116	1492	f30af97d963a0340d5baf801c6445b7167d3765b57e2cac1776fa6457a3c4218.exe	27
PID 1116 wrote to memory of 1388	1116	Net.exe	29
PID 1116 wrote to memory of 1388	1116	Net.exe	29
PID 1116 wrote to memory of 1388	1116	Net.exe	29
PID 1116 wrote to memory of 1388	1116	Net.exe	29
PID 1116 wrote to memory of 1388	1116	Net.exe	29
PID 1116 wrote to memory of 1388	1116	Net.exe	29
PID 1116 wrote to memory of 1388	1116	Net.exe	29

C:\Users\Admin\AppData\Local\Temp\f30af97d963a0340d5baf801c6445b7167d3765b57e2cac1776fa6457a3c4218.exe
"C:\Users\Admin\AppData\Local\Temp\f30af97d963a0340d5baf801c6445b7167d3765b57e2cac1776fa6457a3c4218.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:1388

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download