ce9a097eb92cfb6ad82724b4afe787117a1388e5a931a51b65656db6ddd1af8d

Analysis

max time kernel
38s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/12/2022, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce9a097eb92cfb6ad82724b4afe787117a1388e5a931a51b65656db6ddd1af8d.exe
Size

90KB
MD5

59aa15dfa6c80329799b6ee5118e2bd1
SHA1

e83d9f8f9bc7f50fab7a3a691207b815394a01c3
SHA256

ce9a097eb92cfb6ad82724b4afe787117a1388e5a931a51b65656db6ddd1af8d
SHA512

6fedd70cc8ea20f3b0c46b2ee3a7d6a19602fb3f89a4df449d75d6cd0aead23eef7cf28f6e1b262d1655edcbb8d991235dea9923fc44594ccd5d2bde1d644a38
SSDEEP

1536:herX86+/2o8HNRWkoj/DAJzFXavPhVUbPWBGFarEBhFI+L:QrXr+/2o8XZoTDAJgPYrQGfBhFIq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1388	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1388	944	ce9a097eb92cfb6ad82724b4afe787117a1388e5a931a51b65656db6ddd1af8d.exe	27
PID 944 wrote to memory of 1388	944	ce9a097eb92cfb6ad82724b4afe787117a1388e5a931a51b65656db6ddd1af8d.exe	27
PID 944 wrote to memory of 1388	944	ce9a097eb92cfb6ad82724b4afe787117a1388e5a931a51b65656db6ddd1af8d.exe	27
PID 944 wrote to memory of 1388	944	ce9a097eb92cfb6ad82724b4afe787117a1388e5a931a51b65656db6ddd1af8d.exe	27

C:\Users\Admin\AppData\Local\Temp\ce9a097eb92cfb6ad82724b4afe787117a1388e5a931a51b65656db6ddd1af8d.exe
"C:\Users\Admin\AppData\Local\Temp\ce9a097eb92cfb6ad82724b4afe787117a1388e5a931a51b65656db6ddd1af8d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Chz..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Chz..bat

Filesize
274B

MD5
ffb9dfe723b9fa62190a9f295c66dd05

SHA1
b576bd6843665432e2018d8291efa96ff60f2010

SHA256
715327131151c48ea85433300edbb588710e4dcae0046185c3223697b6c78bf2

SHA512
45eea99f14620d0a885adadd4e4283b58169900185b0ede2e79236b82397c14c09e04e0bc9034f53fc872473209656168f988e7576839d1ccb65c53155424136

Download Submit
memory/944-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/944-55-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/944-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/944-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download