b70680c83e94d7ccd8aed4d62e4ddfd7c39e7f47cfbb5319d88037998194a693

Analysis

max time kernel
99s
max time network
136s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07/12/2022, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b70680c83e94d7ccd8aed4d62e4ddfd7c39e7f47cfbb5319d88037998194a693.exe
Size

112KB
MD5

49d80eb6d7bb07ec52dd72e440944de1
SHA1

ec36ce2b860a57c9795c1f4560ae04e9121c338d
SHA256

b70680c83e94d7ccd8aed4d62e4ddfd7c39e7f47cfbb5319d88037998194a693
SHA512

5a1711e65094e90a51b1dc7b71640e2a4cce326dd90ac90f9268df594b5b98ef2ff1a7c488211145811efcc0c2175670f2fab3e85ef7cdc86820af6e4f2d452d
SSDEEP

3072:R+wHWqNVJp5bYMLVp4PL8Db/uhFlvNl+NkqsMO+L04yb:R+wHWqNB5bYMLVp4P4bclpH+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1296	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1296	1536	b70680c83e94d7ccd8aed4d62e4ddfd7c39e7f47cfbb5319d88037998194a693.exe	28
PID 1536 wrote to memory of 1296	1536	b70680c83e94d7ccd8aed4d62e4ddfd7c39e7f47cfbb5319d88037998194a693.exe	28
PID 1536 wrote to memory of 1296	1536	b70680c83e94d7ccd8aed4d62e4ddfd7c39e7f47cfbb5319d88037998194a693.exe	28
PID 1536 wrote to memory of 1296	1536	b70680c83e94d7ccd8aed4d62e4ddfd7c39e7f47cfbb5319d88037998194a693.exe	28

C:\Users\Admin\AppData\Local\Temp\b70680c83e94d7ccd8aed4d62e4ddfd7c39e7f47cfbb5319d88037998194a693.exe
"C:\Users\Admin\AppData\Local\Temp\b70680c83e94d7ccd8aed4d62e4ddfd7c39e7f47cfbb5319d88037998194a693.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ycv..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ycv..bat

Filesize
274B

MD5
1e0442e8df958e6ec8a9bbcd42501688

SHA1
ae96c2f1ad58d15fef891a7c925731ae7d361988

SHA256
211272fd03453ec4c20fb0d7ca3960ad3f0420786819cd414c3250eac8d35b1f

SHA512
5a622f0070d22c7c397ffa7d1559ba71ae0450b0dd09c7a52ecd39ddd8466a2d8a9e1963e515aca86669a4ee5d0501b7e3e6a9745fade8d0a0e94321639a90c8

Download Submit
memory/1536-54-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1536-55-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1536-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1536-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1536-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download