f78e3aa2667d9ca93845ecc712497ade519bc55f7608d01e8dbb62ab000fe1f4

Analysis

max time kernel
98s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 01:23

Target

f78e3aa2667d9ca93845ecc712497ade519bc55f7608d01e8dbb62ab000fe1f4.exe
Size

2.7MB
MD5

89f011fe41b97336a286b737563b7061
SHA1

2ca05ac7a84bb8ad92c587aba06e4cd227d04c03
SHA256

f78e3aa2667d9ca93845ecc712497ade519bc55f7608d01e8dbb62ab000fe1f4
SHA512

9eb6321d828f6052cec5666500fc1855b6ffe4046a8347fce61dae05a58d82a9c9a2a083bb745c1d4267435c484aeb696d380cfb66f976be0e2961edb3ed888b
SSDEEP

49152:PXkxXx8V7TI6da3xVgWDqVDQcuJvQzzSBgTyDa70CI6tG4ryEWIg:PXN/d6LDXvQn2wyDk0T4rTg

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 668	568	f78e3aa2667d9ca93845ecc712497ade519bc55f7608d01e8dbb62ab000fe1f4.exe	28
PID 568 wrote to memory of 668	568	f78e3aa2667d9ca93845ecc712497ade519bc55f7608d01e8dbb62ab000fe1f4.exe	28
PID 568 wrote to memory of 668	568	f78e3aa2667d9ca93845ecc712497ade519bc55f7608d01e8dbb62ab000fe1f4.exe	28
PID 568 wrote to memory of 668	568	f78e3aa2667d9ca93845ecc712497ade519bc55f7608d01e8dbb62ab000fe1f4.exe	28
PID 568 wrote to memory of 668	568	f78e3aa2667d9ca93845ecc712497ade519bc55f7608d01e8dbb62ab000fe1f4.exe	28
PID 568 wrote to memory of 668	568	f78e3aa2667d9ca93845ecc712497ade519bc55f7608d01e8dbb62ab000fe1f4.exe	28
PID 568 wrote to memory of 668	568	f78e3aa2667d9ca93845ecc712497ade519bc55f7608d01e8dbb62ab000fe1f4.exe	28
PID 668 wrote to memory of 764	668	Net.exe	30
PID 668 wrote to memory of 764	668	Net.exe	30
PID 668 wrote to memory of 764	668	Net.exe	30
PID 668 wrote to memory of 764	668	Net.exe	30
PID 668 wrote to memory of 764	668	Net.exe	30
PID 668 wrote to memory of 764	668	Net.exe	30
PID 668 wrote to memory of 764	668	Net.exe	30

C:\Users\Admin\AppData\Local\Temp\f78e3aa2667d9ca93845ecc712497ade519bc55f7608d01e8dbb62ab000fe1f4.exe
"C:\Users\Admin\AppData\Local\Temp\f78e3aa2667d9ca93845ecc712497ade519bc55f7608d01e8dbb62ab000fe1f4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:568
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:764

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/568-54-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/668-55-0x0000000000000000-mapping.dmp

Download
memory/764-57-0x0000000000000000-mapping.dmp

Download