b4b98f7907dd9d5e6bdcf204937e2ef8ff8b03ba3e59179cbed43a58b0988cf1

Analysis

max time kernel
93s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2022, 01:52

Target

b4b98f7907dd9d5e6bdcf204937e2ef8ff8b03ba3e59179cbed43a58b0988cf1.exe
Size

32KB
MD5

ff34c3ed397c5f5277c8ed06ad706313
SHA1

c2bbc8dbb0e9de818eaff9cf2974827b79b17d30
SHA256

b4b98f7907dd9d5e6bdcf204937e2ef8ff8b03ba3e59179cbed43a58b0988cf1
SHA512

fbba41a1af84aca72bf41b1784bd2dbeb67f98ffeeb8940e90791b7e5695f85abc08f6ee24a6b7b7deedb46b635f61a339575029b13b899d517bca7db60c7b33
SSDEEP

768:xPH4rKS4GDkQBZ3ImWlTtEIRlJ+qFZ2bSgJzANqM3wJJkA:xf4exGDkeZ4mOoSgJEAJJkA

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 5028	5068	b4b98f7907dd9d5e6bdcf204937e2ef8ff8b03ba3e59179cbed43a58b0988cf1.exe	80
PID 5068 wrote to memory of 5028	5068	b4b98f7907dd9d5e6bdcf204937e2ef8ff8b03ba3e59179cbed43a58b0988cf1.exe	80
PID 5068 wrote to memory of 5028	5068	b4b98f7907dd9d5e6bdcf204937e2ef8ff8b03ba3e59179cbed43a58b0988cf1.exe	80
PID 5028 wrote to memory of 1220	5028	cmd.exe	82
PID 5028 wrote to memory of 1220	5028	cmd.exe	82
PID 5028 wrote to memory of 1220	5028	cmd.exe	82
PID 1220 wrote to memory of 3436	1220	cmd.exe	84
PID 1220 wrote to memory of 3436	1220	cmd.exe	84
PID 1220 wrote to memory of 3436	1220	cmd.exe	84
PID 3436 wrote to memory of 1812	3436	net.exe	85
PID 3436 wrote to memory of 1812	3436	net.exe	85
PID 3436 wrote to memory of 1812	3436	net.exe	85
PID 1220 wrote to memory of 4472	1220	cmd.exe	86
PID 1220 wrote to memory of 4472	1220	cmd.exe	86
PID 1220 wrote to memory of 4472	1220	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\b4b98f7907dd9d5e6bdcf204937e2ef8ff8b03ba3e59179cbed43a58b0988cf1.exe
"C:\Users\Admin\AppData\Local\Temp\b4b98f7907dd9d5e6bdcf204937e2ef8ff8b03ba3e59179cbed43a58b0988cf1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dt.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K c:\windows\temp\r.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\SysWOW64\net.exe
      net stop sharedaccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:1812
  - - C:\Windows\SysWOW64\ftp.exe
      ftp -s:c:\windows\temp\f.txt
      4⤵
      PID:4472

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\dt.bat

Filesize
1KB

MD5
676afdfa824e13b72aecaf6d0d65fa6c

SHA1
f5e918c9fe29a9b432be38b812a6087f4a49bff2

SHA256
896520460c090bcacba8cf6f633abf2e4c6e01c8284737b60b1f51063246e72a

SHA512
4ac34dd1eb77862206dc608c9b57e2956857407b7c5eced45c20b6577e2d53755254fd38300a2b7d02624c37a652ade86add230cd33c452bec380688f414f633

Download Submit
\??\c:\windows\temp\f.txt

Filesize
76B

MD5
e492c90155bb26e6c57c202780f35093

SHA1
83d3d0a8af4fbcd3b70a22611578ef5b5966fcb9

SHA256
ff07e608a348217c1306a1ff202f9b91fddf104b9367c4ee911bccefe04edb94

SHA512
b3265b4f58966441813a0da9032d68e061dcbe6213f82b10f83addafe93627d66637105b443534fac8e074340ff50e07e14437309ad88befc774d2daf5286259

Download Submit
\??\c:\windows\temp\r.bat

Filesize
164B

MD5
f22ad73544c4463a4fe267ed2c646a20

SHA1
9faba5662a5f43fad4df2182fb3c45199cd316c8

SHA256
188e171e17dad12fa1b8067a8b86bc113c0f9df9d9ef03e89006f9c3f7c51c98

SHA512
2c52ceee850adbb90863452815d60596931c485c921ef1a7c3ed8d0de028cbbfc561d62e25beb63410e867da63ebfef6c7cf0f2d1cb75fe13e566731f4df2abd

Download Submit