81522724d0ca28989c5dd4bd6ed52c5461ba53ddee27b569246fa59bd9af13a3 | Triage

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
08-12-2022 18:46

Sharing

Report Analysis Logs

General

Target

Page.bat
Size

2KB
MD5

8d0a03154bbe82f6041790b08baf39c3
SHA1

c0b78b03e2ba9400cad4ec70d3187fd18c3f958f
SHA256

45ef129aa15193c634cc8badd659c7e400282ecc4759713622a965264b130a05
SHA512

ea1387e77db42b1b3e77013ae5b3aacd89f0d3aaba98c16865a7eac0532027e8c2b320b4ccb212e04d4601fbf2db4a396999bda30fde3adb9527eeb87b86dd67

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 936	1104	cmd.exe	29
PID 1104 wrote to memory of 936	1104	cmd.exe	29
PID 1104 wrote to memory of 936	1104	cmd.exe	29
PID 1104 wrote to memory of 1832	1104	cmd.exe	28
PID 1104 wrote to memory of 1832	1104	cmd.exe	28
PID 1104 wrote to memory of 1832	1104	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Page.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\system32\xcopy.exe
  xcopy /h /y aboutUs.dll C:\ProgramData
  2⤵
  PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K copy /y /b C:\Windows\System32\rundll32.exe C:\ProgramData\aMq7gB3fPYTY.exe
  2⤵
  PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1104-56-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download