9c52ab766eff2354b0624a09872707180c34547e082102a3d802714c76686839

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16/12/2022, 20:43

Target

9c52ab766eff2354b0624a09872707180c34547e082102a3d802714c76686839.exe
Size

3.0MB
MD5

c539f6f6a5a27d10a7631c7a0e210d1d
SHA1

62a3657071d7f04902a23381259354e002655968
SHA256

9c52ab766eff2354b0624a09872707180c34547e082102a3d802714c76686839
SHA512

b058cf9ddee2a7591ca174bd9b34b6c3e28c5cf2786b2877a2c46b19d0bf163d8bdfe9d79e7fb7beaafe1fc05765c4e88c85841bede102743b8890b018c4a114
SSDEEP

98304:lj9TRMaZG5Qy7Rxr1fTvi7lXDAY+uyB87ZLQ:jTRMaQyy7Rt1fT6VDAY+L87+

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 868	2036	9c52ab766eff2354b0624a09872707180c34547e082102a3d802714c76686839.exe	28
PID 2036 wrote to memory of 868	2036	9c52ab766eff2354b0624a09872707180c34547e082102a3d802714c76686839.exe	28
PID 2036 wrote to memory of 868	2036	9c52ab766eff2354b0624a09872707180c34547e082102a3d802714c76686839.exe	28
PID 2036 wrote to memory of 868	2036	9c52ab766eff2354b0624a09872707180c34547e082102a3d802714c76686839.exe	28
PID 2036 wrote to memory of 868	2036	9c52ab766eff2354b0624a09872707180c34547e082102a3d802714c76686839.exe	28
PID 2036 wrote to memory of 868	2036	9c52ab766eff2354b0624a09872707180c34547e082102a3d802714c76686839.exe	28
PID 2036 wrote to memory of 868	2036	9c52ab766eff2354b0624a09872707180c34547e082102a3d802714c76686839.exe	28

C:\Users\Admin\AppData\Local\Temp\9c52ab766eff2354b0624a09872707180c34547e082102a3d802714c76686839.exe
"C:\Users\Admin\AppData\Local\Temp\9c52ab766eff2354b0624a09872707180c34547e082102a3d802714c76686839.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\System32\cscript.exe" "C:\CorpID\Wallpaper\Desktop\Adapt.vbs"
  2⤵
  PID:868

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\CorpID\Wallpaper\Desktop\3180.bgi

Filesize
916B

MD5
a61cd1a19d347b1a89ff8422e485818e

SHA1
66933f428eef16210a280dcaa0f9317b6483c8b6

SHA256
c68e018791d57e82ea75ae853a6f560b4b2125bcb5ae98f7cd4a13133ea4e943

SHA512
ec8630a1f1f4f72abdaadd4275f2f230604ea8d3fdf2df96b4fa74c905118f9c4b0e38cec9a864488a03e94271e4acf3cf55e73617494a0df626e63a5bf3c94e

Download Submit
C:\CorpID\Wallpaper\Desktop\3180_16X9.bgi

Filesize
916B

MD5
a61cd1a19d347b1a89ff8422e485818e

SHA1
66933f428eef16210a280dcaa0f9317b6483c8b6

SHA256
c68e018791d57e82ea75ae853a6f560b4b2125bcb5ae98f7cd4a13133ea4e943

SHA512
ec8630a1f1f4f72abdaadd4275f2f230604ea8d3fdf2df96b4fa74c905118f9c4b0e38cec9a864488a03e94271e4acf3cf55e73617494a0df626e63a5bf3c94e

Download Submit
C:\CorpID\Wallpaper\Desktop\Adapt.vbs

Filesize
1KB

MD5
140e1f5df071c4c8b862485d3c864d9e

SHA1
19d2d2ab654d60fbf3af00ae33a410315767a781

SHA256
11d68f5f9729adfbcfca47c1aecc22a584f82038d5f6b8086ba007c70f13928b

SHA512
ec4bf7d9bc1839bc4ff079a7490588cc90a6a276b7257a7b49078cedf34bf22ee63bb9a03a86c6df3e30c25955d4f094b46eb4bed2699cbfe0d4367c7bdcfc25

Download Submit
memory/2036-54-0x00000000753D1000-0x00000000753D3000-memory.dmp

Filesize
8KB

Download