7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/01/2023, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433.exe
Size

1.5MB
MD5

34beaa69b367754e9cf8a6a9371edf5c
SHA1

e380cbaff884da11ea08c4916018f46bd569dde0
SHA256

7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433
SHA512

92e1a74cd9d81153367dbefc46f95cc598cf49dc7ff6cf14e18c1eb906f773187d08fcecd60251ae58884c3d1d8b8b52b2a9a88bca919d6a928196544544fbae
SSDEEP

24576:Ooi2Q9NXw2/wPOjdGxYqfw+Jwz/S/6RZs8nVW6k5JHkARt7DBAqnF:O3Tq24GjdGSgw+W7SCRnVQTEQ/BA8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1328	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1808	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433.exe
Token: SeDebugPrivilege	1808	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 1696	1136	7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433.exe	29
PID 1136 wrote to memory of 1696	1136	7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433.exe	29
PID 1136 wrote to memory of 1696	1136	7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433.exe	29
PID 1136 wrote to memory of 1696	1136	7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433.exe	29
PID 1696 wrote to memory of 1916	1696	cmd.exe	31
PID 1696 wrote to memory of 1916	1696	cmd.exe	31
PID 1696 wrote to memory of 1916	1696	cmd.exe	31
PID 1696 wrote to memory of 1916	1696	cmd.exe	31
PID 1696 wrote to memory of 1808	1696	cmd.exe	32
PID 1696 wrote to memory of 1808	1696	cmd.exe	32
PID 1696 wrote to memory of 1808	1696	cmd.exe	32
PID 1696 wrote to memory of 1808	1696	cmd.exe	32
PID 1696 wrote to memory of 1328	1696	cmd.exe	33
PID 1696 wrote to memory of 1328	1696	cmd.exe	33
PID 1696 wrote to memory of 1328	1696	cmd.exe	33
PID 1696 wrote to memory of 1328	1696	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433.exe
"C:\Users\Admin\AppData\Local\Temp\7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2251.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\taskkill.exe
    TaskKill /F /IM 1136
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /T 2 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2251.tmp.bat

Filesize
57B

MD5
a88620d40a914672d6ede8ee8a97ea38

SHA1
1a9dca266209bf2bccdd3b082ac1e617a5f98ae0

SHA256
0a5e908db90c33a0d0eb3faea99e1fb89b820f015a6e8dea7ec336a3418d2f37

SHA512
e22829769473494c62235a7ae589924102ec2a677b7d5b211c429d7162dbdbc318347cd188e94bf5ccbd7004b87b4efd2a67bfe3fc51e2f5fb33076ebf25f785

Download Submit
memory/1136-54-0x0000000000A90000-0x0000000000C14000-memory.dmp

Filesize
1.5MB

Download
memory/1136-55-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download