e7e68c5e7d8d244f57455f83148f574094d216a634cb2259880c0910088402a4

Analysis

max time kernel
37s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
10/02/2023, 21:08

Target

math.bat
Size

1KB
MD5

ae315719f9e410b80ae2c059483ae3ad
SHA1

aaea22f5d865f44d904f344d82f125455d4c87ef
SHA256

f7a5e8aa213fc7cab3428f935c73e54fa5f7af07c118cb8355edaf02ebaef749
SHA512

097c721573bb6673e359ab487e46610f3bdcb767b5161d78f7cd1413136b35562294b9333421966104ba730ba18b1f12bf9f6ead9c340c5f082f81b3b9b25471

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 588	1480	cmd.exe	29
PID 1480 wrote to memory of 588	1480	cmd.exe	29
PID 1480 wrote to memory of 588	1480	cmd.exe	29
PID 588 wrote to memory of 1916	588	cmd.exe	30
PID 588 wrote to memory of 1916	588	cmd.exe	30
PID 588 wrote to memory of 1916	588	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\math.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\system32\cmd.exe
  cmd.exe /c start /b /min copy /Y C:\Windows\System32\rundll32.exe C:\ProgramData\2XvdXuWL0hw1.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K copy /Y C:\Windows\System32\rundll32.exe C:\ProgramData\2XvdXuWL0hw1.exe
    3⤵
    PID:1916

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1480-56-0x000007FEFB941000-0x000007FEFB943000-memory.dmp

Filesize
8KB

Download