204888f940e1bfe5ef634403a096f4de5ef88b154f037539f5de7274d7f3349d

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
13-02-2023 18:55

Target

samsung.bat
Size

1KB
MD5

d9c85f2b71f3845c6eccfc9cf0d61f5f
SHA1

87e33805b660677abf211a026d6571929007cd45
SHA256

a897ba334569f2bf0fcf2741cd644d5975221f009228243b140013a6bd6a2776
SHA512

1ed3bebdfc33c68253d63a3290fb76c681f928c902c476e749a00cbece97aa66d8b615fce8c0ef5905c13ea71aa5049c70c076680f89e5d93e53437e69f17fd6

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2044	1232	cmd.exe	29
PID 1232 wrote to memory of 2044	1232	cmd.exe	29
PID 1232 wrote to memory of 2044	1232	cmd.exe	29
PID 2044 wrote to memory of 2028	2044	cmd.exe	30
PID 2044 wrote to memory of 2028	2044	cmd.exe	30
PID 2044 wrote to memory of 2028	2044	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\samsung.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\system32\cmd.exe
  cmd.exe /c start /b /min copy /Y C:\Windows\System32\rundll32.exe C:\ProgramData\G84IrBV5PP.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K copy /Y C:\Windows\System32\rundll32.exe C:\ProgramData\G84IrBV5PP.exe
    3⤵
    PID:2028

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1232-56-0x000007FEFBFD1000-0x000007FEFBFD3000-memory.dmp

Filesize
8KB

Download