3e954b6126839364720363cbb12950a0b4bc91a0e473cfb59bc1a3b091f228d9

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-03-2023 07:50

Target

CONTRACT PAPER.exe
Size

2.3MB
MD5

7eb3534ce78a2b53a2d8536f1b4c733e
SHA1

f55af08ba5e762cbd3fd0d63b81ef370152e5d7b
SHA256

3e954b6126839364720363cbb12950a0b4bc91a0e473cfb59bc1a3b091f228d9
SHA512

056b06ae6f1c2068245cc45ebc4db81a5d2b13cbc9cb6642b725382989231d5432c4e2f065a49c6186db4979701ab5803a08d8139abcd61ef07b265d094133bc
SSDEEP

49152:nkWk5cS7a+9XYaQ/Zehc4mTYJ78V9gyBn4cXefmP/SA8N:fajJwZ942KQV9hp4DfmP/SA8

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1328	920	CONTRACT PAPER.exe	27
PID 920 wrote to memory of 1328	920	CONTRACT PAPER.exe	27
PID 920 wrote to memory of 1328	920	CONTRACT PAPER.exe	27
PID 920 wrote to memory of 1328	920	CONTRACT PAPER.exe	27

C:\Users\Admin\AppData\Local\Temp\CONTRACT PAPER.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACT PAPER.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1328

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact