25fa8212eb6fb7a690aed29ec6bab72423f94b4cb81510aa7ad85845e530259e

Analysis

max time kernel
27s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-04-2023 11:05

Target

25fa8212eb6fb7a690aed29ec6bab72423f94b4cb81510aa7ad85845e530259e.exe
Size

2.8MB
MD5

489ade0743a1a3be15d6565c09a849eb
SHA1

b3337f0f3b6a3dab83eeea0535e79b0342749414
SHA256

25fa8212eb6fb7a690aed29ec6bab72423f94b4cb81510aa7ad85845e530259e
SHA512

bca0705eac03341915b3ca05811c0ca313ae2f5d46dfdc5c131d12a68fafc660bd9a07f14b67b7123d3d671dad90b1d9893bb769f940c77d1f9fbbabf0e030fe
SSDEEP

49152:2DBQFkWk5cS7a+9XYaQVZehc4mTYJ78V9gyBn4c/fmP/SA8N:ZajJeZ942KQV9hp44fmP/SA8

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2008	25fa8212eb6fb7a690aed29ec6bab72423f94b4cb81510aa7ad85845e530259e.exe
2008	25fa8212eb6fb7a690aed29ec6bab72423f94b4cb81510aa7ad85845e530259e.exe
2008	25fa8212eb6fb7a690aed29ec6bab72423f94b4cb81510aa7ad85845e530259e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1480	2008	25fa8212eb6fb7a690aed29ec6bab72423f94b4cb81510aa7ad85845e530259e.exe	29
PID 2008 wrote to memory of 1480	2008	25fa8212eb6fb7a690aed29ec6bab72423f94b4cb81510aa7ad85845e530259e.exe	29
PID 2008 wrote to memory of 1480	2008	25fa8212eb6fb7a690aed29ec6bab72423f94b4cb81510aa7ad85845e530259e.exe	29
PID 2008 wrote to memory of 1480	2008	25fa8212eb6fb7a690aed29ec6bab72423f94b4cb81510aa7ad85845e530259e.exe	29

C:\Users\Admin\AppData\Local\Temp\25fa8212eb6fb7a690aed29ec6bab72423f94b4cb81510aa7ad85845e530259e.exe
"C:\Users\Admin\AppData\Local\Temp\25fa8212eb6fb7a690aed29ec6bab72423f94b4cb81510aa7ad85845e530259e.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1480

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact