f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8

Analysis

max time kernel
4s
max time network
12s
platform
windows7_x64
resource
win7v20201028
submitted
21/01/2021, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
Size

17KB
MD5

c5d712f82d5d37bb284acd4468ab3533
SHA1

3426e8dcb104d9b01874498fb44c6e460228a9a0
SHA256

f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8
SHA512

be69319e023ccd23557edc3178a3b6775a771927a0e6d34f409b8d26cbe09fb27ff4bf92abdb0c344100404029b4e3f38963a0c27bd7a4ae35e5de2e779c6649

Score

5^/10

ransomware

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Kills process with taskkill 3 IoCs

evasion

pid	Process
1796	taskkill.exe
1036	taskkill.exe
432	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1316	1832	f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe	27
PID 1832 wrote to memory of 1316	1832	f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe	27
PID 1832 wrote to memory of 1316	1832	f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe	27
PID 1316 wrote to memory of 2004	1316	cmd.exe	29
PID 1316 wrote to memory of 2004	1316	cmd.exe	29
PID 1316 wrote to memory of 2004	1316	cmd.exe	29
PID 2004 wrote to memory of 1992	2004	net.exe	30
PID 2004 wrote to memory of 1992	2004	net.exe	30
PID 2004 wrote to memory of 1992	2004	net.exe	30
PID 1316 wrote to memory of 332	1316	cmd.exe	31
PID 1316 wrote to memory of 332	1316	cmd.exe	31
PID 1316 wrote to memory of 332	1316	cmd.exe	31
PID 332 wrote to memory of 536	332	net.exe	32
PID 332 wrote to memory of 536	332	net.exe	32
PID 332 wrote to memory of 536	332	net.exe	32
PID 1316 wrote to memory of 1164	1316	cmd.exe	33
PID 1316 wrote to memory of 1164	1316	cmd.exe	33
PID 1316 wrote to memory of 1164	1316	cmd.exe	33
PID 1316 wrote to memory of 1096	1316	cmd.exe	34
PID 1316 wrote to memory of 1096	1316	cmd.exe	34
PID 1316 wrote to memory of 1096	1316	cmd.exe	34
PID 1316 wrote to memory of 560	1316	cmd.exe	35
PID 1316 wrote to memory of 560	1316	cmd.exe	35
PID 1316 wrote to memory of 560	1316	cmd.exe	35
PID 1316 wrote to memory of 1560	1316	cmd.exe	36
PID 1316 wrote to memory of 1560	1316	cmd.exe	36
PID 1316 wrote to memory of 1560	1316	cmd.exe	36
PID 1316 wrote to memory of 1796	1316	cmd.exe	37
PID 1316 wrote to memory of 1796	1316	cmd.exe	37
PID 1316 wrote to memory of 1796	1316	cmd.exe	37
PID 1316 wrote to memory of 1036	1316	cmd.exe	42
PID 1316 wrote to memory of 1036	1316	cmd.exe	42
PID 1316 wrote to memory of 1036	1316	cmd.exe	42
PID 1316 wrote to memory of 432	1316	cmd.exe	43
PID 1316 wrote to memory of 432	1316	cmd.exe	43
PID 1316 wrote to memory of 432	1316	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\kill.bat" "C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\system32\net.exe
    net stop BMR Boot Service /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:1992
- - C:\Windows\system32\net.exe
    net stop NetBackup BMR MTFTP Service /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:536
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY start= disabled
    3⤵
    PID:1164
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:1096
- - C:\Windows\system32\sc.exe
    sc config SQLWriter start= disabled
    3⤵
    PID:560
- - C:\Windows\system32\sc.exe
    sc config SstpSvc start= disabled
    3⤵
    PID:1560
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1832-2-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/1832-3-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download