Analysis
- max time kernel: 116s
- max time network: 109s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 11-05-2021 12:17
Static task: static1
Behavioral task: behavioral1
- Sample: Product Range #2828915.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: Product Range #2828915.exe
- Resource: win10v20210408
General
- Target: Product Range #2828915.exe
- Size: 648KB
- MD5: a38866790c8c35700168dcbf70c451a4
- SHA1: 1c465c58bafc50427e4facab66bbbbc576dfee0e
- SHA256: 1252078421caf8c3415891ca9012a285c509a1b952b56cc84d163000155def0a
- SHA512: 99af98c49bdbf2bbbe040f79e3cbd7e837478ec98a11e34a9e2c38580620f4327eb6025174ec593ae1bfd59c31f1ef01145d3ada8e2e1cd68401d850757feaeb
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid  | process
  2020 | Product Range #2828915.exe
  2020 | Product Range #2828915.exe
  2020 | Product Range #2828915.exe
  2020 | Product Range #2828915.exe
  2020 | Product Range #2828915.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 2020 | Product Range #2828915.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (each row appears 4 times in the report, 24 entries in total):
  description                      | pid  | process                    | target process             | entries
  PID 2020 wrote to memory of 1084 | 2020 | Product Range #2828915.exe | schtasks.exe               | 4
  PID 2020 wrote to memory of 924  | 2020 | Product Range #2828915.exe | Product Range #2828915.exe | 4
  PID 2020 wrote to memory of 640  | 2020 | Product Range #2828915.exe | Product Range #2828915.exe | 4
  PID 2020 wrote to memory of 1156 | 2020 | Product Range #2828915.exe | Product Range #2828915.exe | 4
  PID 2020 wrote to memory of 544  | 2020 | Product Range #2828915.exe | Product Range #2828915.exe | 4
  PID 2020 wrote to memory of 1964 | 2020 | Product Range #2828915.exe | Product Range #2828915.exe | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pecnQZLi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE5DC.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe"
  - C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe"
  - C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe"
  - C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe"
  - C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpE5DC.tmp
  MD5: 3b5b6099ff32b77222d725a441b7df39
  SHA1: 9ca57c44a5759057d6a1401e9de64e494b9d762b
  SHA256: 81afc7604df06bcf82de37ce1588341b373fa0d66afa3a61880a017337e71099
  SHA512: a772a940ccc066964ce754810c43cb94f85aca756848cfaec622fcce23d7808e8cab7755a14288e364fabbae99f1054316d270b3a039167bba3a22da479f8f54
- memory/1084-66-0x0000000000000000-mapping.dmp
- memory/2020-60-0x00000000003E0000-0x00000000003E1000-memory.dmp (Filesize: 4KB)
- memory/2020-62-0x0000000000490000-0x0000000000494000-memory.dmp (Filesize: 16KB)
- memory/2020-63-0x00000000007B0000-0x00000000007B1000-memory.dmp (Filesize: 4KB)
- memory/2020-64-0x0000000005160000-0x00000000051DE000-memory.dmp (Filesize: 504KB)
- memory/2020-65-0x0000000000750000-0x0000000000791000-memory.dmp (Filesize: 260KB)