Overview

overview

10

Static

static

Goods240521.exe

windows7_x64

10

Goods240521.exe

windows10_x64

5

Analysis

  • max time kernel
    128s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    24-05-2021 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Goods240521.exe

  • Size

    1.4MB

  • MD5

    13521ca08216f7aaa0541a2ad77aeb2f

  • SHA1

    3bb4bde4b535a15fc5d9bde3640f7243607efd96

  • SHA256

    a1492c16ac7f3a351538573eb52ef614e19cd137d28672d8117eead8da570660

  • SHA512

    0bd4357f46acc5944e699b1d1dfa9dd027bd9d7833be14dbabc626c9e7b7a2875455789a0b87f953d2a669dacf8040b1d8834b5f2923265de515389a2cb18a2c

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Goods240521.exe
    "C:\Users\Admin\AppData\Local\Temp\Goods240521.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Goods240521.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lpyORIigWWW.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpyORIigWWW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE4D3.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3900
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lpyORIigWWW.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3152
    • C:\Users\Admin\AppData\Local\Temp\Goods240521.exe
      "C:\Users\Admin\AppData\Local\Temp\Goods240521.exe"
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nl4TJGqDgYqQmMpN.bat" "
        3⤵
          PID:2464

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      fb843c969d7029469d85e855594b3ce2

      SHA1

      b644cb619f89986dce21b944ea64fdb539f03d93

      SHA256

      04c4037d17e53b05bd719758db6538e0bc13eac05bab09e37840d5f930c0845c

      SHA512

      5c6c364770f434141ffd07c1629f24e43320336ac921f7b933f2cff701928e6484c5b4da00d986c9ce733afc48e9a4e223d48a16bb6ac5580391bb71224f7e3d

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      5468079ffcba6ce818dbda66da4a53e6

      SHA1

      f4347f8cf03c591bef9a838791819dca5e8e4ac1

      SHA256

      2e9ff5926747551eea8b2f6e6f41c1ca6e00485733499089761dec5f938bac1c

      SHA512

      0bb0e68edfefff3d9efab1c25f42f744ed8cf4171af85a45915ef91bc7884aad2a74ddd6dd6caa94ce3f9eeeb38ae05a174f798af11077a3a0313b1a228b2c83

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Nl4TJGqDgYqQmMpN.bat
      MD5

      d3ece91a22e7783b514264668f5a8648

      SHA1

      681a2f10b173cd4883a69771e0e31a51403d1bbd

      SHA256

      9c5a2a1bbfc086fc0c42a9f764d485d70641064e59de4df9e3b990f107820f43

      SHA512

      d9ac01e7369cd8e7a3e0b829a9e3e579b5d976d6d8df3eb934c44536a3e9bf8c10e8d9b6abf10f216b2d7b75595eba57128f471368d87a54b1af94c85f6d1820

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmpE4D3.tmp
      MD5

      9a3d780b183900e44bf8758db97417df

      SHA1

      403c1571844464cdb9822b3c82dd4f75c9727db7

      SHA256

      3ff7764b7933e15e419c4f2d77a820c70733b1f25fc43c4b9ec17dd2fbff51d7

      SHA512

      1a718b4da6b6f0acb68ab6e15a61fa4a869cf72247a682c561664852626f9e031d62c349801353a31fa27342f6eb79dc0400dcfd65d7b623ef9eeaa12c0e900f

      Download Submit
    • memory/780-119-0x0000000005140000-0x0000000005141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/780-120-0x00000000052B0000-0x00000000052B5000-memory.dmp
      Filesize

      20KB

      Download
    • memory/780-122-0x000000007F960000-0x000000007F961000-memory.dmp
      Filesize

      4KB

      Download
    • memory/780-123-0x00000000060D0000-0x00000000061F3000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/780-124-0x00000000086E0000-0x0000000008803000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/780-121-0x0000000005270000-0x000000000576E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/780-114-0x00000000007B0000-0x00000000007B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/780-118-0x0000000005310000-0x0000000005311000-memory.dmp
      Filesize

      4KB

      Download
    • memory/780-116-0x0000000005770000-0x0000000005771000-memory.dmp
      Filesize

      4KB

      Download
    • memory/780-117-0x0000000005160000-0x0000000005161000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2464-199-0x0000000000000000-mapping.dmp
      Download
    • memory/2508-130-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2508-132-0x0000000007920000-0x0000000007921000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2508-125-0x0000000000000000-mapping.dmp
      Download
    • memory/2508-131-0x0000000004F00000-0x0000000004F01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2508-192-0x0000000009760000-0x0000000009793000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2508-196-0x0000000004EF3000-0x0000000004EF4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2508-193-0x000000007EE50000-0x000000007EE51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2508-151-0x0000000004EF2000-0x0000000004EF3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2728-126-0x0000000000000000-mapping.dmp
      Download
    • memory/2728-194-0x000000007E7A0000-0x000000007E7A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2728-154-0x0000000006940000-0x0000000006941000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2728-140-0x00000000075B0000-0x00000000075B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2728-157-0x0000000006942000-0x0000000006943000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2728-198-0x0000000006943000-0x0000000006944000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2728-163-0x0000000007D10000-0x0000000007D11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2728-164-0x0000000008240000-0x0000000008241000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2728-143-0x0000000007730000-0x0000000007731000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2728-148-0x00000000079C0000-0x00000000079C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2728-145-0x00000000078A0000-0x00000000078A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3152-153-0x0000000006ED0000-0x0000000006ED1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3152-195-0x000000007F190000-0x000000007F191000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3152-169-0x0000000008640000-0x0000000008641000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3152-197-0x0000000006ED3000-0x0000000006ED4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3152-156-0x0000000006ED2000-0x0000000006ED3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3152-138-0x0000000000000000-mapping.dmp
      Download
    • memory/3900-127-0x0000000000000000-mapping.dmp
      Download
    • memory/3972-158-0x0000000000400000-0x00000000004F3000-memory.dmp
      Filesize

      972KB

      Download
    • memory/3972-141-0x000000000049D8CA-mapping.dmp
      Download
    • memory/3972-139-0x0000000000400000-0x00000000004F3000-memory.dmp
      Filesize

      972KB

      Download