Overview

overview

10

Static

static

Goods240521.exe

windows7_x64

10

Goods240521.exe

windows10_x64

5

Analysis

  • max time kernel
    128s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    24-05-2021 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Goods240521.exe

  • Size

    1.4MB

  • MD5

    13521ca08216f7aaa0541a2ad77aeb2f

  • SHA1

    3bb4bde4b535a15fc5d9bde3640f7243607efd96

  • SHA256

    a1492c16ac7f3a351538573eb52ef614e19cd137d28672d8117eead8da570660

  • SHA512

    0bd4357f46acc5944e699b1d1dfa9dd027bd9d7833be14dbabc626c9e7b7a2875455789a0b87f953d2a669dacf8040b1d8834b5f2923265de515389a2cb18a2c

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Goods240521.exe
    "C:\Users\Admin\AppData\Local\Temp\Goods240521.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Goods240521.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lpyORIigWWW.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpyORIigWWW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE4D3.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3900
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lpyORIigWWW.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3152
    • C:\Users\Admin\AppData\Local\Temp\Goods240521.exe
      "C:\Users\Admin\AppData\Local\Temp\Goods240521.exe"
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nl4TJGqDgYqQmMpN.bat" "
        3⤵
          PID:2464

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/780-119-0x0000000005140000-0x0000000005141000-memory.dmp

      Filesize

      4KB

      Download

    • memory/780-120-0x00000000052B0000-0x00000000052B5000-memory.dmp

      Filesize

      20KB

      Download

    • memory/780-122-0x000000007F960000-0x000000007F961000-memory.dmp

      Filesize

      4KB

      Download

    • memory/780-123-0x00000000060D0000-0x00000000061F3000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/780-124-0x00000000086E0000-0x0000000008803000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/780-121-0x0000000005270000-0x000000000576E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/780-114-0x00000000007B0000-0x00000000007B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/780-118-0x0000000005310000-0x0000000005311000-memory.dmp

      Filesize

      4KB

      Download

    • memory/780-116-0x0000000005770000-0x0000000005771000-memory.dmp

      Filesize

      4KB

      Download

    • memory/780-117-0x0000000005160000-0x0000000005161000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2508-130-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2508-132-0x0000000007920000-0x0000000007921000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2508-131-0x0000000004F00000-0x0000000004F01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2508-192-0x0000000009760000-0x0000000009793000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2508-196-0x0000000004EF3000-0x0000000004EF4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2508-193-0x000000007EE50000-0x000000007EE51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2508-151-0x0000000004EF2000-0x0000000004EF3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-194-0x000000007E7A0000-0x000000007E7A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-154-0x0000000006940000-0x0000000006941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-140-0x00000000075B0000-0x00000000075B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-157-0x0000000006942000-0x0000000006943000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-198-0x0000000006943000-0x0000000006944000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-163-0x0000000007D10000-0x0000000007D11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-164-0x0000000008240000-0x0000000008241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-143-0x0000000007730000-0x0000000007731000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-148-0x00000000079C0000-0x00000000079C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-145-0x00000000078A0000-0x00000000078A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3152-153-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3152-195-0x000000007F190000-0x000000007F191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3152-169-0x0000000008640000-0x0000000008641000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3152-197-0x0000000006ED3000-0x0000000006ED4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3152-156-0x0000000006ED2000-0x0000000006ED3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3972-158-0x0000000000400000-0x00000000004F3000-memory.dmp

      Filesize

      972KB

      Download

    • memory/3972-139-0x0000000000400000-0x00000000004F3000-memory.dmp

      Filesize

      972KB

      Download