Analysis
- max time kernel: 144s
- max time network: 47s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-06-2021 11:47
Static task: static1
Behavioral task: behavioral1
  Sample: e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  Resource: win10v20210408
General
- Target: e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
- Size: 121KB
- MD5: 5d3d675b0808fc06b099608cdb714f37
- SHA1: 2416359596a289b8f75ed0797481184a5270bb4a
- SHA256: e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603
- SHA512: 9a083e970b4bac1ca3aaae17fcf2be7fa08b9c94a6c2bd72988a76c3b617e33a0f88632959ed07e287e013faa4c2a7047a2ca637f2d5058874de50947dd1de56
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  description              ioc     process
  File opened (read-only)  \??\B:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\N:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\W:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\M:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\U:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\X:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\Y:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\A:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\F:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\I:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\K:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\S:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\Z:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\E:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\L:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\O:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\R:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\Q:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\T:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\V:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\G:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\H:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\J:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  File opened (read-only)  \??\P:  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  pid   process
  1656  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  description                      pid   process
  Token: SeDebugPrivilege          1656  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  Token: SeTakeOwnershipPrivilege  1656  e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e23e281681e88c56a946f251ba6bbe3ce5f38e6b7519a8f4c4699a8884603603.exe"
  PID: 1656
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1656-59-0x0000000075801000-0x0000000075803000-memory.dmp (Filesize: 8KB)