Analysis
- max time kernel: 150s
- max time network: 93s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 05-06-2021 18:39
Tasks
- Static task static1
- Behavioral task behavioral1: Sample Install.sfx.exe, Resource win7v20210410
- Behavioral task behavioral2: Sample Install.sfx.exe, Resource win10v20210408
- Behavioral task behavioral3: Sample Автономная Установка.exe, Resource win7v20210410
- Behavioral task behavioral4: Sample Автономная Установка.exe, Resource win10v20210410
General
- Target: Автономная Установка.exe
- Size: 6KB
- MD5: 6ea57e7f9246d44f91fd33c08a68c4a5
- SHA1: 8c0998c1c3b4fd419c24d9f951e8a7cf0a09b6cf
- SHA256: 9db749b9a3a2790b136548a7fdbada5e45428db659a95a05e13691fbb467e605
- SHA512: d81902bddb500417cef1a1dbde64fbc060a66898e8b11de8a38acdb95b31058c8c2092d0a6d7d4c3a981f701e7fce4ef077b6d61bc59bd2b52ae4b8a47e3151f
Malware Config

Signatures
- Executes dropped EXE (1 IoC)
  pid 568, process svchost.exe
- Deletes itself (1 IoC)
  pid 1680, process cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1696, process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 568, process svchost.exe (the same entry is recorded 64 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1088, process Автономная Установка.exe
  Token: SeDebugPrivilege, pid 568, process svchost.exe
- Suspicious use of WriteProcessMemory (16 IoCs; each entry below is recorded 4 times)
  PID 1088 (Автономная Установка.exe) wrote to memory of PID 1680, procid_target 29
  PID 1680 (cmd.exe) wrote to memory of PID 1524, procid_target 31
  PID 1680 (cmd.exe) wrote to memory of PID 1696, procid_target 32
  PID 528 (taskeng.exe) wrote to memory of PID 568, procid_target 34
Processes (tree; depth 1 = top-level process, each child nested under its parent)

1. C:\Users\Admin\AppData\Local\Temp\Автономная Установка.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Автономная Установка.exe"
   PID: 1088
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Автономная Установка.exe" & schtasks /create /tn \qz5vsaze\nbpsvq0r /tr C:\Users\Admin\AppData\Roaming\svchost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      PID: 1680
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\choice.exe
         Command line: choice /C Y /N /D Y /T 3
         PID: 1524
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: schtasks /create /tn \qz5vsaze\nbpsvq0r /tr C:\Users\Admin\AppData\Roaming\svchost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
         PID: 1696
         - Creates scheduled task(s)

1. C:\Windows\system32\taskeng.exe
   Command line: taskeng.exe {C00F3297-C888-4D40-9679-C1ADB27F04CD} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
   PID: 528
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
      PID: 568
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken