Analysis
- max time kernel: 6s
- max time network: 56s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 10-06-2021 23:22

Static task: static1

Behavioral task: behavioral1
Sample: 6803ee8f500080b6a72a7e391bc4778e.exe
Resource: win7v20210408
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 6803ee8f500080b6a72a7e391bc4778e.exe
Resource: win10v20210410
0 signatures, 0 seconds
General
- Target: 6803ee8f500080b6a72a7e391bc4778e.exe
- Size: 384KB
- MD5: 6803ee8f500080b6a72a7e391bc4778e
- SHA1: 82119534bf1f452e9c98352577075073c671da59
- SHA256: 377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e
- SHA512: 9aee22f0c85862b03d9beebab042f84b2c5b7091181757b06404a3bf2dd4d67be72aff6a283d62897833e90f06a9b02dd396f54d64439b9b8110d643b4a44442
Score: 7/10
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes:
    pid   process
    324   cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Processes:
    pid    process
    1056   taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   1056   taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid    process                                target process
    PID 1980 wrote to memory of 324    1980   6803ee8f500080b6a72a7e391bc4778e.exe   cmd.exe        (reported 4 times)
    PID 324 wrote to memory of 1056    324    cmd.exe                                taskkill.exe   (reported 4 times)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\6803ee8f500080b6a72a7e391bc4778e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6803ee8f500080b6a72a7e391bc4778e.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "6803ee8f500080b6a72a7e391bc4778e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\6803ee8f500080b6a72a7e391bc4778e.exe" & exit
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "6803ee8f500080b6a72a7e391bc4778e.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
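The process tree above is the sample's cleanup chain: it spawns cmd.exe with /c taskkill /im <own image> /f & erase <own path> & exit, so the image file, which Windows keeps locked while the process runs, is unlinked only after the parent has been killed (the cmd.exe and taskkill.exe images resolving to SysWOW64 while the command line names System32 shows the sample runs as a 32-bit process under WOW64 file-system redirection). The following detection logic is an added example, not part of the sandbox report or of the sample. It runs over constructed process-creation records whose field names (pid, ppid, image, cmdline) are an assumption modelled on Sysmon Event ID 1; the PIDs and command lines are copied from the tree above, while the parent PID 900 and the setup.exe control process are made up. It flags any cmd.exe whose command line erases its parent's image and records whether the chain also taskkills the parent first.

```python
import ntpath
import re

# Added example, not code from the sandbox report or the sample: detect the
# "cmd.exe /c taskkill /im <self> /f & erase <self>" self-deletion chain in
# process-creation records. Record fields (pid, ppid, image, cmdline) are an
# assumption modelled on Sysmon Event ID 1. PID 900 and the setup.exe control
# are constructed; the other values come from the report's process tree.

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6803ee8f500080b6a72a7e391bc4778e.exe"

EVENTS = [
    {"pid": 1980, "ppid": 900, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 324, "ppid": 1980, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'"C:\Windows\System32\cmd.exe" /c taskkill /im '
                 r'"6803ee8f500080b6a72a7e391bc4778e.exe" /f & erase '
                 + f'"{SAMPLE}" & exit')},
    {"pid": 1056, "ppid": 324, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": 'taskkill /im "6803ee8f500080b6a72a7e391bc4778e.exe" /f'},
    # benign control (constructed): an installer removing a log file, not its own image
    {"pid": 2200, "ppid": 900, "image": r"C:\Temp\setup.exe",
     "cmdline": r'"C:\Temp\setup.exe"'},
    {"pid": 2210, "ppid": 2200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c del "C:\Temp\log.txt"'},
]


def find_self_deletion(events):
    """Return one finding per cmd.exe whose command line deletes its parent's image."""
    # Parent lookup by PID; assumes no PID reuse inside the event window.
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != "cmd.exe":
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            continue
        parent_path = parent["image"].lower()
        parent_name = ntpath.basename(parent_path)
        cl = ev["cmdline"].lower()
        # erase/del of the parent's full image path, quoted or not
        deletes = re.search(r'\b(?:erase|del)\s+"?' + re.escape(parent_path), cl)
        if deletes is None:
            continue
        # taskkill of the parent by image name or PID within the same command
        # segment; it precedes the erase so the locked image can be removed
        kills = (re.search(r'taskkill\b[^&]*/im\s+"?' + re.escape(parent_name), cl)
                 or re.search(r'taskkill\b[^&]*/pid\s+' + str(parent["pid"]) + r'\b', cl))
        findings.append({
            "cmd_pid": ev["pid"],
            "parent_pid": parent["pid"],
            "parent_image": parent["image"],
            "kills_parent": kills is not None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_self_deletion(EVENTS):
        print(finding)
```

This is a triage signal rather than a verdict: legitimate installers and updaters remove themselves the same way, and matching on the literal image path misses variants that reference the binary through %0, an environment variable or an 8.3 short name, so a production rule should also consider the parent's path (user-writable temp directories, as here) and the child's token use.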
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/324-62-0x0000000000000000-mapping.dmp
- memory/1056-63-0x0000000000000000-mapping.dmp
- memory/1980-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp (filesize 8KB)
- memory/1980-60-0x0000000000250000-0x000000000027F000-memory.dmp (filesize 188KB)
- memory/1980-61-0x0000000000400000-0x0000000000468000-memory.dmp (filesize 416KB)