Analysis
max time kernel: 12s
max time network: 116s
platform: windows10_x64
resource: win10v20210410
submitted: 10-06-2021 23:22
Static task: static1
Behavioral task: behavioral1
  Sample: 6803ee8f500080b6a72a7e391bc4778e.exe
  Resource: win7v20210408
  0 signatures
  0 seconds
Behavioral task: behavioral2
  Sample: 6803ee8f500080b6a72a7e391bc4778e.exe
  Resource: win10v20210410
  0 signatures
  0 seconds
General
Target: 6803ee8f500080b6a72a7e391bc4778e.exe
Size: 384KB
MD5: 6803ee8f500080b6a72a7e391bc4778e
SHA1: 82119534bf1f452e9c98352577075073c671da59
SHA256: 377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e
SHA512: 9aee22f0c85862b03d9beebab042f84b2c5b7091181757b06404a3bf2dd4d67be72aff6a283d62897833e90f06a9b02dd396f54d64439b9b8110d643b4a44442
Score: 3/10
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill (1 IoCs)
  Processes:
    pid   process
    3720  taskkill.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3720  taskkill.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process                               target process
    PID 3172 wrote to memory of 2292  3172  6803ee8f500080b6a72a7e391bc4778e.exe  cmd.exe
    PID 3172 wrote to memory of 2292  3172  6803ee8f500080b6a72a7e391bc4778e.exe  cmd.exe
    PID 3172 wrote to memory of 2292  3172  6803ee8f500080b6a72a7e391bc4778e.exe  cmd.exe
    PID 2292 wrote to memory of 3720  2292  cmd.exe                               taskkill.exe
    PID 2292 wrote to memory of 3720  2292  cmd.exe                               taskkill.exe
    PID 2292 wrote to memory of 3720  2292  cmd.exe                               taskkill.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\6803ee8f500080b6a72a7e391bc4778e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6803ee8f500080b6a72a7e391bc4778e.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "6803ee8f500080b6a72a7e391bc4778e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\6803ee8f500080b6a72a7e391bc4778e.exe" & exit
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "6803ee8f500080b6a72a7e391bc4778e.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken