Overview

overview

3

Static

static

발주분(...11.exe

windows7_x64

3

발주분(...11.exe

windows10_x64

3

Analysis

  • max time kernel
    107s
  • max time network
    58s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    11-06-2021 03:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    발주분(신규)_101115_[새너]_210611.exe

  • Size

    866KB

  • MD5

    3a99e7eef8446fa24717026efa1ef161

  • SHA1

    a09abbcb98ec6a85ce39e4cb8124cfbbe51b1810

  • SHA256

    f97691877cb494702c1876a40dbcc840b6ab6df9bd062eb1cafa8d23fd674d08

  • SHA512

    a6cf3ecd316b150361f788bc00a9a0096fdcfecddf3043a1d22389ead7b7736ea3448503f33411e674b6634505f6c4438c1c899c66819f4b021511b8519a6230

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\발주분(신규)_101115_[새너]_210611.exe
    "C:\Users\Admin\AppData\Local\Temp\발주분(신규)_101115_[새너]_210611.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xApAzcFTr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6068.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:740
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1020
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp6068.tmp
    MD5

    8d27119dfce1550869343f9876c74d09

    SHA1

    c0d9f6a1fe0f81d6565a9019c8e0a21a2ef04e19

    SHA256

    5d671ab954e74efa6a994809abb37a762b685559db9c89564330df8520c411c5

    SHA512

    fbf4cdffc8d060924cee4175859a368bf788ef9e42185e28f36040020d4b5dae9643479eb953cab90cfe235cb07683eac2ca2e38a6f1e3c7193ab56406c6f2a7

    Download Submit
  • memory/740-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1392-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1392-68-0x00000000003F0000-0x00000000003F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-59-0x0000000000DC0000-0x0000000000DC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-61-0x00000000003A0000-0x00000000003BE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1728-62-0x0000000004FC0000-0x0000000004FC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-63-0x0000000005100000-0x000000000517A000-memory.dmp
    Filesize

    488KB

    Download
  • memory/1728-64-0x0000000000B70000-0x0000000000BA6000-memory.dmp
    Filesize

    216KB

    Download