Analysis
- max time kernel: 12s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 16-06-2021 18:12
Static task: static1
Behavioral task: behavioral1
- Sample: unpacked.exe
- Resource: win7v20210408 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: unpacked.exe
- Resource: win10v20210410 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: unpacked.exe
- Size: 981KB
- MD5: 3be5f51314d027e399eaa49cf271ece4
- SHA1: 5567d87efd6b29a793b54237737f370aa2e7707d
- SHA256: 9404ccfb00081ecfd0633d152b3597b9a6fda274e728864f322dfbcf11cc9156
- SHA512: 0f4689975b4d07b802bc5f62000ea94e78e8b662788ef860d1cae7c918b9b24707899b12d888840bbc8872350f943a4f594fe1a863a409f525dc465682f0e613
- Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  3188  unpacked.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                        pid   Process
  Token: SeShutdownPrivilege         3188  unpacked.exe
  Token: SeCreatePagefilePrivilege   3188  unpacked.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process       procid_target
  PID 3188 wrote to memory of 2748   3188  unpacked.exe  78
  PID 3188 wrote to memory of 2748   3188  unpacked.exe  78
  PID 3188 wrote to memory of 2748   3188  unpacked.exe  78
Processes
- C:\Users\Admin\AppData\Local\Temp\unpacked.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\unpacked.exe"
  PID: 3188
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n5FoUwA6xhfQtMJS.bat" "
    PID: 2748