Overview

overview

3

Static

static

발주분(...18.exe

windows7_x64

3

발주분(...18.exe

windows10_x64

3

Analysis

  • max time kernel
    106s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    21-06-2021 00:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    발주분(신규)_10115_[새너]_210618.exe

  • Size

    896KB

  • MD5

    e09894bf14893c505a994a382c4d6a62

  • SHA1

    b4965362953a87cc854e08f1e5a19d9ecc10871e

  • SHA256

    e8744060c5568394940066bc2a220430ab1d62fbaca0239d7a51352f666220ff

  • SHA512

    0c86272483d6e9f67a7ba8de5b86ca44064b2a5cbe5783ef3dc28b2bca1a3084a79efa8e50e068b1d80efb17509edd752f44fd3a1417904701ff2f59dc1d4e81

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\발주분(신규)_10115_[새너]_210618.exe
    "C:\Users\Admin\AppData\Local\Temp\발주분(신규)_10115_[새너]_210618.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnwsifLF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF907.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3308
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1616
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF907.tmp
    MD5

    7f6390aa78ab2b4fb54b4763082bfd7b

    SHA1

    edaebb93635cc4bc7af39ea4b9518585ebf8fbd4

    SHA256

    2f1db67964f3b6d24e1ca207b9b01cb19a3c6932e36e0547cc7cb2009aa7c041

    SHA512

    098c39446f8d83768a51c74fcd4bd68363154e77e4e1549d9ba6413dc5bbcca316cf183bdac01c8f25d4af07e65eb60172f7ac4e1427130b0b6c3ced08a264c0

    Download Submit
  • memory/2256-114-0x0000000000B10000-0x0000000000B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2256-116-0x00000000078B0000-0x00000000078B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2256-117-0x0000000007E50000-0x0000000007E51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2256-118-0x00000000079F0000-0x00000000079F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2256-119-0x0000000007980000-0x0000000007981000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2256-120-0x0000000007C10000-0x0000000007C11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2256-121-0x00000000079A0000-0x00000000079B6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/2256-122-0x0000000007950000-0x0000000007E4E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2256-123-0x00000000085C0000-0x000000000862F000-memory.dmp
    Filesize

    444KB

    Download
  • memory/2256-124-0x0000000002E20000-0x0000000002E58000-memory.dmp
    Filesize

    224KB

    Download
  • memory/3308-125-0x0000000000000000-mapping.dmp
    Download