Analysis
max time kernel: 43s
max time network: 15s
platform: windows7_x64
resource: win7v20210408
submitted: 14-09-2021 16:10

Static task: static1

Behavioral task: behavioral1
Sample: SplashtopSOS.exe
Resource: win7v20210408 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: SplashtopSOS.exe
Resource: win10-en (windows10_x64)
0 signatures, 0 seconds
General
Target: SplashtopSOS.exe
Size: 7.9MB
MD5: 89d8445240fd9d438583429458d76756
SHA1: c7f83b6f86002b6d92c20019dcf11d8fc7690259
SHA256: e7677cc256fd579f656584413a3c227d7063b5791b333ffef200610a3adee6a3
SHA512: ad5859344694a5d51eecbdc2b2e8fc52596cf738a7d677a53caf7b76d3db6c20d72e7647c44fa952cb98b7c527df332110be79167db9ea87b5a79f818c8b05d6
Score: 4/10
Malware Config
Signatures
Drops file in Windows directory (2 IoCs)
description                   ioc                               Process
File opened for modification  C:\Windows\Logs\DPX\setuperr.log  expand.exe
File opened for modification  C:\Windows\Logs\DPX\setupact.log  expand.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
648  schtasks.exe
Suspicious behavior: EnumeratesProcesses (39 IoCs)
pid   Process
1096  SplashtopSOS.exe  (39 identical entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
1096  SplashtopSOS.exe  (2 identical entries)
Suspicious use of WriteProcessMemory (35 IoCs)
description                       pid   Process           procid_target  entries
PID 1096 wrote to memory of 2044  1096  SplashtopSOS.exe  26             4
PID 2044 wrote to memory of 1976  2044  cmd.exe           28             3
PID 1096 wrote to memory of 1476  1096  SplashtopSOS.exe  32             4
PID 1476 wrote to memory of 648   1476  cmd.exe           34             3
PID 1096 wrote to memory of 1104  1096  SplashtopSOS.exe  35             4
PID 1104 wrote to memory of 1592  1104  cmd.exe           37             3
PID 1096 wrote to memory of 756   1096  SplashtopSOS.exe  38             4
PID 756 wrote to memory of 668    756   cmd.exe           40             3
PID 1096 wrote to memory of 952   1096  SplashtopSOS.exe  42             4
PID 952 wrote to memory of 1348   952   cmd.exe           44             3
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\SplashtopSOS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SplashtopSOS.exe"
  PID: 1096
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c expand *.cab /f:* .\
      PID: 2044
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\expand.exe
          Command line: expand *.cab /f:* .\
          PID: 1976
          - Drops file in Windows directory

    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
      PID: 1476
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
          PID: 648
          - Creates scheduled task(s)

    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
      PID: 1104
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          Command line: schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
          PID: 1592

    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
      PID: 756
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          Command line: schtasks /run /tn ASOS1
          PID: 668

    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
      PID: 952
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          Command line: schtasks /delete /f /tn ASOS1
          PID: 1348

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {E0BF4FFA-5CCF-4C2C-8680-9060AC7B40A1} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 400