Analysis

  • max time kernel
    146s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    04-10-2021 15:59

General

  • Target

    5028df0da2732dc8528ca9b7d7e41be5.exe

  • Size

    20KB

  • MD5

    5028df0da2732dc8528ca9b7d7e41be5

  • SHA1

    462a178ab8063511109a91e11d44443485edd49d

  • SHA256

    9bd273556358606717f3d0e7d4a2521dba396d6838d8dfccb78bfc5c98590b84

  • SHA512

    dc31474f8a6ac3a1ca811a769a6c8c13b7beec22071565a37cbd8db85831e5d0fc3f270dc1328705849c23fac6eb7c1b55bc255db69ec3d7380771914fc8c3ae

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5028df0da2732dc8528ca9b7d7e41be5.exe
    "C:\Users\Admin\AppData\Local\Temp\5028df0da2732dc8528ca9b7d7e41be5.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1604
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1376
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1820
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1364

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    MD5

    e0cf37e8966001763342215d979501be

    SHA1

    9322ff60a36d809a8b0ff93fd1b3b6b15123d30c

    SHA256

    43e19459b78e09eab8f3a4d5f94a7afcaeadf1d8bdda726b4d36cc14b4db8bf4

    SHA512

    8980faff2d6eafb88a91929a775c59bd8e51a438c4aaf669118772ef49cbfd20068b314454b994597c791e61d5e8c36dc75e5c1c21788ac99f8e6524b60a1856

  • memory/1324-56-0x0000000075661000-0x0000000075663000-memory.dmp

    Filesize

    8KB

  • memory/1324-68-0x00000000047F0000-0x00000000047F1000-memory.dmp

    Filesize

    4KB

  • memory/1324-54-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

  • memory/1364-70-0x00000000004A0000-0x00000000004A1000-memory.dmp

    Filesize

    4KB

  • memory/1364-69-0x0000000000000000-mapping.dmp

  • memory/1376-66-0x0000000002480000-0x00000000030CA000-memory.dmp

    Filesize

    12.3MB

  • memory/1376-62-0x0000000000000000-mapping.dmp

  • memory/1376-65-0x0000000002480000-0x00000000030CA000-memory.dmp

    Filesize

    12.3MB

  • memory/1376-67-0x0000000002480000-0x00000000030CA000-memory.dmp

    Filesize

    12.3MB

  • memory/1604-61-0x0000000002412000-0x0000000002414000-memory.dmp

    Filesize

    8KB

  • memory/1604-60-0x0000000002411000-0x0000000002412000-memory.dmp

    Filesize

    4KB

  • memory/1604-59-0x0000000002410000-0x0000000002411000-memory.dmp

    Filesize

    4KB

  • memory/1604-57-0x0000000000000000-mapping.dmp