Analysis
-
max time kernel
123s -
max time network
162s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
20-10-2021 15:32
General
-
Target
San11 Tc/开始游戏.exe
-
Size
4.6MB
-
MD5
3d4b53eb549585ee077617f61072c6e7
-
SHA1
f2b4efe06ed35af3daf7b0bb1db302411f93682f
-
SHA256
b4538fc19c0fd8db74795d4983d17044aa722f30030a0501a247b2b195ba6363
-
SHA512
6d04931ec1c97401ec2c6d090594808ef64ff9e55c217235389783ddd0b72bc923c09a4469217699816320340d9242da70f9e5409a5887b7514628e8d4bf3931
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\San11 Tc\开始游戏.exe"C:\Users\Admin\AppData\Local\Temp\San11 Tc\开始游戏.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 30122⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 30362⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2344-115-0x0000000010001000-0x00000000101B3000-memory.dmpFilesize
1.7MB
-
memory/2344-116-0x00000000101B3000-0x000000001020E000-memory.dmpFilesize
364KB
-
memory/2344-117-0x0000000000BD0000-0x0000000000BF3000-memory.dmpFilesize
140KB