Overview

overview

10

Static

static

SKU1008800...st.exe

windows7_x64

3

SKU1008800...st.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    21-10-2021 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SKU10088002 loading photos and container comm inv and packing list.exe

  • Size

    566KB

  • MD5

    0e8b01d10cce62d28f58897bad493b57

  • SHA1

    63cddbb8231c3f1d61fb528cb74902d047038018

  • SHA256

    b1fe3e4522b701047d35e034db5ed2e9b8b10619b15f3d1a0b44b8da1a499352

  • SHA512

    86506f1bb54d5f7362bfbe548737af89cf4c0afe939152619d6bd08460b086ebca47cb35b18a273e82bb27f6c7400665883635612d2245bc18509b131a9dc4ef

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SKU10088002 loading photos and container comm inv and packing list.exe
    "C:\Users\Admin\AppData\Local\Temp\SKU10088002 loading photos and container comm inv and packing list.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PJmhGQzpevP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp63E1.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:916
    • C:\Users\Admin\AppData\Local\Temp\SKU10088002 loading photos and container comm inv and packing list.exe
      "{path}"
      2⤵
        PID:456
      • C:\Users\Admin\AppData\Local\Temp\SKU10088002 loading photos and container comm inv and packing list.exe
        "{path}"
        2⤵
          PID:1900
        • C:\Users\Admin\AppData\Local\Temp\SKU10088002 loading photos and container comm inv and packing list.exe
          "{path}"
          2⤵
            PID:396
          • C:\Users\Admin\AppData\Local\Temp\SKU10088002 loading photos and container comm inv and packing list.exe
            "{path}"
            2⤵
              PID:812
            • C:\Users\Admin\AppData\Local\Temp\SKU10088002 loading photos and container comm inv and packing list.exe
              "{path}"
              2⤵
                PID:952

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp63E1.tmp
              MD5

              7ff10d145e60529fd266cf09f3131d86

              SHA1

              495de10c785e8c72f7b2e3d4760de2080c97d06e

              SHA256

              b7d41c35440c4bb105a2f687e0d4b1124b6ddf9c5c9ea2a79a01e341714a3af2

              SHA512

              f8e056494722ff495a8eaf2ae19097e5f435a7e9b31d3a2ee367f95b550ed9b30321f72670ad238eafd8d82781b013ad87dbe6f232ada2d04321318a7f7f720f

              Download Submit
            • memory/820-54-0x00000000003D0000-0x00000000003D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/820-56-0x0000000075821000-0x0000000075823000-memory.dmp
              Filesize

              8KB

              Download
            • memory/820-57-0x0000000004D70000-0x0000000004D71000-memory.dmp
              Filesize

              4KB

              Download
            • memory/820-58-0x00000000003A0000-0x00000000003AE000-memory.dmp
              Filesize

              56KB

              Download
            • memory/820-59-0x0000000005390000-0x000000000540F000-memory.dmp
              Filesize

              508KB

              Download
            • memory/820-60-0x0000000001E60000-0x0000000001E98000-memory.dmp
              Filesize

              224KB

              Download
            • memory/916-61-0x0000000000000000-mapping.dmp
              Download