Analysis
- max time kernel: 44s
- max time network: 36s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 22-10-2021 06:47
Static task: static1

Behavioral task: behavioral1
- Sample: RansomWare.exe
- Resource: win7-en-20211014 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: RansomWare.exe
- Resource: win10-en-20210920 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: RansomWare.exe
- Size: 158KB
- MD5: d3c355a11849cbd0d4f3937a79c81c96
- SHA1: bdc7567d33da81654395d8fefc7500d124d87a31
- SHA256: 8b0d359eb8167b044bf25b943820a3b71e94bc3f0c26d9ba295dee1df014a7c0
- SHA512: a9091d36341135e74ba7918bc1f1f3960d8d1e049361ccea700662311bdbaa6e8c23a224ca0d640c596d5f8b269839e50104de5e5f96fcfe57ef8523d8a0ce7d

Score: 8/10
Malware Config
Signatures
- Disables Task Manager via registry modification

- Drops desktop.ini file(s) (4 IoCs)
  Processes: RansomWare.exe
  description    ioc                                      process
  File created   C:\Users\Admin\Desktop\desktop.ini       RansomWare.exe
  File created   C:\Users\Admin\Pictures\desktop.ini      RansomWare.exe
  File created   C:\Users\Admin\Videos\desktop.ini        RansomWare.exe
  File created   C:\Users\Admin\Documents\desktop.ini     RansomWare.exe

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: RansomWare.exe
  pid    process
  956    RansomWare.exe   (18 identical entries)

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: RansomWare.exe, AUDIODG.EXE
  description                          pid     process
  Token: SeDebugPrivilege              956     RansomWare.exe
  Token: 33                            1748    AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege    1748    AUDIODG.EXE
  Token: 33                            1748    AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege    1748    AUDIODG.EXE

- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: RansomWare.exe
  pid    process
  956    RansomWare.exe   (64 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\RansomWare.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RansomWare.exe"
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f0
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/956-55-0x00000000013D0000-0x00000000013D1000-memory.dmp (Filesize: 4KB)
- memory/956-57-0x00000000764D1000-0x00000000764D3000-memory.dmp (Filesize: 8KB)
- memory/956-58-0x00000000009C0000-0x00000000009C1000-memory.dmp (Filesize: 4KB)
- memory/956-59-0x00000000009C5000-0x00000000009D6000-memory.dmp (Filesize: 68KB)
- memory/1760-60-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp (Filesize: 8KB)