Analysis

max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-en-20211014
submitted: 17-11-2021 18:28
Static task: static1

Behavioral task: behavioral1
  Sample: 94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe
  Resource: win7-en-20211014

Behavioral task: behavioral2
  Sample: 94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe
  Resource: win10-en-20211104
General

Target: 94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe
Size: 256KB
MD5: 447af103027bb7cfa1c09538b38a6007
SHA1: f369d25335c9c899f94ee0e2c2e3ac4b09f27812
SHA256: 94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb
SHA512: 64fb4db381c01e511c7e32871c386bfa70dddaab9e2cd24d4b9cd98913546e92f28dc1e54f6073638bc159f460cdd82978756c4cf1b4b24d0192b62cac2eed24
Malware Config
Signatures
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 1928

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this signature is a generic heuristic fired by drive enumeration. Nothing else in this report corroborates encryption: the only file operation recorded is the delayed self-deletion through cmd.exe, and no network activity is listed, so treat it as a weak indicator rather than a ransomware verdict.

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe, cmd.exe

  Source PID | Source process                                                        | Target PID | Target process | Count
  1092       | 94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe  | 1928       | cmd.exe        | 4 writes
  1928       | cmd.exe                                                               | 436        | choice.exe     | 4 writes

  All eight writes are parent-to-child within this process tree at spawn time; no write into a process outside the tree is reported, so this is consistent with ordinary child-process creation rather than injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe (PID 1092)
   Command line: "C:\Users\Admin\AppData\Local\Temp\94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe"
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (PID 1928, child of 1092)
      Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del C:\Users\Admin\AppData\Local\Temp\94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe
      Signatures: Deletes itself; Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\choice.exe (PID 436, child of 1928)
         Command line: choice /C Y /N /D Y /T 3

Notes on the chain: choice /C Y /N /D Y /T 3 offers a single option (Y), suppresses the prompt (/N) and auto-selects the default Y (/D Y) after 3 seconds (/T 3), so it is being used purely as a sleep. The & Del that follows then removes the original executable once the parent has had time to exit; a running image cannot be deleted while it is still mapped, which is why the delay is needed. The command line names System32\cmd.exe while the recorded image path is SysWOW64\cmd.exe: the sample is a 32-bit process, so WOW64 file system redirection maps System32 to SysWOW64 for the children it spawns.
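The delayed self-deletion chain above (cmd.exe /C choice ... & Del <own path>) is the kind of pattern a detection engineer wants to catch from process-creation telemetry. The following is an added example and not part of the sandbox report: Python that scans a constructed set of process-creation events (PIDs, images and the cmd/choice/del command line are taken from the tree above; the field names, the parent PID 700 and the benign PowerShell events are constructed) and flags a cmd.exe child whose command line pairs a delay primitive with a del of its parent's own image path. The timeout and ping variants in DELAY_RE generalize beyond the choice form this sample uses.

```python
"""Flag cmd.exe children that delay and then delete their own parent's image.

Added example. Event records are constructed for this demo (field names mirror
a Sysmon Event ID 1 style process-creation record) and are not the sandbox's
raw log. PIDs, images and the cmd/choice/del command line come from the
process tree in the report above; everything else is made up.
"""
import re

# Delay primitives commonly glued in front of "del" so the parent can exit
# first. "choice /T N" is what this sample uses; "timeout" and "ping -n" are
# equivalent idioms added here as a generalization.
DELAY_RE = re.compile(
    r"\b(?:choice\s+[^&|]*?/T\s+\d+"
    r"|timeout\s+(?:/T\s+)?\d+"
    r"|ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost))",
    re.IGNORECASE,
)
# "del" or "erase", optional switches, then the target path up to the next
# command separator or end of line.
DEL_RE = re.compile(
    r'\b(?:del|erase)\s+(?:/[a-z]\s+)*"?([^"&|]+?)"?\s*(?:&|\||$)',
    re.IGNORECASE,
)
# Only cmd.exe invoked with /C or /K carries an inline command string.
CMD_C_RE = re.compile(r'\bcmd(?:\.exe)?"?\s+/[ck]\b', re.IGNORECASE)

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb.exe")

# Constructed events. PIDs 1092/1928/436 follow the report; 700, 1500, 2000
# and 2100 are invented for the example.
SAMPLE_EVENTS = [
    {"pid": 1092, "ppid": 700, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 1928, "ppid": 1092, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del {SAMPLE_PATH}'},
    {"pid": 436, "ppid": 1928, "image": r"C:\Windows\SysWOW64\choice.exe",
     "cmdline": "choice /C Y /N /D Y /T 3"},
    # Benign: a script host deleting temp files, one of them after a delay,
    # but never its own parent's executable.
    {"pid": 1500, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File build.ps1"},
    {"pid": 2000, "ppid": 1500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C del C:\Users\Admin\AppData\Local\Temp\report.tmp'},
    {"pid": 2100, "ppid": 1500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c timeout 5 & del C:\Users\Admin\AppData\Local\Temp\build.log'},
]


def _norm(path: str) -> str:
    """Case-insensitive, unquoted comparison form for a Windows path."""
    return path.strip().strip('"').lower()


def find_self_delete(events):
    """Return one hit per cmd.exe event that delays, then deletes its parent's image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        cmd = e["cmdline"]
        if not CMD_C_RE.search(cmd):
            continue
        delay = DELAY_RE.search(cmd)
        target = DEL_RE.search(cmd)
        if not (delay and target):
            continue
        parent = by_pid.get(e["ppid"])
        # The decisive check: the deleted path is the parent's own executable.
        if parent and _norm(parent["image"]) == _norm(target.group(1)):
            hits.append({"pid": e["pid"], "parent_pid": parent["pid"],
                         "deleted": parent["image"], "delay": delay.group(0).strip()})
    return hits


if __name__ == "__main__":
    for hit in find_self_delete(SAMPLE_EVENTS):
        print(f"PID {hit['pid']} (parent {hit['parent_pid']}) delays with "
              f"'{hit['delay']}' then deletes {hit['deleted']}")
```

On the constructed events only PID 1928 fires: PID 2000 has no delay primitive and PID 2100 deletes a log file rather than its parent's image. Comparing the del target against the parent image (ParentImage in Sysmon terms) is what keeps ordinary cleanup scripts out of the alert.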
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps:
- memory/436-62-0x0000000000000000-mapping.dmp
- memory/1092-55-0x0000000000950000-0x0000000000951000-memory.dmp (4KB)
- memory/1092-57-0x0000000000470000-0x0000000000471000-memory.dmp (4KB)
- memory/1092-58-0x00000000004F0000-0x000000000053C000-memory.dmp (304KB)
- memory/1092-59-0x00000000049D0000-0x00000000049D1000-memory.dmp (4KB)
- memory/1092-60-0x0000000000490000-0x0000000000491000-memory.dmp (4KB)
- memory/1928-61-0x0000000000000000-mapping.dmp