Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-en-20211014
submitted: 24-11-2021 14:07
Static task: static1
Behavioral task: behavioral1
  Sample: GST-48B3.cmd.exe
  Resource: win7-en-20211014
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: GST-48B3.cmd.exe
  Resource: win10-en-20211104
  0 signatures, 0 seconds
General
Target: GST-48B3.cmd.exe
Size: 1.4MB
MD5: 032f4480781e0ed708241d92d8b6c718
SHA1: 1b1e6009b1d1f76ce17197bbda33fedd6e0e1175
SHA256: 064fe665dce5b2cf6d824290c2fdebea593f26b0c4b05efbdd3e300ab926900f
SHA512: 6ad6d3f4e8c84f50f1931917da9027a3bbb7302caa923483888bf3c6cc073f82b649666b16d28a3ac3e154fdaea9d3d2a42a3b875ea4831f15ca14e0b74c071f
Score: 3/10
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid   Process
  1420  DllHost.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid  Process
  660  GST-48B3.cmd.exe
  660  GST-48B3.cmd.exe
  660  GST-48B3.cmd.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                     pid  Process           procid_target
  PID 660 wrote to memory of 760  660  GST-48B3.cmd.exe  28
  PID 660 wrote to memory of 760  660  GST-48B3.cmd.exe  28
  PID 660 wrote to memory of 760  660  GST-48B3.cmd.exe  28
  PID 660 wrote to memory of 760  660  GST-48B3.cmd.exe  28
Processes

C:\Users\Admin\AppData\Local\Temp\GST-48B3.cmd.exe (PID 660, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\GST-48B3.cmd.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 760, level 2)
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Receipt.bmp

C:\Windows\SysWOW64\DllHost.exe (PID 1420, level 1)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow