Analysis
- max time kernel: 117s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 10-12-2021 07:54
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: setup.exe, resource: win7-en-20211208)
- Behavioral task: behavioral2 (sample: setup.exe, resource: win10-en-20211208)
General
- Target: setup.exe
- Size: 87.0MB
- MD5: 15d1ff4e15e0bbf16b23399c496c4759
- SHA1: 841dab2c6d373b4384ee053ea6788dba65160ba7
- SHA256: 8b45a1d20ee96da3d81d3a5bad7c71f99a20fa9a7aae47068abff6c50f912902
- SHA512: 6b46b34b1f0635b22ff7770d0428eaf33aadb4187a839d7ad5971992f228b4224f7d8665b3576de448d9c63e5983bf2d4edf6b380686a3c5ef30a9ba5425d37c
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 3820  SsaWrapper.exe
    PID 4028  Setup.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, source PID, source process, target process):
    PID 3404 wrote to memory of 3820  3404 setup.exe      -> SsaWrapper.exe
    PID 3404 wrote to memory of 3820  3404 setup.exe      -> SsaWrapper.exe
    PID 3404 wrote to memory of 3820  3404 setup.exe      -> SsaWrapper.exe
    PID 3820 wrote to memory of 4028  3820 SsaWrapper.exe -> Setup.exe
    PID 3820 wrote to memory of 4028  3820 SsaWrapper.exe -> Setup.exe
    PID 3820 wrote to memory of 4028  3820 SsaWrapper.exe -> Setup.exe
    PID 4028 wrote to memory of 4212  4028 Setup.exe      -> pcaui.exe
    PID 4028 wrote to memory of 4212  4028 Setup.exe      -> pcaui.exe
Processes (process tree; depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Symantec\SsaWrapper.exe
    Command line: "SsaWrapper.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Symantec\Setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Symantec\Setup.exe" /s /w
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\pcaui.exe
        Command line: "C:\Windows\system32\pcaui.exe" /g {11111111-1111-1111-1111-111111111111} /x {ab91612d-df36-4cbe-9df7-83dcac049825} /a "Symantec Endpoint Protection" /v "Symantec" /s "Symantec Endpoint Protection is incompatible with this version of Windows. For more information, contact Symantec." /b 2 /f 0 /k 0 /e "C:\Users\Admin\AppData\Local\Temp\Symantec\Setup.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Symantec\Setup.exe
  MD5: 964f1ea9384d72735b92e20379390543
  SHA1: 4ae1b8d48301a28da6a1766208d5043c5afcbe9d
  SHA256: 3385a845c8c344bb82b5154a5abf53db23e6a3187d5137520ea70bda26ce22ab
  SHA512: 3d0930ba241b67e49358f0787f815baff45d2931cca488925b646eda4a9205cad538f422b45436a3d7fcefc3e3cb5dccc8eb1ee606186503e011b7747f7f1584
- C:\Users\Admin\AppData\Local\Temp\Symantec\SsaWrapper.exe
  MD5: b1e88978f05e35b55e44b5f8f1fa34f9
  SHA1: 9bc53365599c6897cbc2d11b483b4e8efc24c6dc
  SHA256: 38262bac11289042fcbc443d625c2e0f637374e58bc2cfa8234e1966a057409d
  SHA512: 4c91657ff3f7ff03340faf15f4f91150ffe8f88d0424e6d2dfa9a60c1aca4f9c14449525a42ca6fe00d21196f0ebe379c83506594d902137ca7262d3bc1ddf73
- memory/3820-118-0x0000000000000000-mapping.dmp
- memory/4028-121-0x0000000000000000-mapping.dmp
- memory/4212-123-0x0000000000000000-mapping.dmp