Analysis

Platform: windows10_x64
Resource: win10-en-20211208
Max time kernel: 110s
Max time network: 123s
Submitted: 14-12-2021 18:37

Tasks:
  Static task static1
  Behavioral task behavioral1: sample SUPLY.cmd.exe, resource win7-en-20211208, 0 signatures, 0 seconds
  Behavioral task behavioral2: sample SUPLY.cmd.exe, resource win10-en-20211208, 0 signatures, 0 seconds

The results below are from the windows10_x64 run (behavioral2).
General

Target: SUPLY.cmd.exe
Size: 1.5MB
MD5: a6395684ced7f9127f03f17bd263f6fd
SHA1: bcd96892630129da75b2faefc7dbf6fcad90c552
SHA256: 002f0bfd7f0c174e11f976f38861391e8f9eff093e8c3e36e01d811451c63ebd
SHA512: 6e2fb4e4fb122713da25523a861cb8ede4ccceaa8844462d17177c7fb7b9e7d1161cc0324b73b3667ddf4156a2305e670425ad58914568377185aaad1b8dd924
Score: 4/10
Malware Config
No configuration was extracted for this sample.

Signatures

Drops file in Windows directory (1 IoC)
  mspaint.exe (PID 580): file opened for modification C:\Windows\Debug\WIA\wiatrace.log
  wiatrace.log is the Windows Image Acquisition (WIA) trace file, written when mspaint.exe loads its scanner/camera support; treat it as a side effect of the image viewer rather than an artefact of the sample.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the TTP; no IoC row is attached to it, and nothing else on this page shows file encryption or a ransom note.

Modifies registry class (1 IoC)
  cmd.exe (PID 368): key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  mspaint.exe (PID 580), 2 events

Suspicious use of SetWindowsHookEx (7 IoCs)
  SUPLY.cmd.exe (PID 2116), 3 events
  mspaint.exe (PID 580), 4 events

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2116 (SUPLY.cmd.exe) wrote to memory of PID 368 (cmd.exe), 3 events, procid_target 70
  PID 368 (cmd.exe) wrote to memory of PID 580 (mspaint.exe), 3 events, procid_target 72
  In both pairs the writer is the direct parent of the target (see the process tree below), and three writes into a freshly created child matches what ordinary process creation produces in this sandbox; no write into a pre-existing, unrelated process is recorded.
Processes

1 C:\Users\Admin\AppData\Local\Temp\SUPLY.cmd.exe (PID 2116)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SUPLY.cmd.exe"
    Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  2 C:\Windows\SysWOW64\cmd.exe (PID 368)
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Receipt.bmp
      Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\mspaint.exe (PID 580)
        Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Receipt.bmp"
        Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx

1 \??\c:\windows\system32\svchost.exe (PID 2864)
    Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
    Signatures: none

Notes on the tree:
  The sample carries a double extension (SUPLY.cmd.exe) and the only process activity recorded for it is cmd.exe /c on Receipt.bmp. cmd.exe /c with a non-executable file hands the file to the shell's registered handler, which is why mspaint.exe opens the image as the grandchild; this is consistent with a decoy-document lure, although this page shows nothing further the sample does.
  cmd.exe and mspaint.exe run from SysWOW64 although the command line names system32: the sample is a 32-bit process, and WoW64 file-system redirection maps the path.
  The svchost.exe instance hosting DeviceAssociationService is a separate root with no parent in the sample's tree and carries no signatures; it is not a child of the sample.
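The WriteProcessMemory rows above are only meaningful once they are read against the process tree: a parent writing into the child it has just created is routine, while a write into an unrelated, pre-existing process is the injection case worth escalating. The script below is an added example, not part of this report or of the sandbox's own tooling. It embeds the PIDs, parent links and "wrote to memory of" rows exactly as they appear on this page, parses the flattened rows with a regular expression written to fit this page's text (an assumption about the format), and labels each writer/target pair as "spawn" or "cross". The constructed injection-style event used to exercise the "cross" branch is not from the report.

```python
"""Classify sandbox "wrote to memory of" events against the process tree.

Added example, not part of the original report or of the sandbox's tooling.
The process list and the WriteProcessMemory rows are copied from this page;
the row format the regex expects is an assumption made to fit that text.
"""
import re
from collections import Counter

# Process tree as shown in the report: (pid, image, parent_pid).
# parent_pid None marks a root of the tree.
REPORT_PROCESSES = [
    (2116, "SUPLY.cmd.exe", None),
    (368, "cmd.exe", 2116),
    (580, "mspaint.exe", 368),
    (2864, "svchost.exe", None),
]

# WriteProcessMemory rows as flattened in the report's signature table.
REPORT_WPM_ROWS = """\
PID 2116 wrote to memory of 368 2116 SUPLY.cmd.exe 70
PID 2116 wrote to memory of 368 2116 SUPLY.cmd.exe 70
PID 2116 wrote to memory of 368 2116 SUPLY.cmd.exe 70
PID 368 wrote to memory of 580 368 cmd.exe 72
PID 368 wrote to memory of 580 368 cmd.exe 72
PID 368 wrote to memory of 580 368 cmd.exe 72
"""

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_wpm_rows(text):
    """Return (writer_pid, target_pid, writer_image) for each row that parses."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return events


def classify_writes(events, processes):
    """Map each (writer, target) pair to (label, event_count).

    'spawn': writer is the target's parent, i.e. the writes went into a
             child it created (the only pattern present in this report).
    'cross': writer is not the target's parent; a write into an unrelated
             process, which is the case to examine for injection.
    """
    parent_of = {pid: ppid for pid, _, ppid in processes}
    counts = Counter((writer, target) for writer, target, _ in events)
    verdicts = {}
    for (writer, target), n in counts.items():
        label = "spawn" if parent_of.get(target) == writer else "cross"
        verdicts[(writer, target)] = (label, n)
    return verdicts


def suspicious_pairs(events, processes):
    """Sorted list of (writer, target) pairs that are not parent-to-child writes."""
    verdicts = classify_writes(events, processes)
    return sorted(pair for pair, (label, _) in verdicts.items() if label == "cross")


if __name__ == "__main__":
    events = parse_wpm_rows(REPORT_WPM_ROWS)
    for (writer, target), (label, n) in classify_writes(events, REPORT_PROCESSES).items():
        print(f"{writer} -> {target}: {label} ({n} writes)")
    print("pairs to escalate:", suspicious_pairs(events, REPORT_PROCESSES))
```

Run against the report's own rows, both pairs come out as "spawn" and the escalation list is empty, which is the reading the 4/10 score implies; the same functions applied to a real EDR export would surface any writer whose target is not its own child.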