Analysis

max time kernel:  121s
max time network: 121s
platform:         windows7_x64
resource:         win7-en-20211208
submitted:        28-01-2022 13:19
Static task: static1

Behavioral task: behavioral1
Sample:   sample13.exe
Resource: win7-en-20211208 (windows7_x64)
0 signatures
0 seconds

Behavioral task: behavioral2
Sample:   sample13.exe
Resource: win10-en-20211208 (windows10_x64)
0 signatures
0 seconds
General

Target: sample13.exe
Size:   37KB
MD5:    2c7d4e78f74cc716f23492ad19daf763
SHA1:   6ef7bfe52f66fb204b401aa7d280df124f3fa0e2
SHA256: f06b116d8af2db4ae345ed7c9596865c3476d401ff7d52b0a45478847f053ff1
SHA512: 2e503be1721f52bffd2d426ed1fa24a7f8f412a78c15db4ec7fbff1df97622c3e1a540a1e1f45d4630faa8a7d5a565ba2cb9c4e713d3bc7a3e11cb50c9a613e8
Score:  10/10
Malware Config

Signatures

resource                                                                    yara_rule
behavioral1/memory/980-54-0x0000000000350000-0x0000000000360000-memory.dmp  family_spyex
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (4 IoCs)

pid   Process
1424  powershell.exe
1028  powershell.exe
1428  powershell.exe
1964  powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description                            pid   Process
Token: SeDebugPrivilege                1028  powershell.exe
Token: SeDebugPrivilege                1428  powershell.exe
Token: SeDebugPrivilege                1424  powershell.exe
Token: SeIncreaseQuotaPrivilege        1428  powershell.exe
Token: SeSecurityPrivilege             1428  powershell.exe
Token: SeTakeOwnershipPrivilege        1428  powershell.exe
Token: SeLoadDriverPrivilege           1428  powershell.exe
Token: SeSystemProfilePrivilege        1428  powershell.exe
Token: SeSystemtimePrivilege           1428  powershell.exe
Token: SeProfSingleProcessPrivilege    1428  powershell.exe
Token: SeIncBasePriorityPrivilege      1428  powershell.exe
Token: SeCreatePagefilePrivilege       1428  powershell.exe
Token: SeBackupPrivilege               1428  powershell.exe
Token: SeRestorePrivilege              1428  powershell.exe
Token: SeShutdownPrivilege             1428  powershell.exe
Token: SeDebugPrivilege                1428  powershell.exe
Token: SeSystemEnvironmentPrivilege    1428  powershell.exe
Token: SeRemoteShutdownPrivilege       1428  powershell.exe
Token: SeUndockPrivilege               1428  powershell.exe
Token: SeManageVolumePrivilege         1428  powershell.exe
Token: 33                              1428  powershell.exe
Token: 34                              1428  powershell.exe
Token: 35                              1428  powershell.exe
Token: SeIncreaseQuotaPrivilege        1028  powershell.exe
Token: SeSecurityPrivilege             1028  powershell.exe
Token: SeTakeOwnershipPrivilege        1028  powershell.exe
Token: SeLoadDriverPrivilege           1028  powershell.exe
Token: SeSystemProfilePrivilege        1028  powershell.exe
Token: SeSystemtimePrivilege           1028  powershell.exe
Token: SeProfSingleProcessPrivilege    1028  powershell.exe
Token: SeIncBasePriorityPrivilege      1028  powershell.exe
Token: SeCreatePagefilePrivilege       1028  powershell.exe
Token: SeBackupPrivilege               1028  powershell.exe
Token: SeRestorePrivilege              1028  powershell.exe
Token: SeShutdownPrivilege             1028  powershell.exe
Token: SeDebugPrivilege                1028  powershell.exe
Token: SeSystemEnvironmentPrivilege    1028  powershell.exe
Token: SeRemoteShutdownPrivilege       1028  powershell.exe
Token: SeUndockPrivilege               1028  powershell.exe
Token: SeManageVolumePrivilege         1028  powershell.exe
Token: 33                              1028  powershell.exe
Token: 34                              1028  powershell.exe
Token: 35                              1028  powershell.exe
Token: SeIncreaseQuotaPrivilege        1424  powershell.exe
Token: SeSecurityPrivilege             1424  powershell.exe
Token: SeTakeOwnershipPrivilege        1424  powershell.exe
Token: SeLoadDriverPrivilege           1424  powershell.exe
Token: SeSystemProfilePrivilege        1424  powershell.exe
Token: SeSystemtimePrivilege           1424  powershell.exe
Token: SeProfSingleProcessPrivilege    1424  powershell.exe
Token: SeIncBasePriorityPrivilege      1424  powershell.exe
Token: SeCreatePagefilePrivilege       1424  powershell.exe
Token: SeBackupPrivilege               1424  powershell.exe
Token: SeRestorePrivilege              1424  powershell.exe
Token: SeShutdownPrivilege             1424  powershell.exe
Token: SeDebugPrivilege                1424  powershell.exe
Token: SeSystemEnvironmentPrivilege    1424  powershell.exe
Token: SeRemoteShutdownPrivilege       1424  powershell.exe
Token: SeUndockPrivilege               1424  powershell.exe
Token: SeManageVolumePrivilege         1424  powershell.exe
Token: 33                              1424  powershell.exe
Token: 34                              1424  powershell.exe
Token: 35                              1424  powershell.exe
Token: SeDebugPrivilege                1964  powershell.exe
Suspicious use of WriteProcessMemory (16 IoCs)

description                       pid  Process       procid_target
PID 980 wrote to memory of 1028   980  sample13.exe  27
PID 980 wrote to memory of 1028   980  sample13.exe  27
PID 980 wrote to memory of 1028   980  sample13.exe  27
PID 980 wrote to memory of 1028   980  sample13.exe  27
PID 980 wrote to memory of 1428   980  sample13.exe  28
PID 980 wrote to memory of 1428   980  sample13.exe  28
PID 980 wrote to memory of 1428   980  sample13.exe  28
PID 980 wrote to memory of 1428   980  sample13.exe  28
PID 980 wrote to memory of 1424   980  sample13.exe  31
PID 980 wrote to memory of 1424   980  sample13.exe  31
PID 980 wrote to memory of 1424   980  sample13.exe  31
PID 980 wrote to memory of 1424   980  sample13.exe  31
PID 980 wrote to memory of 1964   980  sample13.exe  34
PID 980 wrote to memory of 1964   980  sample13.exe  34
PID 980 wrote to memory of 1964   980  sample13.exe  34
PID 980 wrote to memory of 1964   980  sample13.exe  34
Processes

C:\Users\Admin\AppData\Local\Temp\sample13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample13.exe"
  PID: 980
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
    PID: 1028
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
    PID: 1428
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com
    PID: 1424
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com
    PID: 1964
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken