Analysis

Max time kernel: 132s
Max time network: 125s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 07/02/2022, 02:32
Behavioral task: behavioral1
  Sample: 4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe
  Resource: win7-en-20211208
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe
  Resource: win10v2004-en-20220112
  0 signatures, 0 seconds
General

Target: 4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe
Size: 1.8MB
MD5: d1b922e5f97270ad56f1c314bbab51a2
SHA1: a24a536042b233fd352572498234bc4653ab9006
SHA256: 4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d
SHA512: 1f9edec7d1cb9fa3e1a90510d9f40e084232164838557cd13b77e69d44ca5b54afef886ed95d4ef3bc97ec8d4785dce40b2ed9b1f3ff966453f6abb30cb60e98
Score: 8/10
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid | Process
  1688 | 2.exe

Drops file in Program Files directory (7 IoCs)
  description | ioc | Process
  File created | C:\Program Files\KeepVid\Video Converter\KeepVidVideoConverter.exe | 2.exe
  File opened for modification | C:\Program Files\KeepVid\Video Converter\KeepVidVideoConverter.exe | 2.exe
  File created | C:\Program Files\KeepVid\Video Converter\CBSProductClient.dll | 2.exe
  File opened for modification | C:\Program Files\KeepVid\Video Converter\CBSProductClient.dll | 2.exe
  File opened for modification | C:\Program Files\KeepVid | 2.exe
  File opened for modification | C:\Program Files\KeepVid\Video Converter | 2.exe
  File created | C:\Program Files\KeepVid\Video Converter\__tmp_rar_sfx_access_check_181585 | 2.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid | Process
  1688 | 2.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2036 wrote to memory of 1636 | 2036 | 4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe | 27
  PID 2036 wrote to memory of 1636 | 2036 | 4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe | 27
  PID 2036 wrote to memory of 1636 | 2036 | 4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe | 27
  PID 2036 wrote to memory of 1636 | 2036 | 4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe | 27
  PID 1636 wrote to memory of 1688 | 1636 | cmd.exe | 29
  PID 1636 wrote to memory of 1688 | 1636 | cmd.exe | 29
  PID 1636 wrote to memory of 1688 | 1636 | cmd.exe | 29
  PID 1636 wrote to memory of 1688 | 1636 | cmd.exe | 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe"
   PID: 2036
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BE10.tmp\BE11.bat C:\Users\Admin\AppData\Local\Temp\4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe"
      PID: 1636
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\BE10.tmp\2.exe
         Command line: 2.exe
         PID: 1688
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Suspicious behavior: CmdExeWriteProcessMemorySpam