Analysis
max time kernel: 137s
max time network: 134s
platform: windows7_x64
resource: win7-en-20211208
submitted: 07/02/2022, 02:48
Behavioral task: behavioral1
Sample: 405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe
Resource: win7-en-20211208
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: 405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe
Resource: win10v2004-en-20220112
0 signatures
0 seconds
General
Target: 405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe
Size: 1.2MB
MD5: 55d3bf6845cb75b495704d3d3be3e406
SHA1: 1e078c1e5937db4ebec4a24d75dd777ad4e175ff
SHA256: 405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0
SHA512: c904b9016fe932e0a4187467279cfa28cf4daa719674ff63d568bff706faac8d520fcb283d2d26eba2a83ded61119e32284a2aafc1872f1bbe4db07809170a1e
Score: 8/10
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid   Process
  1568  2.exe

Drops file in Program Files directory (7 IoCs)
  description                   ioc                                                                        Process
  File created                  C:\Program Files\KeepVid\KeepVid Pro\KeepVidPro.exe                        2.exe
  File opened for modification  C:\Program Files\KeepVid\KeepVid Pro\KeepVidPro.exe                        2.exe
  File created                  C:\Program Files\KeepVid\KeepVid Pro\CBSProductClient.dll                  2.exe
  File opened for modification  C:\Program Files\KeepVid\KeepVid Pro\CBSProductClient.dll                  2.exe
  File opened for modification  C:\Program Files\KeepVid                                                   2.exe
  File opened for modification  C:\Program Files\KeepVid\KeepVid Pro                                       2.exe
  File created                  C:\Program Files\KeepVid\KeepVid Pro\__tmp_rar_sfx_access_check_203238     2.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  pid   Process
  1568  2.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 1196 wrote to memory of 1264     1196  405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe      27
  PID 1196 wrote to memory of 1264     1196  405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe      27
  PID 1196 wrote to memory of 1264     1196  405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe      27
  PID 1196 wrote to memory of 1264     1196  405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe      27
  PID 1264 wrote to memory of 1568     1264  cmd.exe                                                                   29
  PID 1264 wrote to memory of 1568     1264  cmd.exe                                                                   29
  PID 1264 wrote to memory of 1568     1264  cmd.exe                                                                   29
  PID 1264 wrote to memory of 1568     1264  cmd.exe                                                                   29
Processes
1. C:\Users\Admin\AppData\Local\Temp\405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1196
   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\14E6.tmp\14E7.bat C:\Users\Admin\AppData\Local\Temp\405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe"
      - Suspicious use of WriteProcessMemory
      PID: 1264
      3. C:\Users\Admin\AppData\Local\Temp\14E6.tmp\2.exe
         Command line: 2.exe
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Suspicious behavior: CmdExeWriteProcessMemorySpam
         PID: 1568