Analysis
max time kernel: 155s
max time network: 169s
platform: windows7_x64
resource: win7-en-20211208
submitted: 07/02/2022, 08:46
Behavioral task: behavioral1
Sample: 0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe
Resource: win7-en-20211208
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe
Resource: win10v2004-en-20220113
0 signatures, 0 seconds
General
Target: 0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe
Size: 64KB
MD5: 9f66ae4cf67d2bd7a20b358f19a911c6
SHA1: fbba0cf5aaf04cc62986f3f384f649cce3571f12
SHA256: 0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb
SHA512: 940b6a9536f20fda14cd61c308432c46878eb495bbf9b34d07a2d5c91e84f0d52baea94acb0c4c82a812e5191edb9bfce0c46af3f1bddbad4d4ecf511397da31
Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 844 wrote to memory of 1388 | 844 | 0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe | 27
  PID 844 wrote to memory of 1388 | 844 | 0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe | 27
  PID 844 wrote to memory of 1388 | 844 | 0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe | 27
  PID 844 wrote to memory of 1388 | 844 | 0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe | 27
  PID 1388 wrote to memory of 1572 | 1388 | cmd.exe | 29
  PID 1388 wrote to memory of 1572 | 1388 | cmd.exe | 29
  PID 1388 wrote to memory of 1572 | 1388 | cmd.exe | 29
  PID 1388 wrote to memory of 1088 | 1388 | cmd.exe | 30
  PID 1388 wrote to memory of 1088 | 1388 | cmd.exe | 30
  PID 1388 wrote to memory of 1088 | 1388 | cmd.exe | 30
  PID 1388 wrote to memory of 1084 | 1388 | cmd.exe | 31
  PID 1388 wrote to memory of 1084 | 1388 | cmd.exe | 31
  PID 1388 wrote to memory of 1084 | 1388 | cmd.exe | 31
  PID 1388 wrote to memory of 732 | 1388 | cmd.exe | 32
  PID 1388 wrote to memory of 732 | 1388 | cmd.exe | 32
  PID 1388 wrote to memory of 732 | 1388 | cmd.exe | 32
  PID 1388 wrote to memory of 744 | 1388 | cmd.exe | 33
  PID 1388 wrote to memory of 744 | 1388 | cmd.exe | 33
  PID 1388 wrote to memory of 744 | 1388 | cmd.exe | 33
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 844

  [depth 2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\20F7.tmp\20F8.bat C:\Users\Admin\AppData\Local\Temp\0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1388

    [depth 3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c dir C:\Users\Admin\AppData\Local\Temp\App\Engine\*.exe /b
      PID: 1572

    [depth 3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c dir C:\Users\Admin\AppData\Local\Temp\App\*.exe /b
      PID: 1088

    [depth 3] C:\Windows\system32\reg.exe
      Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\Interface" /f
      PID: 1084

    [depth 3] C:\Windows\system32\reg.exe
      Command line: reg delete "HKEY_CURRENT_USER\Software\AlanThinker" /f
      PID: 732

    [depth 3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\AlanThinker\Data\6" /v "isVideoPlayed" /t REG_SZ /d "True" /f
      PID: 744
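The chain in the Processes section (the sample runs a batch file from a <hex>.tmp folder under %TEMP%, and that batch enumerates *.exe files and deletes/adds HKEY_CURRENT_USER keys) is the kind of parent/child context worth turning into a check, and the 19 WriteProcessMemory rows above are easier to read once collapsed into unique edges. The Python below is an added example and is not part of the sandbox report or its tooling. Its input is constructed from the report's text: a subset of the IoC rows in their flattened shape, and (pid, ppid, command line) records for the process tree, with the ppid values inferred from the tree depth. The regexes, rule names and function names are my own assumptions. Every edge it recovers corresponds to a parent/child pair in the Processes section, so the repeated rows here reflect process creation rather than writes into an unrelated process; the count alone is not evidence of injection.

```python
"""Rebuild parent/child edges from a sandbox report's flat WriteProcessMemory
IoC rows and run simple detection rules over its process tree.

Added example, not part of the sandbox report. All input below is constructed
from the report's text; ppids are inferred from the tree depth."""
import re
from collections import Counter

SAMPLE = "0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed subset of the report's 19 IoC rows, in their flattened shape:
# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
WPM_ROWS = (
    [f"PID 844 wrote to memory of 1388 844 {SAMPLE} 27"] * 4
    + ["PID 1388 wrote to memory of 1572 1388 cmd.exe 29"] * 3
    + ["PID 1388 wrote to memory of 1084 1388 cmd.exe 31"] * 3
    + ["PID 1388 wrote to memory of 744 1388 cmd.exe 33"] * 3
)

# Constructed (pid, ppid, command line) records from the Processes section.
PROCS = [
    (844, None, f'"{TEMP}\\{SAMPLE}"'),
    (1388, 844, f'"C:\\Windows\\sysnative\\cmd.exe" /c "{TEMP}\\20F7.tmp\\20F8.bat {TEMP}\\{SAMPLE}"'),
    (1572, 1388, f"C:\\Windows\\system32\\cmd.exe /c dir {TEMP}\\App\\Engine\\*.exe /b"),
    (1088, 1388, f"C:\\Windows\\system32\\cmd.exe /c dir {TEMP}\\App\\*.exe /b"),
    (1084, 1388, 'reg delete "HKEY_CURRENT_USER\\SOFTWARE\\Classes\\Interface" /f'),
    (732, 1388, 'reg delete "HKEY_CURRENT_USER\\Software\\AlanThinker" /f'),
    (744, 1388, 'reg add "HKEY_CURRENT_USER\\Software\\AlanThinker\\Data\\6" /v "isVideoPlayed" /t REG_SZ /d "True" /f'),
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
# <hex>.tmp\<hex>.bat under a Temp folder: the dropped-batch pattern in the tree.
TEMP_BAT_RE = re.compile(r"\\Temp\\[0-9A-F]{4}\.tmp\\[0-9A-F]{4}\.bat", re.I)
REG_RE = re.compile(r'^reg\s+(add|delete)\s+"([^"]+)"', re.I)
DIR_EXE_RE = re.compile(r"\bdir\b.*\\\*\.exe", re.I)


def wpm_edges(rows):
    """Collapse the one-row-per-call IoC list into unique
    (src_pid, dst_pid, src_image) edges with a call count."""
    counts = Counter()
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m:
            src, dst, image, _ = m.groups()
            counts[(int(src), int(dst), image)] += 1
    return dict(counts)


def registry_ops(procs):
    """Return (op, key) for every reg.exe add/delete, e.g. for host checks."""
    ops = []
    for _, _, cmd in procs:
        m = REG_RE.match(cmd)
        if m:
            ops.append((m.group(1).lower(), m.group(2)))
    return ops


def detect(procs):
    """Three rules keyed on parent/child context rather than single commands."""
    by_pid = {pid: cmd for pid, _, cmd in procs}
    hits = []
    for pid, ppid, cmd in procs:
        parent_cmd = by_pid.get(ppid, "")
        # Rule 1: the sample itself launches a batch from a Temp\<hex>.tmp folder.
        if TEMP_BAT_RE.search(cmd) and SAMPLE.lower() in parent_cmd.lower():
            hits.append((pid, "sample runs a dropped batch from a Temp .tmp folder"))
        # Rules 2 and 3 only fire for children of that dropped batch.
        if TEMP_BAT_RE.search(parent_cmd):
            m = REG_RE.match(cmd)
            if m and m.group(2).upper().startswith("HKEY_CURRENT_USER\\"):
                hits.append((pid, f"HKCU {m.group(1).lower()} from dropped batch"))
            if DIR_EXE_RE.search(cmd):
                hits.append((pid, "enumerates *.exe under Temp from dropped batch"))
    return hits


if __name__ == "__main__":
    for edge, n in wpm_edges(WPM_ROWS).items():
        print(f"{edge[0]} -> {edge[1]} ({edge[2]}): {n} write(s)")
    for pid, why in detect(PROCS):
        print(f"PID {pid}: {why}")
```

The rules deliberately key on the parent's command line: reg.exe touching HKCU or cmd.exe listing *.exe is noise on its own, but either one spawned by a batch file the sample dropped into a <hex>.tmp folder is what this tree actually shows. The registry_ops output gives the three keys (two deletes, one add under HKEY_CURRENT_USER\Software\AlanThinker) to check on a host that ran the file.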