Analysis
max time kernel: 141s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 07/02/2022, 14:22
Behavioral task: behavioral1
Sample: b27d94521600c442e32f934365fd38936a54c395cca4f8727578b1f759d385d7.exe
Resource: win7-en-20211208
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: b27d94521600c442e32f934365fd38936a54c395cca4f8727578b1f759d385d7.exe
Resource: win10v2004-en-20220112
0 signatures
0 seconds
General
Target: b27d94521600c442e32f934365fd38936a54c395cca4f8727578b1f759d385d7.exe
Size: 2.0MB
MD5: 9dab96a19ce340608e3cde6691eaa76d
SHA1: 6864b6fe38285e6e8e98f8d9bc182b19f9528597
SHA256: b27d94521600c442e32f934365fd38936a54c395cca4f8727578b1f759d385d7
SHA512: 7e696c149cae3e04b8888d9e3b0fc2087d65a2a9c4abe8b3012068b934e12afcc591d981f5c5bda39c5cd05e3f27c69ccf5e4e7a7e24fd2972fe72f35d03bab5
Score: 8/10
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid   Process
1316  1.exe
Drops file in Program Files directory (5 IoCs)
description                  | ioc                                                                                          | Process
File opened for modification | C:\Program Files\Wondershare                                                                 | 1.exe
File opened for modification | C:\Program Files\Wondershare\Video Converter Ultimate                                         | 1.exe
File created                 | C:\Program Files\Wondershare\Video Converter Ultimate\__tmp_rar_sfx_access_check_174877       | 1.exe
File created                 | C:\Program Files\Wondershare\Video Converter Ultimate\VideoConverterUltimate.exe              | 1.exe
File opened for modification | C:\Program Files\Wondershare\Video Converter Ultimate\VideoConverterUltimate.exe              | 1.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
pid   Process
1316  1.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description                       | pid  | Process                                                                  | procid_target
PID 2008 wrote to memory of 1528  | 2008 | b27d94521600c442e32f934365fd38936a54c395cca4f8727578b1f759d385d7.exe | 27
PID 2008 wrote to memory of 1528  | 2008 | b27d94521600c442e32f934365fd38936a54c395cca4f8727578b1f759d385d7.exe | 27
PID 2008 wrote to memory of 1528  | 2008 | b27d94521600c442e32f934365fd38936a54c395cca4f8727578b1f759d385d7.exe | 27
PID 2008 wrote to memory of 1528  | 2008 | b27d94521600c442e32f934365fd38936a54c395cca4f8727578b1f759d385d7.exe | 27
PID 1528 wrote to memory of 1316  | 1528 | cmd.exe                                                                  | 29
PID 1528 wrote to memory of 1316  | 1528 | cmd.exe                                                                  | 29
PID 1528 wrote to memory of 1316  | 1528 | cmd.exe                                                                  | 29
PID 1528 wrote to memory of 1316  | 1528 | cmd.exe                                                                  | 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\b27d94521600c442e32f934365fd38936a54c395cca4f8727578b1f759d385d7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b27d94521600c442e32f934365fd38936a54c395cca4f8727578b1f759d385d7.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2008
   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A7C3.tmp\A7C4.bat C:\Users\Admin\AppData\Local\Temp\b27d94521600c442e32f934365fd38936a54c395cca4f8727578b1f759d385d7.exe"
      - Suspicious use of WriteProcessMemory
      PID: 1528
      3. C:\Users\Admin\AppData\Local\Temp\A7C3.tmp\1.exe
         Command line: 1.exe
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Suspicious behavior: CmdExeWriteProcessMemorySpam
         PID: 1316