Analysis
max time kernel: 128s
max time network: 146s
platform: windows7_x64
resource: win7-en-20211208
submitted: 07/02/2022, 14:59
Behavioral task: behavioral1
Sample: b0ae60c70c187c8aaf55d1bfd4d0293f25ba9f315668ceacc2560d22a2730206.exe
Resource: win7-en-20211208
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: b0ae60c70c187c8aaf55d1bfd4d0293f25ba9f315668ceacc2560d22a2730206.exe
Resource: win10v2004-en-20220112
0 signatures, 0 seconds
General
Target: b0ae60c70c187c8aaf55d1bfd4d0293f25ba9f315668ceacc2560d22a2730206.exe
Size: 19.1MB
MD5: 4e74c09cdf73e043a217e68058b43139
SHA1: 4325cc8708fbe6f1bc5673037fb4c58042ce291b
SHA256: b0ae60c70c187c8aaf55d1bfd4d0293f25ba9f315668ceacc2560d22a2730206
SHA512: 29fe208509ae883d90bd878885416e2411f2c3ea888b9caab408ebd8117ffb919143c3b0486ecfc0ef9ea4017306b1d10913e68db2aed50f585eea1e00ab1de8
Score: 8/10
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid | Process
  1428 | 2.exe

Drops file in Program Files directory (10 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Winstep\unins000.dat | 2.exe
  File opened for modification | C:\Program Files\Winstep | 2.exe
  File created | C:\Program Files\Winstep\__tmp_rar_sfx_access_check_229009 | 2.exe
  File opened for modification | C:\Program Files\Winstep\unins000.exe | 2.exe
  File created | C:\Program Files\Winstep\WorkShelf.exe | 2.exe
  File opened for modification | C:\Program Files\Winstep\WorkShelf.exe | 2.exe
  File opened for modification | C:\Program Files\Winstep\unins000.dat | 2.exe
  File created | C:\Program Files\Winstep\Nextstart.exe | 2.exe
  File opened for modification | C:\Program Files\Winstep\Nextstart.exe | 2.exe
  File created | C:\Program Files\Winstep\unins000.exe | 2.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid | Process
  1428 | 2.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2020 wrote to memory of 1104 | 2020 | b0ae60c70c187c8aaf55d1bfd4d0293f25ba9f315668ceacc2560d22a2730206.exe | 27
  PID 2020 wrote to memory of 1104 | 2020 | b0ae60c70c187c8aaf55d1bfd4d0293f25ba9f315668ceacc2560d22a2730206.exe | 27
  PID 2020 wrote to memory of 1104 | 2020 | b0ae60c70c187c8aaf55d1bfd4d0293f25ba9f315668ceacc2560d22a2730206.exe | 27
  PID 2020 wrote to memory of 1104 | 2020 | b0ae60c70c187c8aaf55d1bfd4d0293f25ba9f315668ceacc2560d22a2730206.exe | 27
  PID 1104 wrote to memory of 1428 | 1104 | cmd.exe | 29
  PID 1104 wrote to memory of 1428 | 1104 | cmd.exe | 29
  PID 1104 wrote to memory of 1428 | 1104 | cmd.exe | 29
  PID 1104 wrote to memory of 1428 | 1104 | cmd.exe | 29
Processes
C:\Users\Admin\AppData\Local\Temp\b0ae60c70c187c8aaf55d1bfd4d0293f25ba9f315668ceacc2560d22a2730206.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0ae60c70c187c8aaf55d1bfd4d0293f25ba9f315668ceacc2560d22a2730206.exe"
  Depth: 1
  - Suspicious use of WriteProcessMemory
  PID: 2020

  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5733.tmp\5754.bat C:\Users\Admin\AppData\Local\Temp\b0ae60c70c187c8aaf55d1bfd4d0293f25ba9f315668ceacc2560d22a2730206.exe"
    Depth: 2
    - Suspicious use of WriteProcessMemory
    PID: 1104

    C:\Users\Admin\AppData\Local\Temp\5733.tmp\2.exe
      Command line: 2.exe
      Depth: 3
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID: 1428