Analysis
max time kernel: 124s
max time network: 137s
platform: windows7_x64
resource: win7-en-20211208
submitted: 08/02/2022, 16:34
Behavioral task: behavioral1
Sample: c5b5b8c520b0619549653a1e68d2318547483e59d39dc57352e2c39d84869d3c.exe
Resource: win7-en-20211208
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: c5b5b8c520b0619549653a1e68d2318547483e59d39dc57352e2c39d84869d3c.exe
Resource: win10v2004-en-20220112
0 signatures
0 seconds
General
Target: c5b5b8c520b0619549653a1e68d2318547483e59d39dc57352e2c39d84869d3c.exe
Size: 13.6MB
MD5: bea610a4b1e7649e623ca842c7b5eabe
SHA1: 35c14688cf42428e3e811c5ac78f31c8665f635a
SHA256: c5b5b8c520b0619549653a1e68d2318547483e59d39dc57352e2c39d84869d3c
SHA512: 539d8012eca78e207aeba36cf94e01a9edbf3b9c046d0b8fd0b9acc2886ac554513c81a7d24eecb4ea675495ed36315dee51b29106e54944431d00578ddcebbf
Score: 8/10
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid: 544, Process: 2.exe

- Drops file in Program Files directory (9 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Photodex\ProShow Producer\all.dnt | 2.exe
  File opened for modification | C:\Program Files\Photodex\ProShow Producer\if.dnt | 2.exe
  File created | C:\Program Files\Photodex\ProShow Producer\pshow.dnt | 2.exe
  File opened for modification | C:\Program Files\Photodex\ProShow Producer\pshow.dnt | 2.exe
  File opened for modification | C:\Program Files\Photodex | 2.exe
  File opened for modification | C:\Program Files\Photodex\ProShow Producer | 2.exe
  File created | C:\Program Files\Photodex\ProShow Producer\__tmp_rar_sfx_access_check_259427868 | 2.exe
  File opened for modification | C:\Program Files\Photodex\ProShow Producer\all.dnt | 2.exe
  File created | C:\Program Files\Photodex\ProShow Producer\if.dnt | 2.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid: 544, Process: 2.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1692 wrote to memory of 1924 | 1692 | c5b5b8c520b0619549653a1e68d2318547483e59d39dc57352e2c39d84869d3c.exe | 27
  PID 1692 wrote to memory of 1924 | 1692 | c5b5b8c520b0619549653a1e68d2318547483e59d39dc57352e2c39d84869d3c.exe | 27
  PID 1692 wrote to memory of 1924 | 1692 | c5b5b8c520b0619549653a1e68d2318547483e59d39dc57352e2c39d84869d3c.exe | 27
  PID 1692 wrote to memory of 1924 | 1692 | c5b5b8c520b0619549653a1e68d2318547483e59d39dc57352e2c39d84869d3c.exe | 27
  PID 1924 wrote to memory of 544 | 1924 | cmd.exe | 29
  PID 1924 wrote to memory of 544 | 1924 | cmd.exe | 29
  PID 1924 wrote to memory of 544 | 1924 | cmd.exe | 29
  PID 1924 wrote to memory of 544 | 1924 | cmd.exe | 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\c5b5b8c520b0619549653a1e68d2318547483e59d39dc57352e2c39d84869d3c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c5b5b8c520b0619549653a1e68d2318547483e59d39dc57352e2c39d84869d3c.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1692

   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\697D.tmp\69AC.bat C:\Users\Admin\AppData\Local\Temp\c5b5b8c520b0619549653a1e68d2318547483e59d39dc57352e2c39d84869d3c.exe"
      - Suspicious use of WriteProcessMemory
      PID: 1924

      3. C:\Users\Admin\AppData\Local\Temp\697D.tmp\2.exe
         Command line: 2.exe
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Suspicious behavior: CmdExeWriteProcessMemorySpam
         PID: 544