Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 14-02-2022 15:46
Static task: static1
Behavioral task: behavioral1
- Sample: 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
- Resource: win7-en-20211208
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
- Size: 292KB
- MD5: 2c16d6151ed74fb8373332f46cd662f3
- SHA1: 1c2c141e1f03602532c5645cfa1b52415cf86f0f
- SHA256: 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062
- SHA512: f70e5d46dee197ad7c1a78bf58aa22ebd4a566560a569772994c538d3b751042502676c8b20b738b67fbe750409d68c99dc581a7bce3639739cc6ae667d01671
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid  | process
  980  | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
  1180 | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
  1180 | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 980 wrote to memory of 1180 | 980 | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
  PID 980 wrote to memory of 1180 | 980 | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
  PID 980 wrote to memory of 1180 | 980 | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
  PID 980 wrote to memory of 1180 | 980 | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
  PID 980 wrote to memory of 268 | 980 | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe | cmd.exe
  PID 980 wrote to memory of 268 | 980 | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe | cmd.exe
  PID 980 wrote to memory of 268 | 980 | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe | cmd.exe
  PID 980 wrote to memory of 268 | 980 | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe | cmd.exe
  PID 268 wrote to memory of 576 | 268 | cmd.exe | PING.EXE
  PID 268 wrote to memory of 576 | 268 | cmd.exe | PING.EXE
  PID 268 wrote to memory of 576 | 268 | cmd.exe | PING.EXE
  PID 268 wrote to memory of 576 | 268 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe /C
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/980-53-0x0000000075F21000-0x0000000075F23000-memory.dmp (Filesize: 8KB)