Analysis
max time kernel: 122s
max time network: 129s
platform: windows7_x64
resource: win7-en-20211208
submitted: 14-02-2022 15:10
Static task: static1
Behavioral task: behavioral1
Sample: c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe
Resource: win7-en-20211208
Platform: windows7_x64
0 signatures
0 seconds
General
Target: c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe
Size: 216KB
MD5: e7fe8d6976cad7165d5ab79c12b28b4e
SHA1: 0bd76ef651c878ea4050a1ad8873da78510a4c00
SHA256: c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3
SHA512: 2135fa63b7bd2795ac3b3a9d3a02463af7e2c472e8175d2d48c79d2dd7835e63d71c7644c6f42669c9aa529d7b1706a81dd84ceac58ad2d756911023675d8fc9
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid  | process
  748  | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe
  1576 | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe
  1576 | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                      | pid | process                                                                  | target process
  PID 748 wrote to memory of 1576  | 748 | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe
  PID 748 wrote to memory of 1576  | 748 | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe
  PID 748 wrote to memory of 1576  | 748 | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe
  PID 748 wrote to memory of 1576  | 748 | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe
  PID 748 wrote to memory of 588   | 748 | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe | cmd.exe
  PID 748 wrote to memory of 588   | 748 | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe | cmd.exe
  PID 748 wrote to memory of 588   | 748 | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe | cmd.exe
  PID 748 wrote to memory of 588   | 748 | c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe | cmd.exe
  PID 588 wrote to memory of 544   | 588 | cmd.exe                                                                  | PING.EXE
  PID 588 wrote to memory of 544   | 588 | cmd.exe                                                                  | PING.EXE
  PID 588 wrote to memory of 544   | 588 | cmd.exe                                                                  | PING.EXE
  PID 588 wrote to memory of 544   | 588 | cmd.exe                                                                  | PING.EXE
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe /C
    - Suspicious behavior: EnumeratesProcesses
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\c67eb13bf6222d0f7dee5250bcfc7175178d4977afd21baf3f61d64c35e79fe3.exe"
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/748-53-0x00000000754B1000-0x00000000754B3000-memory.dmp
  Filesize: 8KB