Analysis
- max time kernel: 118s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 22-02-2022 20:33
Behavioral task
- behavioral1 | Sample: 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe | Resource: win7-en-20211208 | 0 signatures | 0 seconds
General
- Target: 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe
- Size: 58KB
- MD5: 96a8df3f39d930dd11ea0453c5d81497
- SHA1: 615ed7b29a61503c2d8b76615769279ff93dcdbf
- SHA256: 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069
- SHA512: 9d00921c6a3cd9fd31025ec33a6634602041d7ab808ffe98e695a9a16a13613e1b5a40aed2a8575e3ee9098c59310487a741d2e6c85f463005948984343f6929
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  pid: 3516 | process: 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 3352 wrote to memory of 3516 | 3352 | 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe | 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe
  PID 3352 wrote to memory of 3516 | 3352 | 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe | 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe
  PID 3352 wrote to memory of 3516 | 3352 | 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe | 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe (PID 3352, from the WriteProcessMemory IoCs above)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe (PID 3516, child of 3352)
      Command line: --5b933e96
      - Suspicious behavior: RenamesItself
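The process tree and the WriteProcessMemory IoCs above describe one pattern: the sample relaunches its own image as a child (3352 spawns 3516 with the extra argument --5b933e96) and then writes into that child's memory three times, after which the child renames itself. The script below is an added example, not part of the sandbox report or of the sample, showing how to pull that pattern out of sandbox-style records. The process-create records and the parent's PPID (2100) are constructed from the values on this page; the child's full command line is assumed to be the image path followed by --5b933e96, since the tree only shows the argument.

```python
"""Flag the 'relaunch self, then WriteProcessMemory into the copy' pattern.

Added example. Input records are constructed from the report values
(PIDs 3352 -> 3516, same image path, argument --5b933e96); they are
not a real sandbox export. Parent PPID 2100 is an assumption.
"""
import re
from collections import Counter

IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
         r"\0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe")

# Constructed process-create records (sandbox style).
PROCESSES = [
    {"pid": 3352, "ppid": 2100, "image": IMAGE, "cmdline": f'"{IMAGE}"'},
    # Child command line assumed to be image + the argument shown in the tree.
    {"pid": 3516, "ppid": 3352, "image": IMAGE, "cmdline": f'"{IMAGE}" --5b933e96'},
]

# Constructed copies of the three IoC description strings from the report.
WRITE_IOCS = [
    "PID 3352 wrote to memory of 3516",
    "PID 3352 wrote to memory of 3516",
    "PID 3352 wrote to memory of 3516",
]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_writes(iocs):
    """Return (source_pid, target_pid) pairs parsed from IoC description strings."""
    pairs = []
    for line in iocs:
        m = WRITE_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def extra_args(cmdline, image):
    """Tokens of cmdline that are not the image path itself (quoted or bare)."""
    return [t for t in cmdline.split() if t.strip('"').lower() != image.lower()]


def find_self_injection(processes, write_pairs):
    """Flag parent->child memory writes where the child runs the parent's own image.

    A fresh child of the same binary that immediately receives memory writes from
    its parent is the usual shape of a loader staging a second stage (hollowing or
    self-injection). Each finding carries the write count and the extra argument
    the child was launched with, which is often a stage/instance marker.
    """
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for (src, dst), n in Counter(write_pairs).items():
        parent, child = by_pid.get(src), by_pid.get(dst)
        if parent is None or child is None:
            continue  # no create record for one side; cannot compare images
        if child["ppid"] != src:
            continue  # write into an unrelated process: a different signature
        if parent["image"].lower() != child["image"].lower():
            continue  # classic remote injection into another binary, not self-relaunch
        findings.append({
            "parent_pid": src,
            "child_pid": dst,
            "writes": n,
            "image": child["image"],
            "child_extra_args": extra_args(child["cmdline"], child["image"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_self_injection(PROCESSES, parse_writes(WRITE_IOCS)):
        print(f"{f['parent_pid']} -> {f['child_pid']}: {f['writes']} writes into a "
              f"relaunched copy of itself, child args {f['child_extra_args']}")
```

The write count alone does not establish hollowing; three WriteProcessMemory calls into a freshly created child are consistent with it, but confirming it needs a memory dump of PID 3516 (or the sandbox's API trace) showing what was written and whether the original image was unmapped first. The rename of 3516 after the writes is a separate IoC and is left to the report's RenamesItself signature.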