Analysis
- max time kernel: 4294181s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 26-03-2022 23:07
Static task: static1
Behavioral task: behavioral1
- Sample: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
- Resource: win7-20220310-en
Behavioral task: behavioral2
- Sample: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
- Resource: win10v2004-en-20220113
General
- Target: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
- Size: 1.0MB
- MD5: 02cadb9489d5db4e68b01febcf6bc2da
- SHA1: dbd38f77e72b4db0f7cb9d068773bbffc3a0d37e
- SHA256: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126
- SHA512: 9a7374c05ed28106096655f0beb6100372a5dd6760df6119d95dfb06180b0d78ad57a66753e52059bbd66ca2357f912e54ced01593ab97ca75ce7bdc395b37d9
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 1264: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  - PID 1908: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe (10 events)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  - Token: SeDebugPrivilege, PID 1908: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Source process in every event: PID 1908, aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
  - wrote to memory of PID 1264 (procid_target 30): 4 events
  - wrote to memory of PID 1396 (procid_target 32): 4 events
  - wrote to memory of PID 1976 (procid_target 33): 4 events
  - wrote to memory of PID 380 (procid_target 34): 4 events
  - wrote to memory of PID 452 (procid_target 35): 4 events
  - wrote to memory of PID 292 (procid_target 36): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"
  Level 1, PID: 1908
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OxshqXOJkj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp36BA.tmp"
    Level 2, PID: 1264
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"
    Level 2, PID: 1396
  - C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"
    Level 2, PID: 1976
  - C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"
    Level 2, PID: 380
  - C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"
    Level 2, PID: 452
  - C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"
    Level 2, PID: 292
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 6ed15d43bdd548f8b72c0ab0097f29df
  SHA1: 27fcbe874896e3b0d99fd8ed5697b7c522f816fa
  SHA256: 453f1ac926a9c162fede949a3b15b005e3af0dfbb9dcdcdd6c625f5469de4ea3
  SHA512: 7c930b6f9655dd1a41726a5d6674bd747bdc9824ab68427e401acd2fd45900be6e4803ad22545e5919bdc612727261baaa8a5634e1eec44464f1e95969ef331b