Overview

overview

10

Static

static

da61f09c26...e7.exe

windows7_x64

3

da61f09c26...e7.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294179s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    26-03-2022 16:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da61f09c2679cae39e07c5ec3f8c271232ced03582a4bd4d5eec9563040228e7.exe

  • Size

    837KB

  • MD5

    fc4696e263fd29642a491cd5911a41d1

  • SHA1

    4d1b49c670ac548ac46380194f65f268354eb013

  • SHA256

    da61f09c2679cae39e07c5ec3f8c271232ced03582a4bd4d5eec9563040228e7

  • SHA512

    2e458a15ba86b95867f1f45f6743ddd94119f45235411a5d8adb66b3480b517ca2962ccace09478978e47749211367830c9231ff7239d074eb963f745e8b98b4

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da61f09c2679cae39e07c5ec3f8c271232ced03582a4bd4d5eec9563040228e7.exe
    "C:\Users\Admin\AppData\Local\Temp\da61f09c2679cae39e07c5ec3f8c271232ced03582a4bd4d5eec9563040228e7.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GfhsaeruF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF161.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:432
    • C:\Users\Admin\AppData\Local\Temp\da61f09c2679cae39e07c5ec3f8c271232ced03582a4bd4d5eec9563040228e7.exe
      "{path}"
      2⤵
        PID:360
      • C:\Users\Admin\AppData\Local\Temp\da61f09c2679cae39e07c5ec3f8c271232ced03582a4bd4d5eec9563040228e7.exe
        "{path}"
        2⤵
          PID:1848
        • C:\Users\Admin\AppData\Local\Temp\da61f09c2679cae39e07c5ec3f8c271232ced03582a4bd4d5eec9563040228e7.exe
          "{path}"
          2⤵
            PID:1824
          • C:\Users\Admin\AppData\Local\Temp\da61f09c2679cae39e07c5ec3f8c271232ced03582a4bd4d5eec9563040228e7.exe
            "{path}"
            2⤵
              PID:1820
            • C:\Users\Admin\AppData\Local\Temp\da61f09c2679cae39e07c5ec3f8c271232ced03582a4bd4d5eec9563040228e7.exe
              "{path}"
              2⤵
                PID:1456

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpF161.tmp
              Filesize

              1KB

              MD5

              166ffc1bde89365fa634426b9e761faf

              SHA1

              7812930cfbdca20a5a3d801ca10b753867af9d75

              SHA256

              0746d631efc0d42d12d2805ec4a1a6afba5a519f783f48f9038b9d659eb0ed14

              SHA512

              bf4148b43eb15ca86451b833bbdb7c8b8cdc9e9699d93f3269a6170f5b4f8d4939a0037f9a11167a35957c4095c7ffebec843015d514b2182a9e6d833aca6449

              Download Submit
            • memory/432-57-0x0000000000000000-mapping.dmp
              Download
            • memory/1564-54-0x0000000000270000-0x0000000000348000-memory.dmp
              Filesize

              864KB

              Download
            • memory/1564-55-0x0000000000370000-0x000000000038C000-memory.dmp
              Filesize

              112KB

              Download
            • memory/1564-56-0x0000000005440000-0x00000000054E2000-memory.dmp
              Filesize

              648KB

              Download