9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac

Analysis

max time kernel
4294212s
max time network
130s
platform
windows7_x64
resource
win7-20220310-en
submitted
14-04-2022 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac.exe
Size

976KB
MD5

7850d47320202e10b156628105e5c4d8
SHA1

21d8765ce2a6ce989d773dc914abda4bc0705318
SHA256

9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac
SHA512

b19ddb38792cdb13ac2cb8b3824f29d04fb6173f6d8598837db83381706093cf72c16d8f65323d64d63eda376971dc2785b1e451c4588c7369513eeaf58950a0

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1180	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1180	1092	9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac.exe	29
PID 1092 wrote to memory of 1180	1092	9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac.exe	29
PID 1092 wrote to memory of 1180	1092	9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac.exe	29
PID 1092 wrote to memory of 1180	1092	9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac.exe	29
PID 1092 wrote to memory of 1988	1092	9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac.exe	31
PID 1092 wrote to memory of 1988	1092	9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac.exe	31
PID 1092 wrote to memory of 1988	1092	9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac.exe	31
PID 1092 wrote to memory of 1988	1092	9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac.exe	31

C:\Users\Admin\AppData\Local\Temp\9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac.exe
"C:\Users\Admin\AppData\Local\Temp\9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vNKsKV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD9EB.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1180
- C:\Users\Admin\AppData\Local\Temp\9d2a9f461fef5e3e6115724cc21bb0ef0028dcdc1a70ea32ae9e8a146ec078ac.exe
  "{path}"
  2⤵
  PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD9EB.tmp

Filesize
1KB

MD5
6d71199bd4746a2e637c1058d0e4c96e

SHA1
e9b5c0b21ecf50593b9489c90535bf2c2cd8d48c

SHA256
69d8136ac2388aa398f2bf6682177850e8bbae495c7ebddc033972d39723314e

SHA512
69ee2e720d394b3669355ebdaba747841dbec844b4ad81c9f22181d81309cacb3c760aac7a652e4a44269eee09bb12860c506e9af29f6adcf651f391a946124f

Download Submit
memory/1092-54-0x0000000000020000-0x000000000011A000-memory.dmp

Filesize
1000KB

Download
memory/1092-55-0x0000000001F80000-0x0000000001F9E000-memory.dmp

Filesize
120KB

Download
memory/1092-56-0x0000000007C40000-0x0000000007CFA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads