Analysis

  • max time kernel
    78s
  • max time network
    93s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-04-2022 09:38

General

  • Target
    e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe
  • Size
    573KB
  • MD5
    c9531869cbdf03333c99368be877b7e2
  • SHA1
    59209818bf3261ba17de8b561801abbd2892b4aa
  • SHA256
    e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c
  • SHA512
    88dbab0c4b8d6918b6c3c6295ad5119a19459ff44a83ad6f39431f6478d70754e5590cbce484abbcb62ac6ce62be75ed60033279e2b8de484963f8c8a0adbbcc

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe
    "C:\Users\Admin\AppData\Local\Temp\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHmmhgfjXRj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E6A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1960
    • C:\Users\Admin\AppData\Local\Temp\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe
      "{path}"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:900

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1E6A.tmp
    Filesize
    1KB
    MD5
    3cbfe74d85ccd22e569cdcdf6ff78eed
    SHA1
    5803b5a447337683c17ad45de9659186acabe140
    SHA256
    d20ee9827288383d0d1db71957e9c32f1e04e5730c3ce910769037750fd1538a
    SHA512
    0c4351ee97979f7ae117ebbefa672c7a1ba9b8138ca3fcc9cdc9944fa35c419b8af8b0d344b0c5dbfc8406aad43dcc25816fca8304431b41e3ca6043807c112e
  • memory/756-55-0x00000000002D0000-0x000000000030E000-memory.dmp
    Filesize
    248KB
  • memory/756-56-0x0000000000470000-0x000000000048C000-memory.dmp
    Filesize
    112KB
  • memory/756-57-0x00000000047C0000-0x00000000047F6000-memory.dmp
    Filesize
    216KB
  • memory/756-54-0x0000000000D50000-0x0000000000DE6000-memory.dmp
    Filesize
    600KB
  • memory/900-60-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize
    48KB
  • memory/900-61-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize
    48KB
  • memory/900-63-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize
    48KB
  • memory/900-64-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize
    48KB
  • memory/900-65-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize
    48KB
  • memory/900-68-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize
    48KB
  • memory/900-70-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize
    48KB