Analysis

Max time kernel: 78s
Max time network: 93s
Platform: windows7_x64
Resource: win7-20220414-en (the signatures and process tree below are from this run)
Submitted: 15-04-2022 09:38
Static task: static1
Behavioral task: behavioral1
  Sample: e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe
  Resource: win10v2004-20220414-en
General

Target: e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe
Size: 573KB
MD5: c9531869cbdf03333c99368be877b7e2
SHA1: 59209818bf3261ba17de8b561801abbd2892b4aa
SHA256: e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c
SHA512: 88dbab0c4b8d6918b6c3c6295ad5119a19459ff44a83ad6f39431f6478d70754e5590cbce484abbcb62ac6ce62be75ed60033279e2b8de484963f8c8a0adbbcc
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)
  Description                        PID  Process                                                                  procid_target
  PID 756 set thread context of 900  756  e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe  29

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a generic sandbox heuristic: nothing else in this report (no mass file writes, no ransom note) supports ransomware, so on its own it is weak evidence.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  1960  schtasks.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID  Process
  756  e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID  Process
  Token: SeDebugPrivilege  756  e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe
  Token: SeDebugPrivilege  900  e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  Description                      PID  Process                                                                  procid_target  Count
  PID 756 wrote to memory of 1960  756  e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe  27             4
  PID 756 wrote to memory of 900   756  e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe  29             9
  The nine writes into PID 900 pair with the SetThreadContext entry above and form the process-hollowing sequence; the four writes into PID 1960 (schtasks.exe) have no matching thread-context change.
Processes

C:\Users\Admin\AppData\Local\Temp\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe  (PID 756)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (PID 1960, child of 756)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHmmhgfjXRj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E6A.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe  (PID 900, child of 756)
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken

Notes on the tree:
- The command line names System32\schtasks.exe but the executed image is SysWOW64\schtasks.exe: the parent is a 32-bit process on x64 Windows, so WoW64 file system redirection resolved System32 to SysWOW64.
- The task is created from an XML definition in the user's Temp directory (tmp1E6A.tmp), so its trigger and action are not visible in the command line; that XML file is the artifact to recover for the persistence details.
- PID 900 is a second copy of the sample whose command line is the literal, unsubstituted placeholder "{path}", and the parent both writes into its memory (the nine WriteProcessMemory IoCs) and sets its thread context. That is the process-hollowing sequence: the child's original image is overwritten with a payload and execution is redirected to it, so the memory of PID 900, not the file on disk, is what to dump and analyse.
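As an added worked example (not part of the sandbox report and not the sandbox's own detection code), the following Python script applies the two checks a triage analyst would run over the events above: pairing WriteProcessMemory with SetThreadContext per parent/child pair to separate hollowing from ordinary child creation, and inspecting the schtasks /Create command line for a task definition imported from a Temp directory. The input is a constructed transcription of the report's process list and injection IoCs; the record field names and the regular expressions are this script's own assumptions, not the sandbox's schema.

```python
import re

# Constructed input: a hand-copied subset of the sandbox report, flattened into
# one record per process and one line per injection IoC. The field names
# (pid, parent, image, cmdline) are this script's own, not the sandbox's schema.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe"

PROCESSES = [
    {"pid": 756, "parent": None, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 1960, "parent": 756, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHmmhgfjXRj" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp1E6A.tmp"'},
    {"pid": 900, "parent": 756, "image": SAMPLE, "cmdline": "{path}"},
]

# The 13 WriteProcessMemory IoCs and the single SetThreadContext IoC, as the
# report phrases them.
EVENTS = (["PID 756 wrote to memory of 1960"] * 4
          + ["PID 756 set thread context of 900"]
          + ["PID 756 wrote to memory of 900"] * 9)

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)$")


def parse_events(lines):
    """Count WriteProcessMemory / SetThreadContext IoCs per (source pid, target pid)."""
    pairs = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an injection IoC
        src, kind, dst = int(m.group(1)), m.group(2), int(m.group(3))
        counts = pairs.setdefault((src, dst), {"write": 0, "ctx": 0})
        counts["write" if kind.startswith("wrote") else "ctx"] += 1
    return pairs


def find_hollowing(processes, events):
    """Flag a parent that both writes into a child and sets its thread context.

    Writes alone (as into schtasks.exe here) are not enough; the thread-context
    change is what redirects execution into the written payload. Extra reasons
    are attached when the child is a copy of the parent's image or its command
    line is an unsubstituted template such as '{path}'.
    """
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for (src, dst), counts in parse_events(events).items():
        if not (counts["write"] and counts["ctx"]):
            continue
        parent, child = by_pid.get(src), by_pid.get(dst)
        if parent is None or child is None:
            continue
        reasons = ["WriteProcessMemory x%d and SetThreadContext x%d from %d into %d"
                   % (counts["write"], counts["ctx"], src, dst)]
        if child["image"].lower() == parent["image"].lower():
            reasons.append("child is a copy of the parent image (self-injection)")
        if "{path}" in child["cmdline"]:
            reasons.append("child command line is the literal placeholder '{path}'")
        findings.append({"src": src, "dst": dst, "reasons": reasons})
    return findings


# schtasks accepts /TN and /XML values quoted or unquoted; capture either form.
TN_RE = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)
XML_RE = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)


def _arg(match):
    return (match.group(1) or match.group(2)) if match else None


def find_suspicious_schtasks(processes):
    """Flag schtasks /Create calls that import a task definition from the user's
    Temp directory, which hides the trigger and action from the command line."""
    findings = []
    for p in processes:
        if not p["image"].lower().endswith("\\schtasks.exe"):
            continue
        cmd = p["cmdline"]
        if "/create" not in cmd.lower():
            continue
        reasons = []
        xml = _arg(XML_RE.search(cmd))
        if xml and "\\appdata\\local\\temp\\" in xml.lower():
            reasons.append("task XML imported from user Temp: " + xml)
        name = _arg(TN_RE.search(cmd))
        if name and name.lower().startswith("updates\\"):
            reasons.append("task name mimics an updater: " + name)
        if reasons:
            findings.append({"pid": p["pid"], "parent": p["parent"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(PROCESSES, EVENTS) + find_suspicious_schtasks(PROCESSES):
        print(finding)
```

Run against the constructed input, find_hollowing reports only the 756 -> 900 pair with all three reasons, while the four writes into 1960 are ignored because no thread-context change follows them; find_suspicious_schtasks reports PID 1960 for both the Temp-resident XML and the Updates\ task name.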
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB
MD5: 3cbfe74d85ccd22e569cdcdf6ff78eed
SHA1: 5803b5a447337683c17ad45de9659186acabe140
SHA256: d20ee9827288383d0d1db71957e9c32f1e04e5730c3ce910769037750fd1538a
SHA512: 0c4351ee97979f7ae117ebbefa672c7a1ba9b8138ca3fcc9cdc9944fa35c419b8af8b0d344b0c5dbfc8406aad43dcc25816fca8304431b41e3ca6043807c112e