Analysis
-
max time kernel
27s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 23:00
Static task
static1
Behavioral task
behavioral1
Sample
4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exe
Resource
win10v2004-20220414-en
General
-
Target
4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exe
-
Size
118KB
-
MD5
b2a783306993be4df58e0bdf5f40f5e4
-
SHA1
ff0daa080adc166de359d40b387711910ee277a8
-
SHA256
4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6
-
SHA512
522f6e672f69f6e328b9152b8b0caea4943a3936eed1accdb21f7cccd06a990f0b79b85853cd835dd1607aaf9156a7efa925e19fa37043dc4c350a8cd53f7208
Malware Config
Signatures
-
Drops startup file 2 IoCs
Processes:
4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe 4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe 4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exepid process 800 4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exedescription pid process Token: SeDebugPrivilege 800 4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.execmd.exedescription pid process target process PID 800 wrote to memory of 1208 800 4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exe cmd.exe PID 800 wrote to memory of 1208 800 4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exe cmd.exe PID 800 wrote to memory of 1208 800 4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exe cmd.exe PID 800 wrote to memory of 1208 800 4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exe cmd.exe PID 1208 wrote to memory of 1712 1208 cmd.exe reg.exe PID 1208 wrote to memory of 1712 1208 cmd.exe reg.exe PID 1208 wrote to memory of 1712 1208 cmd.exe reg.exe PID 1208 wrote to memory of 1712 1208 cmd.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exe"C:\Users\Admin\AppData\Local\Temp\4342092be0d494e067341332e3831f9f8c6051286e3adec975e88cd3d524beb6.exe"1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Modifies registry key