Overview

overview

10

Static

static

Purchase o...ts.exe

windows7_x64

10

Purchase o...ts.exe

windows10-2004_x64

10

Tender Doc...ts.exe

windows7_x64

3

Tender Doc...ts.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    42s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 22:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tender Documents Arrow Electronics Components.exe

  • Size

    424KB

  • MD5

    f094dca28a6ce2605e0fbbf5a119807e

  • SHA1

    476167feac646617417834133571878436166918

  • SHA256

    b4ccf43f4738a566c201a3320e7ed4a49454359e8d85cc2470fd3caa820d4e29

  • SHA512

    72260c47ee5b96729ba5d88c4973b6b118e2f323ebffedeb2da0c3651c48b4c8c0e1e2047372a61fe6f6b737af8da448e146c30a3767c942fec3c000b8f7b26e

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tender Documents Arrow Electronics Components.exe
    "C:\Users\Admin\AppData\Local\Temp\Tender Documents Arrow Electronics Components.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZaGARaFt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9925.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:832
    • C:\Users\Admin\AppData\Local\Temp\Tender Documents Arrow Electronics Components.exe
      "{path}"
      2⤵
        PID:1000
      • C:\Users\Admin\AppData\Local\Temp\Tender Documents Arrow Electronics Components.exe
        "{path}"
        2⤵
          PID:1108
        • C:\Users\Admin\AppData\Local\Temp\Tender Documents Arrow Electronics Components.exe
          "{path}"
          2⤵
            PID:1044
          • C:\Users\Admin\AppData\Local\Temp\Tender Documents Arrow Electronics Components.exe
            "{path}"
            2⤵
              PID:1068
            • C:\Users\Admin\AppData\Local\Temp\Tender Documents Arrow Electronics Components.exe
              "{path}"
              2⤵
                PID:580

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp9925.tmp
              Filesize

              1KB

              MD5

              11b245f9c9b5fbd47db3781fec55e231

              SHA1

              826e15c45f82d40c2f50436d70e8dfd1854a02cf

              SHA256

              9d31549c3525d609edde701daea3be32ea2cf6b0c7960e5a6c9f0ef4e934399b

              SHA512

              fe170972e286a67b36b25fd67dea71251eaf58dd69bd7a828e9a71610c95700200a934610148b281ea287272d5a28e224fdca9eea314d8c1ce9891a3ca29d655

              Download Submit

            • memory/832-56-0x0000000000000000-mapping.dmp

              Download

            • memory/2024-54-0x0000000076011000-0x0000000076013000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2024-55-0x0000000074B90000-0x000000007513B000-memory.dmp

              Filesize

              5.7MB

              Download