Analysis
-
max time kernel
136s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
23-05-2022 08:19
Static task
static1
Behavioral task
behavioral1
Sample
CashCat.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
CashCat.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
CashCat.exe
-
Size
518KB
-
MD5
e22f15441e597430b069dad9f72889fc
-
SHA1
6310f4db3726fdb52514718a402ede2db38c71bd
-
SHA256
fa6855733a1cca500f3088b535808fc8093d67cadc9b34ad4ca7ec0170b25e03
-
SHA512
b23e6c94b64cc18b42bbd6c95f07e335fb631fc8a003b01a64671e01067dbf8fa265cd4df30c6bfaca5ec61c068fa41d64b28b3c90bd88a1ee12ec13c7197469
Score
10/10
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
svchost.exedescription pid process Token: SeManageVolumePrivilege 2640 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\CashCat.exe"C:\Users\Admin\AppData\Local\Temp\CashCat.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2640-134-0x0000016F688D0000-0x0000016F688E0000-memory.dmpFilesize
64KB
-
memory/2640-135-0x0000016F689D0000-0x0000016F689E0000-memory.dmpFilesize
64KB
-
memory/3136-130-0x0000000000290000-0x0000000000318000-memory.dmpFilesize
544KB
-
memory/3136-131-0x0000000008BE0000-0x0000000008BE8000-memory.dmpFilesize
32KB
-
memory/3136-132-0x0000000009480000-0x00000000094B8000-memory.dmpFilesize
224KB
-
memory/3136-133-0x0000000009460000-0x000000000946E000-memory.dmpFilesize
56KB