Analysis
- max time kernel: 62s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 16:05
Static task: static1
Behavioral task: behavioral1
  Sample: a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe
  Resource: win10v2004-20220414-en
General
- Target: a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe
- Size: 935KB
- MD5: bba6ba82caeb5b34de59cd5a0e6a7695
- SHA1: 615d2d6f93d0354ddb853bc143ac6e7fe74a0193
- SHA256: a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759
- SHA512: c46dd4a1a317db987740610639877af4ee7456e342800d5cd29bf31c848cc58252d5596f408233c234a40ab9bc05a483a6fd1ef1f942d073db45fbf387d16d29
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   | process
    1008  | service.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe, cmd.exe, taskeng.exe, service.exe, cmd.exe
    description                        | pid  | process                                                                  | target process
    PID 1504 wrote to memory of 1660   | 1504 | a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe | cmd.exe
    PID 1504 wrote to memory of 1660   | 1504 | a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe | cmd.exe
    PID 1504 wrote to memory of 1660   | 1504 | a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe | cmd.exe
    PID 1504 wrote to memory of 1660   | 1504 | a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe | cmd.exe
    PID 1660 wrote to memory of 364    | 1660 | cmd.exe                                                                  | schtasks.exe
    PID 1660 wrote to memory of 364    | 1660 | cmd.exe                                                                  | schtasks.exe
    PID 1660 wrote to memory of 364    | 1660 | cmd.exe                                                                  | schtasks.exe
    PID 1660 wrote to memory of 364    | 1660 | cmd.exe                                                                  | schtasks.exe
    PID 1728 wrote to memory of 1008   | 1728 | taskeng.exe                                                              | service.exe
    PID 1728 wrote to memory of 1008   | 1728 | taskeng.exe                                                              | service.exe
    PID 1728 wrote to memory of 1008   | 1728 | taskeng.exe                                                              | service.exe
    PID 1728 wrote to memory of 1008   | 1728 | taskeng.exe                                                              | service.exe
    PID 1008 wrote to memory of 1144   | 1008 | service.exe                                                              | cmd.exe
    PID 1008 wrote to memory of 1144   | 1008 | service.exe                                                              | cmd.exe
    PID 1008 wrote to memory of 1144   | 1008 | service.exe                                                              | cmd.exe
    PID 1008 wrote to memory of 1144   | 1008 | service.exe                                                              | cmd.exe
    PID 1144 wrote to memory of 540    | 1144 | cmd.exe                                                                  | schtasks.exe
    PID 1144 wrote to memory of 540    | 1144 | cmd.exe                                                                  | schtasks.exe
    PID 1144 wrote to memory of 540    | 1144 | cmd.exe                                                                  | schtasks.exe
    PID 1144 wrote to memory of 540    | 1144 | cmd.exe                                                                  | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      Signatures: Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0EE1D346-F158-441F-B3B9-0D75E9AA8711} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\service.exe
    Command line: C:\Users\Admin\AppData\Roaming\service.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  Signatures: Creates scheduled task(s)
- C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  Signatures: Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\service.exe
- C:\Users\Admin\AppData\Roaming\service.exe
- memory/364-56-0x0000000000000000-mapping.dmp
- memory/540-62-0x0000000000000000-mapping.dmp
- memory/1008-58-0x0000000000000000-mapping.dmp
- memory/1144-61-0x0000000000000000-mapping.dmp
- memory/1504-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp (Filesize: 8KB)
- memory/1660-55-0x0000000000000000-mapping.dmp