Analysis
-
max time kernel
59s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
25-05-2022 00:15
General
-
Target
95b89635d7e70cbfb3927de75fca512f70c0e1969a047eea9978c3d786a3aa0a.exe
-
Size
78KB
-
MD5
528376e463b4a4162a2793dd2edc1d3e
-
SHA1
feb346d329280e763f3009b746ec75b22bdd27bb
-
SHA256
95b89635d7e70cbfb3927de75fca512f70c0e1969a047eea9978c3d786a3aa0a
-
SHA512
8ac1afc3d236b66800160e216835c913973301dd377f6c96f1b616a4fa45b935e09cf48618dac78b61913308d7a9ed312f94186573128770e1dc393829481a8c
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\95b89635d7e70cbfb3927de75fca512f70c0e1969a047eea9978c3d786a3aa0a.exe"C:\Users\Admin\AppData\Local\Temp\95b89635d7e70cbfb3927de75fca512f70c0e1969a047eea9978c3d786a3aa0a.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\95b89635d7e70cbfb3927de75fca512f70c0e1969a047eea9978c3d786a3aa0a.exe" /sc minute /mo 12⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Client.exe"C:\Users\Admin\AppData\Roaming\Client.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Client.exe" /sc minute /mo 13⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {777B93CD-8DE6-4E4B-A1C1-E37AE3B9423E} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\Client.exeC:\Users\Admin\AppData\Roaming\Client.exe2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Client.exe" /sc minute /mo 13⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Client.exe
-
C:\Users\Admin\AppData\Roaming\Client.exe
-
C:\Users\Admin\AppData\Roaming\Client.exe
-
\Users\Admin\AppData\Roaming\Client.exe
-
memory/556-73-0x0000000000000000-mapping.dmp
-
memory/624-57-0x0000000000000000-mapping.dmp
-
memory/772-64-0x0000000000000000-mapping.dmp
-
memory/1200-66-0x0000000000000000-mapping.dmp
-
memory/1208-68-0x0000000000000000-mapping.dmp
-
memory/1208-72-0x0000000074230000-0x00000000747DB000-memory.dmpFilesize
5.7MB
-
memory/1208-74-0x0000000000D65000-0x0000000000D76000-memory.dmpFilesize
68KB
-
memory/1400-71-0x0000000000000000-mapping.dmp
-
memory/1516-58-0x0000000000775000-0x0000000000786000-memory.dmpFilesize
68KB
-
memory/1516-54-0x00000000755A1000-0x00000000755A3000-memory.dmpFilesize
8KB
-
memory/1516-56-0x0000000074230000-0x00000000747DB000-memory.dmpFilesize
5.7MB
-
memory/1732-55-0x0000000000000000-mapping.dmp
-
memory/2028-60-0x0000000000000000-mapping.dmp
-
memory/2028-67-0x00000000008D5000-0x00000000008E6000-memory.dmpFilesize
68KB
-
memory/2028-65-0x0000000074230000-0x00000000747DB000-memory.dmpFilesize
5.7MB