83ffbe63dd41a1a9d2d68fb1b72f6dffcf8e76ecefb8683ee47f6651f58b20a1 | Triage

Resubmissions

01-06-2022 16:41

220601-t7dhraebdq 10

01-06-2022 16:38

220601-t5k5taafc2 1

Analysis

max time kernel
93s
max time network
55s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-06-2022 16:38

Sharing

Report Analysis Logs

General

Target

windows_x64_encrypt.exe
Size

661KB
MD5

d2fab5d65d761b5efd229f0695e67011
SHA1

5480999819b359ed4f1ec284e74f8a33aa127915
SHA256

83ffbe63dd41a1a9d2d68fb1b72f6dffcf8e76ecefb8683ee47f6651f58b20a1
SHA512

dddd949221c9f1d5b425aaf4a026cec41205f78128e6b2a7aa94203c882903da87e4f5b052f36e5f9f4f91105554f86c0cf36d838c77948f438fbfda57934b3a

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
892	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	892	taskmgr.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe
892	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe
"C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe"
1⤵
PID:1100

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:892

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/892-54-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/892-55-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/892-56-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download