83ffbe63dd41a1a9d2d68fb1b72f6dffcf8e76ecefb8683ee47f6651f58b20a1 | Triage

Resubmissions

01-06-2022 16:41

220601-t7dhraebdq 10

01-06-2022 16:38

220601-t5k5taafc2 1

Analysis

max time kernel
130s
max time network
40s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-06-2022 16:41

Sharing

Report Analysis Logs

General

Target

windows_x64_encrypt.exe
Size

661KB
MD5

d2fab5d65d761b5efd229f0695e67011
SHA1

5480999819b359ed4f1ec284e74f8a33aa127915
SHA256

83ffbe63dd41a1a9d2d68fb1b72f6dffcf8e76ecefb8683ee47f6651f58b20a1
SHA512

dddd949221c9f1d5b425aaf4a026cec41205f78128e6b2a7aa94203c882903da87e4f5b052f36e5f9f4f91105554f86c0cf36d838c77948f438fbfda57934b3a

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	Process
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
1292	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskmgr.exeAUDIODG.EXE

description	pid	Process
Token: SeDebugPrivilege	1292	taskmgr.exe
Token: 33	1448	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1448	AUDIODG.EXE
Token: 33	1448	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1448	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	Process
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	Process
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe
C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe -u test:test
1⤵
PID:1280

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1896

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1292

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1292-56-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1896-54-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmp

Filesize
8KB

Download