Analysis
- max time kernel: 64s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-06-2022 23:42

Static task: static1
Behavioral task: behavioral1
- Sample: 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
- Resource: win7-20220414-en
0 signatures
0 seconds
General
- Target: 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
- Size: 221KB
- MD5: 93a1498df07b4d368895de25c32be22e
- SHA1: cd4ec1f2efc6cc9474777a37ee9743681ac6a94a
- SHA256: 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446
- SHA512: b3486e1380aab5d30d5a44fa4d61aa12da8229929fadf9021cf3b89536f9d564bee648c0ad6b8680fb05ad4edb46785d65b8945c4f54311b0930ebafec911ba2
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but nothing else in this run supports that: no file encryption or bulk file modification is recorded, and the only other behaviour captured is the self-relaunch, the ping delay and the self-overwrite shown in the process tree below.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    1948  16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
    2008  16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
    2008  16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each cross-process write is recorded separately):
    description                      pid   process                                                                  target process
    PID 1948 wrote to memory of 2008 1948  16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe    16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
    PID 1948 wrote to memory of 2008 1948  16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe    16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
    PID 1948 wrote to memory of 2008 1948  16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe    16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
    PID 1948 wrote to memory of 2008 1948  16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe    16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
    PID 1948 wrote to memory of 888  1948  16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe    cmd.exe
    PID 1948 wrote to memory of 888  1948  16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe    cmd.exe
    PID 1948 wrote to memory of 888  1948  16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe    cmd.exe
    PID 1948 wrote to memory of 888  1948  16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe    cmd.exe
    PID 888 wrote to memory of 2044  888   cmd.exe                                                                  PING.EXE
    PID 888 wrote to memory of 2044  888   cmd.exe                                                                  PING.EXE
    PID 888 wrote to memory of 2044  888   cmd.exe                                                                  PING.EXE
    PID 888 wrote to memory of 2044  888   cmd.exe                                                                  PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe /C
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe (child of 1)
      Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (child of the cmd.exe above)
         Command line: ping.exe -n 6 127.0.0.1
         - Runs ping.exe

Notes on the tree:
- Matching the PIDs from the WriteProcessMemory table: the sample (1948) launches a second copy of itself with the /C switch (2008) and a cmd.exe (888); cmd.exe launches PING.EXE (2044).
- cmd.exe resolves to C:\Windows\SysWOW64\cmd.exe although the command line names System32: the sample is a 32-bit process, so the path is redirected by WOW64 file-system redirection.
- ping.exe -n 6 127.0.0.1 sends six echo requests to loopback, roughly five seconds of wall-clock time; it is used as a sleep. After the delay, type ... calc.exe > <sample path> overwrites the sample on disk with a copy of calc.exe. Windows will not allow a write to an executable image that is still mapped by a running process, so the delay gives the sample (1948 and its /C child 2008) time to exit first. The net effect is that the original file is replaced with a benign binary rather than deleted, which defeats naive file-hash collection after the fact.
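The ping-delay-then-self-overwrite pattern in the cmd.exe command line above is easy to hunt for in process-creation telemetry. The following detector is an added example and not part of the sandbox report or of the sample's own code. It assumes Sysmon-style process-creation events reduced to a few fields (pid, ppid, image, parent_image, command_line); apart from the cmd.exe event copied from the tree above, the events are constructed for illustration. It flags a cmd.exe whose command line stalls with a loopback ping and then redirects output over, or deletes, its own parent's image path, and it generalises the page's `type ... > sample.exe` case to the `del` variant and to `&&` chaining.

```python
"""Detect "ping loopback as a sleep, then overwrite/delete the parent image" in
process-creation events. Added example; event format and sample events are
assumptions, not data from the sandbox report (except the cmd.exe event)."""
import re
from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

_PING_RE = re.compile(r"\bping(?:\.exe)?\b(.*)$", re.IGNORECASE)
_COUNT_RE = re.compile(r"-n\s+(\d+)", re.IGNORECASE)
_REDIRECT_RE = re.compile(r">>?\s*(?:\"([^\"]+)\"|(\S+))")
_DEL_RE = re.compile(r"^\s*(?:del|erase)\b(.*)$", re.IGNORECASE)


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: strip quotes, unify slashes, lower-case."""
    return path.strip().strip('"').replace("/", "\\").lower()


def _split_cmd(cmdline: str) -> list[str]:
    # Split on cmd.exe's & and && separators. Quoted '&' inside paths is not handled;
    # a full cmd.exe parser is out of scope for this pattern.
    return [s for s in re.split(r"\s*&&?\s*", cmdline) if s]


def _ping_delay(segment: str):
    """Approximate seconds stalled if the segment pings a loopback address, else None."""
    m = _PING_RE.search(segment)
    if not m:
        return None
    rest = m.group(1)
    tokens = rest.replace('"', " ").split()
    if not any(t.lower() in LOOPBACK for t in tokens):
        return None
    c = _COUNT_RE.search(rest)
    count = int(c.group(1)) if c else 4  # Windows ping defaults to 4 echo requests
    return max(count - 1, 0)  # ~1 s between requests; loopback replies are instant


def _file_targets(segment: str) -> list[tuple[str, str]]:
    """Paths this segment deletes or redirects output into, as (kind, normalised path)."""
    targets = []
    d = _DEL_RE.match(segment)
    if d:
        tokens = re.findall(r'"[^"]*"|\S+', d.group(1))
        targets += [("delete", _norm(t)) for t in tokens if not t.startswith("/")]
    for m in _REDIRECT_RE.finditer(segment):
        targets.append(("overwrite", _norm(m.group(1) or m.group(2))))
    return targets


@dataclass
class Finding:
    pid: int
    parent_image: str
    kind: str  # "overwrite" or "delete"
    delay_seconds: int
    command_line: str


def detect_self_tamper(events: list[dict]) -> list[Finding]:
    """Return one Finding per cmd.exe that sleeps via loopback ping and then tampers
    with its parent's own image file."""
    findings = []
    for ev in events:
        if _norm(ev["image"]).rsplit("\\", 1)[-1] != "cmd.exe":
            continue
        segments = _split_cmd(ev["command_line"])
        delays = [d for d in map(_ping_delay, segments) if d is not None]
        if not delays:
            continue  # no loopback stall, so not this pattern
        parent = _norm(ev["parent_image"])
        for seg in segments:
            for kind, path in _file_targets(seg):
                if path == parent:
                    findings.append(Finding(ev["pid"], ev["parent_image"], kind,
                                            sum(delays), ev["command_line"]))
    return findings


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe")

# Constructed events. The first mirrors the cmd.exe launch in the process tree above.
EVENTS = [
    {"pid": 888, "ppid": 1948, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "parent_image": SAMPLE,
     "command_line": '"C:\\Windows\\System32\\cmd.exe" /c ping.exe -n 6 127.0.0.1 & '
                     'type "C:\\Windows\\System32\\calc.exe" > "' + SAMPLE + '"'},
    {"pid": 1312, "ppid": 1300, "image": "C:\\Windows\\System32\\cmd.exe",  # self-delete variant
     "parent_image": "C:\\Users\\Admin\\AppData\\Roaming\\dropper.exe",
     "command_line": 'cmd.exe /c ping -n 3 127.0.0.1 && del /f /q '
                     '"C:\\Users\\Admin\\AppData\\Roaming\\dropper.exe"'},
    {"pid": 2100, "ppid": 2090, "image": "C:\\Windows\\System32\\cmd.exe",  # benign: other target
     "parent_image": "C:\\Tools\\healthcheck.exe",
     "command_line": "cmd.exe /c ping -n 2 127.0.0.1 & type C:\\Tools\\banner.txt > C:\\Tools\\out.txt"},
    {"pid": 2200, "ppid": 2190, "image": "C:\\Windows\\System32\\cmd.exe",  # benign: remote ping
     "parent_image": "C:\\Tools\\netcheck.exe",
     "command_line": "cmd.exe /c ping -n 4 10.0.0.5 & del C:\\Tools\\netcheck.exe"},
]

if __name__ == "__main__":
    for f in detect_self_tamper(EVENTS):
        print(f"pid {f.pid}: {f.kind} of own image after ~{f.delay_seconds}s stall: {f.parent_image}")
```

Run as a script it reports the two tampering cases (the page's overwrite and the constructed delete) and stays quiet on the two benign events. The parent-image comparison is the key: a loopback ping plus a `del` or redirect is common in installers and scripts, but the target being the parent's own executable is what makes it self-cleanup.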