Overview

overview

10

Static

static

10

2891b08c13...e4.exe

windows7_x64

10

2891b08c13...e4.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    68s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-06-2022 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2891b08c134238beeb08582e3465d77c0fff2ac4bf2cd67162b7402b7246ace4.exe

  • Size

    1.7MB

  • MD5

    ad389201c02e4edbeff9b26be6b0ea58

  • SHA1

    08b174b3890840b275aec4b6942772c61e07f4e4

  • SHA256

    2891b08c134238beeb08582e3465d77c0fff2ac4bf2cd67162b7402b7246ace4

  • SHA512

    b30a496bed466136c662f9b69b9504161203458d9fc5e5afbce6175a446402526705eb9c82637e6d4bcd264b26978704829786cb8ea5e6030fc6dedef611cd82

Score
10/10
suricata

Malware Config

Signatures

  • suricata: ET MALWARE Legion Loader Activity Observed (suspira)

    suricata: ET MALWARE Legion Loader Activity Observed (suspira)

    suricata
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2891b08c134238beeb08582e3465d77c0fff2ac4bf2cd67162b7402b7246ace4.exe
    "C:\Users\Admin\AppData\Local\Temp\2891b08c134238beeb08582e3465d77c0fff2ac4bf2cd67162b7402b7246ace4.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4480
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1844
      2⤵
      • Program crash
      PID:4776
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4480 -ip 4480
    1⤵
      PID:2460

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads