Analysis
Max time kernel: 37s
Max time network: 41s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 16-06-2022 06:15
Static task: static1
Behavioral task: behavioral1
Sample: 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
Resource: win7-20220414-en
General
Target: 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
Size: 320KB
MD5: ab30a9e2d9d13fddd81c62c1e7c32b70
SHA1: 7b580bfabef1a13e88c36333603aaef09ca07a59
SHA256: 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f
SHA512: 156511283fd4bfee1ad596640be80e39fe0708c193cd6343aa90da874e57fb915a26b38e03d2fe5c51cb1c822e1c95ee4374f7089419a1891d8cd4ec7f884262
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 900 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
- Deletes itself (1 IoC)
  Processes: PID 744 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1400 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe; PID 1400 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 1400 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | procid_target):
  PID 1400 wrote to memory of 900 | 1400 | 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe | 28
  PID 1400 wrote to memory of 900 | 1400 | 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe | 28
  PID 1400 wrote to memory of 900 | 1400 | 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe | 28
  PID 1400 wrote to memory of 900 | 1400 | 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe | 28
  PID 1400 wrote to memory of 744 | 1400 | 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe | 29
  PID 1400 wrote to memory of 744 | 1400 | 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe | 29
  PID 1400 wrote to memory of 744 | 1400 | 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe | 29
  PID 1400 wrote to memory of 744 | 1400 | 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe | 29
  PID 744 wrote to memory of 1324 | 744 | cmd.exe | 31
  PID 744 wrote to memory of 1324 | 744 | cmd.exe | 31
  PID 744 wrote to memory of 1324 | 744 | cmd.exe | 31
  PID 744 wrote to memory of 1324 | 744 | cmd.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe"
   PID: 1400
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe"
      PID: 900
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe"
      PID: 744
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 1000
         PID: 1324
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
Filesize: 320KB
MD5: ab30a9e2d9d13fddd81c62c1e7c32b70
SHA1: 7b580bfabef1a13e88c36333603aaef09ca07a59
SHA256: 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f
SHA512: 156511283fd4bfee1ad596640be80e39fe0708c193cd6343aa90da874e57fb915a26b38e03d2fe5c51cb1c822e1c95ee4374f7089419a1891d8cd4ec7f884262
-
\Users\Admin\AppData\Local\Temp\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
Filesize: 320KB
MD5: ab30a9e2d9d13fddd81c62c1e7c32b70
SHA1: 7b580bfabef1a13e88c36333603aaef09ca07a59
SHA256: 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f
SHA512: 156511283fd4bfee1ad596640be80e39fe0708c193cd6343aa90da874e57fb915a26b38e03d2fe5c51cb1c822e1c95ee4374f7089419a1891d8cd4ec7f884262