Analysis
- max time kernel: 187s
- max time network: 233s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-06-2022 00:05

Static task: static1
Behavioral task: behavioral1
Sample: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
Resource: win7-20220414-en
General
- Target: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
- Size: 320KB
- MD5: b20733f2f81130783a51243733009222
- SHA1: fc7055cb65b424bcb39e16c12a32e0fd4ded11d0
- SHA256: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c
- SHA512: 702be5ed69bfb3129ba77571d3904afc0d8663887d6b3f848c4c6fdd40ced8416c9b7f8cdddd9a2b916f2bd969291e7b48dfd1c398d189ef9f6b810fa188141c
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
  - PID 1264: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe

- Deletes itself (1 IoC)
  Processes:
  - PID 1236: cmd.exe

- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 936: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
  - PID 936: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 1264: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, PID, process):
  - Token: SeDebugPrivilege, PID 936, 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
  - Token: SeDebugPrivilege, PID 1264, 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
  - Token: 33, PID 1264, 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
  - Token: SeIncBasePriorityPrivilege, PID 1264, 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - PID 1264: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, PID, process, procid_target):
  - PID 936 wrote to memory of 1264, PID 936, 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe, 29
  - PID 936 wrote to memory of 1264, PID 936, 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe, 29
  - PID 936 wrote to memory of 1264, PID 936, 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe, 29
  - PID 936 wrote to memory of 1264, PID 936, 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe, 29
  - PID 936 wrote to memory of 1236, PID 936, 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe, 30
  - PID 936 wrote to memory of 1236, PID 936, 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe, 30
  - PID 936 wrote to memory of 1236, PID 936, 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe, 30
  - PID 936 wrote to memory of 1236, PID 936, 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe, 30
  - PID 1236 wrote to memory of 1400, PID 1236, cmd.exe, 32
  - PID 1236 wrote to memory of 1400, PID 1236, cmd.exe, 32
  - PID 1236 wrote to memory of 1400, PID 1236, cmd.exe, 32
  - PID 1236 wrote to memory of 1400, PID 1236, cmd.exe, 32
Processes

- C:\Users\Admin\AppData\Local\Temp\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe"
  PID: 936
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe"
    PID: 1264
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe"
    PID: 1236
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 1.1.1.1 -n 1 -w 1000
      PID: 1400
      - Runs ping.exe

- C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 844
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
  Filesize: 320KB
  MD5: b20733f2f81130783a51243733009222
  SHA1: fc7055cb65b424bcb39e16c12a32e0fd4ded11d0
  SHA256: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c
  SHA512: 702be5ed69bfb3129ba77571d3904afc0d8663887d6b3f848c4c6fdd40ced8416c9b7f8cdddd9a2b916f2bd969291e7b48dfd1c398d189ef9f6b810fa188141c
- \Users\Admin\AppData\Local\Temp\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
  Filesize: 320KB
  MD5: b20733f2f81130783a51243733009222
  SHA1: fc7055cb65b424bcb39e16c12a32e0fd4ded11d0
  SHA256: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c
  SHA512: 702be5ed69bfb3129ba77571d3904afc0d8663887d6b3f848c4c6fdd40ced8416c9b7f8cdddd9a2b916f2bd969291e7b48dfd1c398d189ef9f6b810fa188141c