Analysis
Max time kernel: 32s
Max time network: 48s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 25-06-2022 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: 9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe
  Resource: win10v2004-20220414-en
General
Target: 9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe
Size: 397KB
MD5: 7fc4300a6f6dea00b341018b3366e8be
SHA1: 05b8a1966cb6b423f9e0da49add7d7cd913a9c73
SHA256: 9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c
SHA512: dcc16e705fd42d295e64580585068aed496611506ae26783321e00f63d50bbd8efadff7573f0c6c8bcc59eb9009b1b0d88fa3d5cd778135e1c049bcc203bd26c
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    PID 944  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    PID 944  powershell.exe  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (source PID -> target PID):
    PID 1952 (9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe) wrote to memory of PID 944 (powershell.exe)
    PID 1952 (9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe) wrote to memory of PID 944 (powershell.exe)
    PID 1952 (9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe) wrote to memory of PID 944 (powershell.exe)
    PID 1952 (9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe) wrote to memory of PID 944 (powershell.exe)
Processes (tree depth shown by the leading number)
1. C:\Users\Admin\AppData\Local\Temp\9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
   Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\LUoUY.ps1"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\LUoUY.ps1
  Filesize: 24KB
  MD5: da9dc2ad19105e8daebc4b438c74aa12
  SHA1: 81c1f48dda44ad25de5693734613ae2c92282ade
  SHA256: 9d6c7d381757d0571869bcbca844d7a8742f5276269d7fb086e04ab11d9ba540
  SHA512: aa19b27f6ddbfd07cea33fdb248564224cfc585d80d41196ff0f2eb66a69644adac472a2a3526eba093d4439ba11c92b08a7e41bdf392d650a7f43e26973a1f7
- memory/944-56-0x0000000000000000-mapping.dmp
- memory/944-58-0x0000000074410000-0x00000000749BB000-memory.dmp
  Filesize: 5.7MB
- memory/944-60-0x0000000074410000-0x00000000749BB000-memory.dmp
  Filesize: 5.7MB
- memory/1952-54-0x0000000001120000-0x000000000118A000-memory.dmp
  Filesize: 424KB
- memory/1952-55-0x00000000765C1000-0x00000000765C3000-memory.dmp
  Filesize: 8KB