Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
resource tags
arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system -
submitted
19-07-2022 23:26
Static task
static1
Behavioral task
behavioral1
Sample
microsoft.exe
Resource
win7-20220718-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
microsoft.exe
Resource
win10v2004-20220718-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
microsoft.exe
-
Size
410KB
-
MD5
0c2c9f346c5c3d6ece9f0bd3241a356f
-
SHA1
4df27264caaea246eab651d618ad8e554cf1ad6e
-
SHA256
4a08fa0e9d46964ee88efa05ac7aec0a2889b8b7094fbb3834102423b1915593
-
SHA512
6fc7a2ae524184178a93fa729192b194ff387447f341153ea1ed840075b6c58ec1b3792fc0d9ba1e9426a4029c9a0ea920ed0673e2908c9d5bb803cedbd65263
Score
7/10
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
microsoft.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftwareLicensingProductWindows.lnk microsoft.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
microsoft.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 microsoft.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString microsoft.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
microsoft.exedescription pid process Token: SeDebugPrivilege 3768 microsoft.exe