Analysis
max time kernel: 142s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2022 19:33

Static task: static1
Behavioral task: behavioral1
Sample: 4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
Resource: win7-20220715-en (windows7-x64)
7 signatures
150 seconds
General
Target: 4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
Size: 211KB
MD5: 35e92fe30af505779b26a7b877eb0f70
SHA1: 9936ba4740f138abb49f07d282ee18b5997ba648
SHA256: 4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf
SHA512: a8342cf4bd5f7b1bcc72687df083017672c0421f45d2973f48bafa03f7a07a19e6aef07777b93d41b27f59b738ae12126d0a351b07b8b82ad6bd5d2eb48a5ef9
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes: 4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe, 4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe, uuidgensubs.exe, uuidgensubs.exe
pid   process
2364  4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
2364  4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
1708  4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
1708  4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
1088  uuidgensubs.exe
1088  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe
1104  uuidgensubs.exe

Suspicious behavior: RenamesItself (1 IoCs)
Processes: 4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
pid   process
1708  4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe, uuidgensubs.exe
description                          pid   process                                                                  target process
PID 2364 wrote to memory of 1708     2364  4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe    4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
PID 2364 wrote to memory of 1708     2364  4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe    4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
PID 2364 wrote to memory of 1708     2364  4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe    4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
PID 1088 wrote to memory of 1104     1088  uuidgensubs.exe                                                          uuidgensubs.exe
PID 1088 wrote to memory of 1104     1088  uuidgensubs.exe                                                          uuidgensubs.exe
PID 1088 wrote to memory of 1104     1088  uuidgensubs.exe                                                          uuidgensubs.exe
Processes

C:\Users\Admin\AppData\Local\Temp\4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2364
    C:\Users\Admin\AppData\Local\Temp\4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      PID: 1708

C:\Windows\SysWOW64\uuidgensubs.exe
  Command line: "C:\Windows\SysWOW64\uuidgensubs.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1088
    C:\Windows\SysWOW64\uuidgensubs.exe
      Command line: "C:\Windows\SysWOW64\uuidgensubs.exe"
      - Suspicious behavior: EnumeratesProcesses
      PID: 1104