Analysis

  • max time kernel
    143s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-07-2022 20:52

General

  • Target

    b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe

  • Size

    1.5MB

  • MD5

    572b24052c1d26c031b80a52c47d8af6

  • SHA1

    6c2faf8bc87ddc6c326f2d574ba5a5d1caea47d0

  • SHA256

    b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12

  • SHA512

    c730ff51c3db83044ad7ea818939112e786da6a4c75f8de923efdec083c0f08c91d3e28e2ef36279e3deaf3fb4c2a49c47f694273ec31e070ef0d0d1b4ead1ff

Score
6/10

Malware Config

Signatures

  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
    "C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
      "C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
      • C:\Program Files\Java\jre7\bin\javaw.exe
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tsd.jar"
        3⤵
        PID:336

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tsd.jar

    Filesize

    473KB

    MD5

    7da7000ca39ce69997bbcad56fa8d180

    SHA1

    5178465612c87a838fdfaa03b2148baf05a71768

    SHA256

    9d817b32fd59dbbe3a17f0c73d4be0b3301df89be5389bb2e81532bda93e34f8

    SHA512

    5999a976b75bbc457c1b38fa6e0f8149e9ffeedf3e5895d9b4478ffa94d53bf8d38b1df8aa8238423f6eb5b89c0a4bb36fa342033c6597214d12c6def53887d4

  • memory/336-69-0x0000000000000000-mapping.dmp

  • memory/336-81-0x0000000002190000-0x0000000005190000-memory.dmp

    Filesize

    48.0MB

  • memory/336-70-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

    Filesize

    8KB

  • memory/1236-57-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/1236-59-0x00000000000C0000-0x0000000000196000-memory.dmp

    Filesize

    856KB

  • memory/1236-60-0x00000000000C0000-0x0000000000196000-memory.dmp

    Filesize

    856KB

  • memory/1236-64-0x00000000000C0000-0x0000000000196000-memory.dmp

    Filesize

    856KB

  • memory/1236-67-0x00000000000C0000-0x0000000000196000-memory.dmp

    Filesize

    856KB

  • memory/1236-58-0x00000000004D0CFE-mapping.dmp

  • memory/1236-82-0x0000000002210000-0x000000000221A000-memory.dmp

    Filesize

    40KB

  • memory/1616-54-0x00000000003D0000-0x0000000000556000-memory.dmp

    Filesize

    1.5MB

  • memory/1616-56-0x00000000758B1000-0x00000000758B3000-memory.dmp

    Filesize

    8KB

  • memory/1616-55-0x0000000000230000-0x0000000000240000-memory.dmp

    Filesize

    64KB