Analysis
max time kernel: 143s
max time network: 122s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 24-07-2022 20:52
Static task: static1
Behavioral task: behavioral1
  Sample: b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
  Resource: win10v2004-20220721-en
General
Target: b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
Size: 1.5MB
MD5: 572b24052c1d26c031b80a52c47d8af6
SHA1: 6c2faf8bc87ddc6c326f2d574ba5a5d1caea47d0
SHA256: b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12
SHA512: c730ff51c3db83044ad7ea818939112e786da6a4c75f8de923efdec083c0f08c91d3e28e2ef36279e3deaf3fb4c2a49c47f694273ec31e070ef0d0d1b4ead1ff
Malware Config
Signatures
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | Process | procid_target
PID 1616 set thread context of 1236 | 1616 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | 27
Read together with the nine WriteProcessMemory calls from 1616 into 1236 listed below and the process tree, where PID 1236 is a second instance of the same executable nested under 1616, this is the sequence of process hollowing (RunPE): the first instance writes a payload into a child copy of itself and then redirects the child's thread to it. The report does not show the CreateProcess flags, so whether the child was created suspended is not visible here.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the signature's generic description: it is recorded as a TTP rather than an IoC and no process or API call is listed for it, so this run gives no specific evidence of file encryption; do not read the ransomware wording as a finding about this sample.
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | Process
1236 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
1236 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 1616 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
Token: SeDebugPrivilege | 1236 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | Process | procid_target
PID 1616 wrote to memory of 1236 | 1616 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | 27
PID 1616 wrote to memory of 1236 | 1616 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | 27
PID 1616 wrote to memory of 1236 | 1616 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | 27
PID 1616 wrote to memory of 1236 | 1616 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | 27
PID 1616 wrote to memory of 1236 | 1616 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | 27
PID 1616 wrote to memory of 1236 | 1616 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | 27
PID 1616 wrote to memory of 1236 | 1616 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | 27
PID 1616 wrote to memory of 1236 | 1616 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | 27
PID 1616 wrote to memory of 1236 | 1616 | b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | 27
Processes
(nesting shows the tree depth of the original report)
1. C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe"
   PID: 1616
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe"
      PID: 1236
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      3. C:\Program Files\Java\jre7\bin\javaw.exe
         Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tsd.jar"
         PID: 336
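As an added example (not part of this sandbox report and not the sandbox vendor's own tooling), the following Python turns the flattened signature rows and process tree above into structured events and applies the two checks a detection engineer would derive from this run: the parent-writes-into-child-copy-of-itself-then-SetThreadContext pattern (process hollowing), and javaw.exe launching a JAR out of the user's profile under a non-Java parent. The row layout and PIDs are taken from this page; the parent/child links are my reading of the tree's nesting, and the `-jar`-under-AppData heuristic is my own, not a signature the report contains.

```python
import re
from collections import Counter

SAMPLE = "b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe"

# Rows copied from the flattened "Suspicious use of ..." tables in the report.
# The nine WriteProcessMemory rows are identical in the original, so they are
# generated here rather than pasted nine times.
SIGNATURE_ROWS = [
    f"PID 1616 set thread context of 1236 1616 {SAMPLE} 27",
    *[f"PID 1616 wrote to memory of 1236 1616 {SAMPLE} 27" for _ in range(9)],
    f"Token: SeDebugPrivilege 1616 {SAMPLE}",
    f"Token: SeDebugPrivilege 1236 {SAMPLE}",
]

# Process tree from the "Processes" section as (pid, parent_pid, command line).
# Parent links follow the tree's nesting depth; that mapping is my reading of
# the report, not a field the report states explicitly.
PROCESS_TREE = [
    (1616, None, f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'),
    (1236, 1616, f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'),
    (336, 1236, '"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe" -jar '
                '"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\tsd.jar"'),
]

# Row layout: description | pid | Process | procid_target (sandbox-internal index).
ROW_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\d+)$")
TOKEN_RE = re.compile(r"^Token: (\w+) (\d+) (\S+)$")


def parse_signature_rows(rows):
    """Return (events, tokens): events are (api, src_pid, dst_pid, image),
    tokens are (privilege, pid, image)."""
    events, tokens = [], []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            api = "SetThreadContext" if m.group(2).startswith("set") else "WriteProcessMemory"
            events.append((api, int(m.group(1)), int(m.group(3)), m.group(4)))
            continue
        m = TOKEN_RE.match(row)
        if m:
            tokens.append((m.group(1), int(m.group(2)), m.group(3)))
    return events, tokens


def image_name(cmdline):
    """Lower-cased basename of the executable in a (possibly quoted) command line."""
    exe = cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def find_hollowing(events, tree):
    """Flag a parent that writes into a child running the same image and then
    resets that child's thread context: the RunPE / process-hollowing sequence.
    Returns (parent_pid, child_pid, write_count) tuples."""
    parent_of = {pid: ppid for pid, ppid, _ in tree}
    image_of = {pid: image_name(cmd) for pid, _, cmd in tree}
    writes = Counter((s, d) for api, s, d, _ in events if api == "WriteProcessMemory")
    context_resets = {(s, d) for api, s, d, _ in events if api == "SetThreadContext"}
    return [
        (src, dst, writes[(src, dst)])
        for src, dst in sorted(context_resets)
        if parent_of.get(dst) == src
        and image_of.get(src) == image_of.get(dst)
        and writes[(src, dst)] > 0
    ]


def find_user_profile_jars(tree):
    """Flag javaw.exe started with -jar on a JAR under the user's AppData by a
    parent that is not itself Java. Returns (pid, parent_pid, jar_path)."""
    image_of = {pid: image_name(cmd) for pid, _, cmd in tree}
    hits = []
    for pid, ppid, cmd in tree:
        if image_of[pid] != "javaw.exe":
            continue
        m = re.search(r'-jar\s+"?([^"]+?\.jar)"?', cmd, re.IGNORECASE)
        if m and "\\appdata\\" in m.group(1).lower() \
                and image_of.get(ppid, "") not in ("java.exe", "javaw.exe"):
            hits.append((pid, ppid, m.group(1)))
    return hits


if __name__ == "__main__":
    ev, tok = parse_signature_rows(SIGNATURE_ROWS)
    print("hollowing:", find_hollowing(ev, PROCESS_TREE))
    print("user-profile JARs:", find_user_profile_jars(PROCESS_TREE))
    print("SeDebugPrivilege holders:", [pid for _, pid, _ in tok])
```

The hollowing check deliberately requires all three conditions (child of the writer, same image, at least one write before the context reset) so that ordinary debugger or installer activity against an unrelated process does not trip it; the JAR check keys on the profile path rather than on `javaw.exe` itself, since Java launching from Program Files is normal.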
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 473KB
MD5: 7da7000ca39ce69997bbcad56fa8d180
SHA1: 5178465612c87a838fdfaa03b2148baf05a71768
SHA256: 9d817b32fd59dbbe3a17f0c73d4be0b3301df89be5389bb2e81532bda93e34f8
SHA512: 5999a976b75bbc457c1b38fa6e0f8149e9ffeedf3e5895d9b4478ffa94d53bf8d38b1df8aa8238423f6eb5b89c0a4bb36fa342033c6597214d12c6def53887d4