Overview

overview

7

Static

static

da415ce6c0...ec.exe

windows7-x64

3

da415ce6c0...ec.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    42s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2022 20:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da415ce6c004349ee80c6e3c47c193fa1391f2ff3e308780017e6f93848eaeec.exe

  • Size

    852KB

  • MD5

    bd367fcebc67575d8b305dfd49e5e0b7

  • SHA1

    791fce7c34c80cfb75726e5284a3ef516dc44964

  • SHA256

    da415ce6c004349ee80c6e3c47c193fa1391f2ff3e308780017e6f93848eaeec

  • SHA512

    a27ff4ca8fadbd3fda529c83091187879b22becec2d2e4d538998b7086294240a951a82d16c39784be5ff7c8f8daf04cd3812e0aabf5eaf07e1365318f29264b

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da415ce6c004349ee80c6e3c47c193fa1391f2ff3e308780017e6f93848eaeec.exe
    "C:\Users\Admin\AppData\Local\Temp\da415ce6c004349ee80c6e3c47c193fa1391f2ff3e308780017e6f93848eaeec.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\sysq.ps1"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:980
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 672
      2⤵
        PID:1388

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\sysq.ps1
      Filesize

      24KB

      MD5

      67d5e76d5bf4e46f437cbea641892e4b

      SHA1

      c213d0d29ce855fdf96da8900cc31679d6df43c3

      SHA256

      2cfb4d18d2afc27c40e98f42541e3e977c75af0fe2eee503a7723d46c5ebb8c3

      SHA512

      c8f447834d97857b20365ed0a8440bbb36445e8e27947faf354552bb3481481f98d5033711d335f9578d7386602bd5f9c67208388228fce6dc0b0af9e0f46f16

      Download Submit
    • memory/980-56-0x0000000000000000-mapping.dmp
      Download
    • memory/980-61-0x0000000074890000-0x0000000074E3B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/980-63-0x0000000074890000-0x0000000074E3B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1388-58-0x0000000000000000-mapping.dmp
      Download
    • memory/2012-54-0x0000000076601000-0x0000000076603000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2012-55-0x0000000074890000-0x0000000074E3B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2012-59-0x0000000074890000-0x0000000074E3B000-memory.dmp
      Filesize

      5.7MB

      Download