Analysis
- max time kernel: 42s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2022 20:58
Static task: static1
Behavioral task: behavioral1
- Sample: da415ce6c004349ee80c6e3c47c193fa1391f2ff3e308780017e6f93848eaeec.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: da415ce6c004349ee80c6e3c47c193fa1391f2ff3e308780017e6f93848eaeec.exe
- Resource: win10v2004-20220721-en
General
- Target: da415ce6c004349ee80c6e3c47c193fa1391f2ff3e308780017e6f93848eaeec.exe
- Size: 852KB
- MD5: bd367fcebc67575d8b305dfd49e5e0b7
- SHA1: 791fce7c34c80cfb75726e5284a3ef516dc44964
- SHA256: da415ce6c004349ee80c6e3c47c193fa1391f2ff3e308780017e6f93848eaeec
- SHA512: a27ff4ca8fadbd3fda529c83091187879b22becec2d2e4d538998b7086294240a951a82d16c39784be5ff7c8f8daf04cd3812e0aabf5eaf07e1365318f29264b
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe (PID 980)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe (PID 980), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 2012 (da415ce6c004349ee80c6e3c47c193fa1391f2ff3e308780017e6f93848eaeec.exe) wrote to memory of PID 980 (powershell.exe), 4 entries
    PID 2012 (da415ce6c004349ee80c6e3c47c193fa1391f2ff3e308780017e6f93848eaeec.exe) wrote to memory of PID 1388 (dw20.exe), 4 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\da415ce6c004349ee80c6e3c47c193fa1391f2ff3e308780017e6f93848eaeec.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\da415ce6c004349ee80c6e3c47c193fa1391f2ff3e308780017e6f93848eaeec.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\sysq.ps1"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 672
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\sysq.ps1
  Filesize: 24KB
  MD5: 67d5e76d5bf4e46f437cbea641892e4b
  SHA1: c213d0d29ce855fdf96da8900cc31679d6df43c3
  SHA256: 2cfb4d18d2afc27c40e98f42541e3e977c75af0fe2eee503a7723d46c5ebb8c3
  SHA512: c8f447834d97857b20365ed0a8440bbb36445e8e27947faf354552bb3481481f98d5033711d335f9578d7386602bd5f9c67208388228fce6dc0b0af9e0f46f16
- memory/980-56-0x0000000000000000-mapping.dmp
- memory/980-61-0x0000000074890000-0x0000000074E3B000-memory.dmp
  Filesize: 5.7MB
- memory/980-63-0x0000000074890000-0x0000000074E3B000-memory.dmp
  Filesize: 5.7MB
- memory/1388-58-0x0000000000000000-mapping.dmp
- memory/2012-54-0x0000000076601000-0x0000000076603000-memory.dmp
  Filesize: 8KB
- memory/2012-55-0x0000000074890000-0x0000000074E3B000-memory.dmp
  Filesize: 5.7MB
- memory/2012-59-0x0000000074890000-0x0000000074E3B000-memory.dmp
  Filesize: 5.7MB