Analysis
max time kernel: 152s
max time network: 191s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 31-07-2022 23:57
Static task: static1
Behavioral task: behavioral1
  Sample: 5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
  Resource: win10v2004-20220722-en
General
Target: 5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
Size: 321KB
MD5: 4766270285f7bb69b2a93214c650f152
SHA1: 8a9ddce8c3ca9674adb69af3930a7424cfde9553
SHA256: 5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638
SHA512: 80b4d81c45c07b96226109a52c476ba4370377dc20609a274baae75659f72fc962df0b451d1e838a0b13df34a32c62f051225e77a79695055831a0e02148900d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1228  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1540  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
    1540  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    1228  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                        pid   process
    Token: SeDebugPrivilege            1540  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
    Token: SeDebugPrivilege            1228  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
    Token: 33                          1228  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
    Token: SeIncBasePriorityPrivilege  1228  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    1228  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                 target process
    PID 1540 wrote to memory of 1228   1540  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
    PID 1540 wrote to memory of 1228   1540  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
    PID 1540 wrote to memory of 1228   1540  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
    PID 1540 wrote to memory of 1228   1540  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
    PID 1540 wrote to memory of 548    1540  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe  cmd.exe
    PID 1540 wrote to memory of 548    1540  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe  cmd.exe
    PID 1540 wrote to memory of 548    1540  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe  cmd.exe
    PID 1540 wrote to memory of 548    1540  5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe  cmd.exe
    PID 548 wrote to memory of 1660    548   cmd.exe                                                                 PING.EXE
    PID 548 wrote to memory of 1660    548   cmd.exe                                                                 PING.EXE
    PID 548 wrote to memory of 1660    548   cmd.exe                                                                 PING.EXE
    PID 548 wrote to memory of 1660    548   cmd.exe                                                                 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1540
  - C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1228
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe"
    - Suspicious use of WriteProcessMemory
    PID:548
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 1.1.1.1 -n 1 -w 1000
      - Runs ping.exe
      PID:1660
- C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID:2032
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
  Filesize: 321KB
  MD5: 4766270285f7bb69b2a93214c650f152
  SHA1: 8a9ddce8c3ca9674adb69af3930a7424cfde9553
  SHA256: 5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638
  SHA512: 80b4d81c45c07b96226109a52c476ba4370377dc20609a274baae75659f72fc962df0b451d1e838a0b13df34a32c62f051225e77a79695055831a0e02148900d
- \Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
  Filesize: 321KB
  MD5: 4766270285f7bb69b2a93214c650f152
  SHA1: 8a9ddce8c3ca9674adb69af3930a7424cfde9553
  SHA256: 5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638
  SHA512: 80b4d81c45c07b96226109a52c476ba4370377dc20609a274baae75659f72fc962df0b451d1e838a0b13df34a32c62f051225e77a79695055831a0e02148900d