Overview

overview

10

Static

static

IM202208.exe

windows7-x64

3

IM202208.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-08-2022 09:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IM202208.exe

  • Size

    727KB

  • MD5

    c1ca174fbfc7936f8d9d0aad755f29cf

  • SHA1

    16ad7f314c9c2742886523ac256fbb4a5f4bfdb0

  • SHA256

    d08f75542680080f9d3393fc3bb0ced3c30335db5030c1f38a8d7a7aadb15794

  • SHA512

    e2ff294837639043c1b24cfee2eae281284ac9a563ad5e8d31a8ce7538f60447cb747508021b98326a78923e99159109fc908c390a8f3d570d7d91b6d24fa280

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IM202208.exe
    "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uunNVGIyv.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uunNVGIyv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4E50.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1324
    • C:\Users\Admin\AppData\Local\Temp\IM202208.exe
      "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
      2⤵
        PID:572
      • C:\Users\Admin\AppData\Local\Temp\IM202208.exe
        "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
        2⤵
          PID:1400
        • C:\Users\Admin\AppData\Local\Temp\IM202208.exe
          "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
          2⤵
            PID:852
          • C:\Users\Admin\AppData\Local\Temp\IM202208.exe
            "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
            2⤵
              PID:1392
            • C:\Users\Admin\AppData\Local\Temp\IM202208.exe
              "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
              2⤵
                PID:764

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp4E50.tmp
              Filesize

              1KB

              MD5

              fe9f002c892c56113f07e2dceab01bcf

              SHA1

              480d5da495655134a2749aecc4070f725456a3b8

              SHA256

              02a843d84169f5adad37680d8d38775e92d79cfd51b42d4eba0e36ec19e706ae

              SHA512

              87220652e4dc99a5fb55cf6b258c908778a317837ae5e9d40a30677c7d27ce773ba52ffce6c6c6623dee4ad9ca323c9819a217cb3b7c83915070d82089b0f9c4

              Download Submit
            • memory/900-54-0x00000000003F0000-0x00000000004AC000-memory.dmp
              Filesize

              752KB

              Download
            • memory/900-55-0x0000000075C61000-0x0000000075C63000-memory.dmp
              Filesize

              8KB

              Download
            • memory/900-56-0x00000000004B0000-0x00000000004CA000-memory.dmp
              Filesize

              104KB

              Download
            • memory/900-57-0x00000000004D0000-0x00000000004DC000-memory.dmp
              Filesize

              48KB

              Download
            • memory/900-58-0x0000000005FB0000-0x0000000006042000-memory.dmp
              Filesize

              584KB

              Download
            • memory/900-63-0x0000000006040000-0x000000000608E000-memory.dmp
              Filesize

              312KB

              Download
            • memory/1324-60-0x0000000000000000-mapping.dmp
              Download
            • memory/2020-59-0x0000000000000000-mapping.dmp
              Download
            • memory/2020-64-0x000000006F1C0000-0x000000006F76B000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/2020-65-0x000000006F1C0000-0x000000006F76B000-memory.dmp
              Filesize

              5.7MB

              Download