Analysis
- max time kernel: 87s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19-08-2022 09:39
- Static task: static1
- Behavioral task: behavioral1 (Sample: IM202208.exe; Resource: win7-20220812-en)
General
- Target: IM202208.exe
- Size: 727KB
- MD5: c1ca174fbfc7936f8d9d0aad755f29cf
- SHA1: 16ad7f314c9c2742886523ac256fbb4a5f4bfdb0
- SHA256: d08f75542680080f9d3393fc3bb0ced3c30335db5030c1f38a8d7a7aadb15794
- SHA512: e2ff294837639043c1b24cfee2eae281284ac9a563ad5e8d31a8ce7538f60447cb747508021b98326a78923e99159109fc908c390a8f3d570d7d91b6d24fa280
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid   process
  900   IM202208.exe (5 entries)
  2020  powershell.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  900   IM202208.exe
  Token: SeDebugPrivilege  2020  powershell.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (each source/target pair below is listed 4 times in the report, 28 entries in total):
  source pid  source process  target pid  target process   entries
  900         IM202208.exe    2020        powershell.exe   4
  900         IM202208.exe    1324        schtasks.exe     4
  900         IM202208.exe    572         IM202208.exe     4
  900         IM202208.exe    1400        IM202208.exe     4
  900         IM202208.exe    852         IM202208.exe     4
  900         IM202208.exe    1392        IM202208.exe     4
  900         IM202208.exe    764         IM202208.exe     4
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\IM202208.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uunNVGIyv.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - Image: C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uunNVGIyv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4E50.tmp"
    - Creates scheduled task(s)
  - Image: C:\Users\Admin\AppData\Local\Temp\IM202208.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
  - Image: C:\Users\Admin\AppData\Local\Temp\IM202208.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
  - Image: C:\Users\Admin\AppData\Local\Temp\IM202208.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
  - Image: C:\Users\Admin\AppData\Local\Temp\IM202208.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
  - Image: C:\Users\Admin\AppData\Local\Temp\IM202208.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4E50.tmp
  Filesize: 1KB
  MD5: fe9f002c892c56113f07e2dceab01bcf
  SHA1: 480d5da495655134a2749aecc4070f725456a3b8
  SHA256: 02a843d84169f5adad37680d8d38775e92d79cfd51b42d4eba0e36ec19e706ae
  SHA512: 87220652e4dc99a5fb55cf6b258c908778a317837ae5e9d40a30677c7d27ce773ba52ffce6c6c6623dee4ad9ca323c9819a217cb3b7c83915070d82089b0f9c4
- memory/900-54-0x00000000003F0000-0x00000000004AC000-memory.dmp
  Filesize: 752KB
- memory/900-55-0x0000000075C61000-0x0000000075C63000-memory.dmp
  Filesize: 8KB
- memory/900-56-0x00000000004B0000-0x00000000004CA000-memory.dmp
  Filesize: 104KB
- memory/900-57-0x00000000004D0000-0x00000000004DC000-memory.dmp
  Filesize: 48KB
- memory/900-58-0x0000000005FB0000-0x0000000006042000-memory.dmp
  Filesize: 584KB
- memory/900-63-0x0000000006040000-0x000000000608E000-memory.dmp
  Filesize: 312KB
- memory/1324-60-0x0000000000000000-mapping.dmp
- memory/2020-59-0x0000000000000000-mapping.dmp
- memory/2020-64-0x000000006F1C0000-0x000000006F76B000-memory.dmp
  Filesize: 5.7MB
- memory/2020-65-0x000000006F1C0000-0x000000006F76B000-memory.dmp
  Filesize: 5.7MB