Analysis
max time kernel: 151s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2022 02:38
Static task: static1
Behavioral task: behavioral1
  Sample: bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe
  Resource: win10v2004-20220901-en
General
Target: bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe
Size: 84KB
MD5: f7a01298c1186af504e422504788d9cf
SHA1: 899823d8b509a2b08993e6c8b29eef63d05d1992
SHA256: bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9
SHA512: 7d4086d040db36cdbf253e89b48ce076fb8ff7004bf3c8eadbc835eeb38646055567702d607d654f02cc5fad3d4cc6e435424aa922654b9ede6f55ce75f9efb9
SSDEEP: 1536:L2Ek2YwI+mwdQBGlF2e5kFWNTr1OVz+IHQV:LP1VFkoF2eC0Az+IH0
Malware Config
Signatures
resource / yara_rule
  behavioral1/memory/1280-57-0x0000000000400000-0x000000000040F000-memory.dmp / upx
  behavioral1/memory/1280-59-0x0000000000400000-0x000000000040F000-memory.dmp / upx
  behavioral1/memory/1280-60-0x0000000000400000-0x000000000040F000-memory.dmp / upx
  behavioral1/memory/1280-64-0x0000000000400000-0x000000000040F000-memory.dmp / upx
  behavioral1/memory/1280-65-0x0000000000400000-0x000000000040F000-memory.dmp / upx
  behavioral1/memory/1280-68-0x0000000000400000-0x000000000040F000-memory.dmp / upx
Deletes itself (1 IoCs)
  pid: 276; Process: cmd.exe
Suspicious use of SetThreadContext (1 IoCs)
  description: PID 1600 set thread context of 1280; pid: 1600; Process: bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe; procid_target: 27
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 1280; Process: svchost.exe (64 identical entries)
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 1600; Process: bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description: PID 1600 wrote to memory of 1280; pid: 1600; Process: bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe; procid_target: 27 (8 identical entries)
  description: PID 1600 wrote to memory of 276; pid: 1600; Process: bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe; procid_target: 28 (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe (PID: 1600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (PID: 1280)
    Command line: "C:\Windows\system32\svchost.exe"
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (PID: 276)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "
    - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 176B
MD5: 114fa56a27e1d62bcf7f5e53fe0a4b14
SHA1: d80039195fc522cb90d40e213684f5ba9f72821f
SHA256: fab65e28342bd6c887ac93f16372bc0719b61cfe28a2cd85edee4673d63324a4
SHA512: 23dbb4f4f33be60492d99c50a726a7f8173d414f7b1070d9dea75f577c4b6f870756b9260843eb247fe8939b06498dcacaaacd9b8c40fbe7d003fe1884eebee4