Analysis
-
max time kernel
43s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
29/09/2022, 09:34
Static task
static1
Behavioral task
behavioral1
Sample
RF202201002.exe
Resource
win7-20220901-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
RF202201002.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
RF202201002.exe
-
Size
741KB
-
MD5
4e6f0d386462dba844d2842442430b68
-
SHA1
32ad4cfd2bbf88aa057e7928ee11c0ab76a6ef0e
-
SHA256
eb7562547f5d2ac7f6da17ec4c1e0195715ed4309ef43d5d0cc49ec073207ff5
-
SHA512
883a094fd663912c69c6f2b96328add6ae064ceb0c82bb28e4e8f9212ce5534816312b99e05423d9baea18a781704d00c970b5be7af2490bd8c2b0243e992e67
-
SSDEEP
12288:VslvVxN02iN9ADqjJ5npUCA9wN05ZoMzr4Rrd23oUPrVsqAKC:qT01bjrpVTN046swoUPBNA
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 560 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe 1272 RF202201002.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1272 RF202201002.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1272 wrote to memory of 560 1272 RF202201002.exe 28 PID 1272 wrote to memory of 560 1272 RF202201002.exe 28 PID 1272 wrote to memory of 560 1272 RF202201002.exe 28 PID 1272 wrote to memory of 560 1272 RF202201002.exe 28 PID 1272 wrote to memory of 976 1272 RF202201002.exe 30 PID 1272 wrote to memory of 976 1272 RF202201002.exe 30 PID 1272 wrote to memory of 976 1272 RF202201002.exe 30 PID 1272 wrote to memory of 976 1272 RF202201002.exe 30 PID 1272 wrote to memory of 1644 1272 RF202201002.exe 31 PID 1272 wrote to memory of 1644 1272 RF202201002.exe 31 PID 1272 wrote to memory of 1644 1272 RF202201002.exe 31 PID 1272 wrote to memory of 1644 1272 RF202201002.exe 31 PID 1272 wrote to memory of 1640 1272 RF202201002.exe 32 PID 1272 wrote to memory of 1640 1272 RF202201002.exe 32 PID 1272 wrote to memory of 1640 1272 RF202201002.exe 32 PID 1272 wrote to memory of 1640 1272 RF202201002.exe 32 PID 1272 wrote to memory of 1016 1272 RF202201002.exe 33 PID 1272 wrote to memory of 1016 1272 RF202201002.exe 33 PID 1272 wrote to memory of 1016 1272 RF202201002.exe 33 PID 1272 wrote to memory of 1016 1272 RF202201002.exe 33 PID 1272 wrote to memory of 520 1272 RF202201002.exe 34 PID 1272 wrote to memory of 520 1272 RF202201002.exe 34 PID 1272 wrote to memory of 520 1272 RF202201002.exe 34 PID 1272 wrote to memory of 520 1272 RF202201002.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\RF202201002.exe"C:\Users\Admin\AppData\Local\Temp\RF202201002.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rKTGgqIKF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7D1D.tmp"2⤵
- Creates scheduled task(s)
PID:560
-
-
C:\Users\Admin\AppData\Local\Temp\RF202201002.exe"{path}"2⤵PID:976
-
-
C:\Users\Admin\AppData\Local\Temp\RF202201002.exe"{path}"2⤵PID:1644
-
-
C:\Users\Admin\AppData\Local\Temp\RF202201002.exe"{path}"2⤵PID:1640
-
-
C:\Users\Admin\AppData\Local\Temp\RF202201002.exe"{path}"2⤵PID:1016
-
-
C:\Users\Admin\AppData\Local\Temp\RF202201002.exe"{path}"2⤵PID:520
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:1052
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5984984cc60a67c32b8ab058739d14ef2
SHA17d51080301d5cf497558fc738fb4c3b3aa1db142
SHA2567c5d75a1856b4cc837f3e489393322bd826b3a2edb9753af2cadf6383efa59a2
SHA512a590d0b677a23dd72bfd02b81b439bcf72b8f066059926c0bb56fbe500cb41f9fb1674eb2f7c30f1ba972c394a06c1a570d0d723dddaa84f66dc30c1325e1662