Analysis
Max time kernel: 141s
Max time network: 146s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01-10-2022 23:37
Behavioral task: behavioral1
Sample: bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe
Resource: win7-20220812-en (windows7-x64)
4 signatures, 150 seconds
General
Target: bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe
Size: 658KB
MD5: 450c9d8f929ed31bb75c41453e05fa60
SHA1: 09e67a019b7b3de17d788e82cf9a1cf52760c1a6
SHA256: bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c
SHA512: 43c028c4239ce2f8e7c855294f7368a52e45a78979b91417b5b7d02c8222ada60f84495af754fa819eb595cca01c97f84dfa656f3f51979b758991da87edafb4
SSDEEP: 12288:q9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hP:mZ1xuVVjfFoynPaVBUR8f+kN10EBJ
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:

| Description | PID | Process |
| --- | --- | --- |
| Token: SeIncreaseQuotaPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeSecurityPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeTakeOwnershipPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeLoadDriverPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeSystemProfilePrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeSystemtimePrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeProfSingleProcessPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeIncBasePriorityPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeCreatePagefilePrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeBackupPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeRestorePrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeShutdownPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeDebugPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeSystemEnvironmentPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeChangeNotifyPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeRemoteShutdownPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeUndockPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeManageVolumePrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeImpersonatePrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: SeCreateGlobalPrivilege | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: 33 | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: 34 | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: 35 | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
| Token: 36 | 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:

| PID | Process |
| --- | --- |
| 2628 | bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe |
Processes

C:\Users\Admin\AppData\Local\Temp\bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bd557ea6051890680bfdb17dc04704170c99d258e11cd79f392eba47c352699c.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx