Analysis
- max time kernel: 40s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02-10-2022 00:18
Static task: static1

Behavioral task: behavioral1
- Sample: 169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c.exe
- Resource: win10v2004-20220812-en
General
- Target: 169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c.exe
- Size: 37KB
- MD5: 67f917352f70ec0ae3668eb2f8309f40
- SHA1: 968f0b1ae28826e59a1806966bb1f0a2e94df5a5
- SHA256: 169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c
- SHA512: 9b002de070314a1ab53d83c5be0e5e709d93025c1a207207682a2be2f5c6b1a5c61dbb10bf7a784c30956bf6eef6276e222411b1748f54484059b4dbfda82fa1
- SSDEEP: 768:EiY4uDKrBMOu8jkS6wbaqn7GqEl97ogRMOZ:xDumrBuq6wbObl97bR
Malware Config
(none)

Signatures

- Deletes itself (1 IoCs)
  pid 1168, process cmd.exe

- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum; process: 169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0; process: 169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  pid 268, process tasklist.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege; pid 268; process tasklist.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 828, process 169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 828 wrote to memory of 1168; pid 828; process 169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c.exe; procid_target 29
  description: PID 828 wrote to memory of 1168; pid 828; process 169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c.exe; procid_target 29
  description: PID 828 wrote to memory of 1168; pid 828; process 169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c.exe; procid_target 29
  description: PID 828 wrote to memory of 1168; pid 828; process 169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c.exe; procid_target 29
  description: PID 1168 wrote to memory of 268; pid 1168; process cmd.exe; procid_target 31
  description: PID 1168 wrote to memory of 268; pid 1168; process cmd.exe; procid_target 31
  description: PID 1168 wrote to memory of 268; pid 1168; process cmd.exe; procid_target 31
  description: PID 1168 wrote to memory of 268; pid 1168; process cmd.exe; procid_target 31
Processes

1. C:\Users\Admin\AppData\Local\Temp\169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c.exe"
   - Maps connected drives based on registry
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 828

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 169030c6f0610a8c8dec7c12e6629a4a953a386ceced75e4758af0911d07558c.exe
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1168

      3. C:\Windows\SysWOW64\tasklist.exe
         Command line: tasklist
         - Enumerates processes with tasklist
         - Suspicious use of AdjustPrivilegeToken
         PID: 268