Analysis
- max time kernel: 154s
- max time network: 54s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 02/10/2022, 01:15
Static task
- static1
Behavioral task
- behavioral1
  Sample: 1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe
  Resource: win7-20220901-en
Behavioral task
- behavioral2
  Sample: 1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe
  Resource: win10v2004-20220812-en
General
- Target: 1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe
- Size: 657KB
- MD5: 6c637e608d50c0d82981dbae7b480160
- SHA1: a841e1e77ae14f8b56681c535b52708fe44027df
- SHA256: 1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938
- SHA512: 632b28b6f21430094fe26f0ffbbc4820a3844c6fe035a494824673058cc797c14a590b3ee710c23ed0013339efefc5eef035a5e95e8fa988ef88ea86c0d545fd
- SSDEEP: 12288:OHqoKu9k/JCZHzT2JUnPxvjwsJhXMTos:Ovaf0P6srMr
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description       | ioc                                                                      | Process
  Key opened        | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0         | perfmon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    | perfmon.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  1376 | perfmon.exe (64 identical events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                      | pid  | Process
  Token: SeDebugPrivilege          | 1376 | perfmon.exe
  Token: SeSystemProfilePrivilege  | 1376 | perfmon.exe
  Token: SeCreateGlobalPrivilege   | 1376 | perfmon.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      | pid  | Process                                                                  | procid_target
  PID 2016 wrote to memory of 1376 | 2016 | 1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe | 27 (3 identical events)
Processes
- C:\Users\Admin\AppData\Local\Temp\1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe (PID 2016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\perfmon.exe (PID 1376, child of 2016)
    Command line: "C:\Windows\System32\perfmon.exe" /res
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken