ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67

Analysis

max time kernel
67s
max time network
68s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe
Size

92KB
MD5

6b9a869286f6f4d042ce6b86ad5598f1
SHA1

134e5c4f65b2c41193954b220e207bc8cccc32ba
SHA256

ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67
SHA512

c5980fd73d648071b448c7d1f955271558707aa36a32848ce78daa84b5c187745362787fe194e23fbd06688dedd63dfa09b8597e9e1198e4f102ad484ee01cc9
SSDEEP

768:4mp1D5+8+yyCExggbX4xyhKpDq3yWqimSr4CsDqel30JbP6XTI3WoUUZ+IcnR7S:4CD5ePN4xye0q3tDj8r6XEJTc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1352	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	tasklist.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1388	ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe
1388	ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1464	1388	ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe	29
PID 1388 wrote to memory of 1464	1388	ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe	29
PID 1388 wrote to memory of 1464	1388	ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe	29
PID 1388 wrote to memory of 1464	1388	ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe	29
PID 1464 wrote to memory of 1352	1464	cmd.exe	31
PID 1464 wrote to memory of 1352	1464	cmd.exe	31
PID 1464 wrote to memory of 1352	1464	cmd.exe	31
PID 1464 wrote to memory of 1352	1464	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe
"C:\Users\Admin\AppData\Local\Temp\ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del ebfda79f9d2e26d2087e5f5d9b06690a5c
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1352-60-0x0000000000000000-mapping.dmp

Download
memory/1388-57-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1388-58-0x0000000003380000-0x0000000003E3A000-memory.dmp

Filesize
10.7MB

Download
memory/1464-59-0x0000000000000000-mapping.dmp

Download