Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-10-2022 18:30

General

  • Target

    46356ce64664820165594ed18ec26a90.exe

  • Size

    302KB

  • MD5

    46356ce64664820165594ed18ec26a90

  • SHA1

    4cc931965d09e90eaffca9d3d6e9a3e76a1a4366

  • SHA256

    f06f422d7fc0f07d426965ceccf417598eadb7fcacfbe156dd37d3059669ecc0

  • SHA512

    e725dd10fc4ee0d9429decb52f7fe79b4f1dab5547f19cef1d323e2dcf836d28edf7d1bbaf4090cd1b5f2a3cabb1840dcb1a94513a5f14899e7eedffda08e7f0

  • SSDEEP

    6144:EInpgzEJQ5Jz+ZwRI3iusfICdNOWqlzhjZRPY8yxDziZi4/W:np6ZCwRI3iiCTSlzh1BR2HIW

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE ⋅ 1 IoCs
  • VMProtect packed file ⋅ 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) ⋅ 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 4 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46356ce64664820165594ed18ec26a90.exe
    "C:\Users\Admin\AppData\Local\Temp\46356ce64664820165594ed18ec26a90.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ShellExperienceHost" /tr '"C:\Users\Admin\AppData\Roaming\ShellExperienceHost.exe"' & exit
      Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "ShellExperienceHost" /tr '"C:\Users\Admin\AppData\Roaming\ShellExperienceHost.exe"'
        Creates scheduled task(s)
        PID:2020
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp71C7.tmp.bat""
      Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Windows\system32\timeout.exe
        timeout 3
        Delays execution with timeout.exe
        PID:524
      • C:\Users\Admin\AppData\Roaming\ShellExperienceHost.exe
        "C:\Users\Admin\AppData\Roaming\ShellExperienceHost.exe"
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        PID:664

Network

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp71C7.tmp.bat
    MD5
    7d9c5156d8b5536eaaeba19ba78e81f2
    SHA1
    6c489fd9ba2d5a085e835ae161bb4a5816d409b3
    SHA256
    ece8438bc146e48d594050a339925483644cddffd19bddec06cde395bbb69eeb
    SHA512
    02a2b0068d0e91ac66bde11b85b55780ee83a1a39639d2cb4ccacf54aecc6adc555879076c3a50ff1e2087e2ae8b1cf0623c8a92bc819d743e55c576662e62f7

  • C:\Users\Admin\AppData\Roaming\ShellExperienceHost.exe
    MD5
    46356ce64664820165594ed18ec26a90
    SHA1
    4cc931965d09e90eaffca9d3d6e9a3e76a1a4366
    SHA256
    f06f422d7fc0f07d426965ceccf417598eadb7fcacfbe156dd37d3059669ecc0
    SHA512
    e725dd10fc4ee0d9429decb52f7fe79b4f1dab5547f19cef1d323e2dcf836d28edf7d1bbaf4090cd1b5f2a3cabb1840dcb1a94513a5f14899e7eedffda08e7f0

  • memory/524-61-0x0000000000000000-mapping.dmp
  • memory/664-62-0x0000000000000000-mapping.dmp
  • memory/664-65-0x0000000000FE0000-0x0000000001066000-memory.dmp
  • memory/1524-59-0x0000000000000000-mapping.dmp
  • memory/1640-57-0x0000000000000000-mapping.dmp
  • memory/2020-58-0x0000000000000000-mapping.dmp
  • memory/2024-54-0x00000000000D0000-0x0000000000156000-memory.dmp