Analysis
max time kernel: 43s
max time network: 128s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 14-10-2022 10:16
Static task: static1
Behavioral task: behavioral1
  Sample: 648dec9bf8fc46309755437ea6626b731bc10aeca2f007fddaf29a30f14d166f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 648dec9bf8fc46309755437ea6626b731bc10aeca2f007fddaf29a30f14d166f.exe
  Resource: win10v2004-20220812-en
General
Target: 648dec9bf8fc46309755437ea6626b731bc10aeca2f007fddaf29a30f14d166f.exe
Size: 76KB
MD5: 62243bd3fa524afb5a368b088a284f38
SHA1: 5eb8656459319d948b51dedec5aebb71307e69ae
SHA256: 648dec9bf8fc46309755437ea6626b731bc10aeca2f007fddaf29a30f14d166f
SHA512: 932bd7f5c302f3ec24c7859efcbbcd533843e9d8f61167fce414e9c5698de76765c391272326ba77ecc307837c74a2a189e840bf192db696f2efb38b9face2aa
SSDEEP: 1536:VA7sbuq2p6oHUVOAn3wW6/7DcQ/9Dj4g:Kj1soHUVO531/N4g
Malware Config
Signatures
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Process: 648dec9bf8fc46309755437ea6626b731bc10aeca2f007fddaf29a30f14d166f.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
  Process: 648dec9bf8fc46309755437ea6626b731bc10aeca2f007fddaf29a30f14d166f.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  pid: 1768
  Process: tasklist.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 1768
  Process: tasklist.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 904
  Process: 648dec9bf8fc46309755437ea6626b731bc10aeca2f007fddaf29a30f14d166f.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 904 wrote to memory of 1764   904   648dec9bf8fc46309755437ea6626b731bc10aeca2f007fddaf29a30f14d166f.exe   29
  PID 904 wrote to memory of 1764   904   648dec9bf8fc46309755437ea6626b731bc10aeca2f007fddaf29a30f14d166f.exe   29
  PID 904 wrote to memory of 1764   904   648dec9bf8fc46309755437ea6626b731bc10aeca2f007fddaf29a30f14d166f.exe   29
  PID 904 wrote to memory of 1764   904   648dec9bf8fc46309755437ea6626b731bc10aeca2f007fddaf29a30f14d166f.exe   29
  PID 1764 wrote to memory of 1768  1764  cmd.exe                                                                 31
  PID 1764 wrote to memory of 1768  1764  cmd.exe                                                                 31
  PID 1764 wrote to memory of 1768  1764  cmd.exe                                                                 31
  PID 1764 wrote to memory of 1768  1764  cmd.exe                                                                 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\648dec9bf8fc46309755437ea6626b731bc10aeca2f007fddaf29a30f14d166f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\648dec9bf8fc46309755437ea6626b731bc10aeca2f007fddaf29a30f14d166f.exe"
   PID: 904
   - Maps connected drives based on registry
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 648dec9bf8fc46309755437ea6626b731b
      PID: 1764
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\tasklist.exe
         Command line: tasklist
         PID: 1768
         - Enumerates processes with tasklist
         - Suspicious use of AdjustPrivilegeToken