a20d62110e3e9d2659ee55299033ff3542bdce0b669f299dad18dddce4ddc1af

Analysis

max time kernel
131s
max time network
134s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15/10/2022, 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9482bb02601f897d980e64e4b54fe3c.exe
Size

10KB
MD5

f9482bb02601f897d980e64e4b54fe3c
SHA1

bbaf763d8b26f468f6d4fb5cb631e3fedb3c965b
SHA256

a20d62110e3e9d2659ee55299033ff3542bdce0b669f299dad18dddce4ddc1af
SHA512

f0b2dcb4403d6b709a327fdf3533ff80272ccf4618e094fa7727564d0f47cf83cff2568615c331062c4b21fa21755b62c88acea466ac96627aeba120244a9d6d
SSDEEP

192:ZBlbXZH5KcyeRrUt0cgh8/2PnH/7AvBp:ZBkurM05S/2vHzM

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 532 set thread context of 1372	532	f9482bb02601f897d980e64e4b54fe3c.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2024	powershell.exe
532	f9482bb02601f897d980e64e4b54fe3c.exe
532	f9482bb02601f897d980e64e4b54fe3c.exe
1372	AppLaunch.exe
1372	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	f9482bb02601f897d980e64e4b54fe3c.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1372	AppLaunch.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 2024	532	f9482bb02601f897d980e64e4b54fe3c.exe	27
PID 532 wrote to memory of 2024	532	f9482bb02601f897d980e64e4b54fe3c.exe	27
PID 532 wrote to memory of 2024	532	f9482bb02601f897d980e64e4b54fe3c.exe	27
PID 532 wrote to memory of 1372	532	f9482bb02601f897d980e64e4b54fe3c.exe	29
PID 532 wrote to memory of 1372	532	f9482bb02601f897d980e64e4b54fe3c.exe	29
PID 532 wrote to memory of 1372	532	f9482bb02601f897d980e64e4b54fe3c.exe	29
PID 532 wrote to memory of 1372	532	f9482bb02601f897d980e64e4b54fe3c.exe	29
PID 532 wrote to memory of 1372	532	f9482bb02601f897d980e64e4b54fe3c.exe	29
PID 532 wrote to memory of 1372	532	f9482bb02601f897d980e64e4b54fe3c.exe	29
PID 532 wrote to memory of 1372	532	f9482bb02601f897d980e64e4b54fe3c.exe	29

C:\Users\Admin\AppData\Local\Temp\f9482bb02601f897d980e64e4b54fe3c.exe
"C:\Users\Admin\AppData\Local\Temp\f9482bb02601f897d980e64e4b54fe3c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-54-0x0000000001380000-0x0000000001386000-memory.dmp

Filesize
24KB

Download
memory/532-55-0x000000001C550000-0x000000001C68A000-memory.dmp

Filesize
1.2MB

Download
memory/532-56-0x0000000000DC0000-0x0000000000E52000-memory.dmp

Filesize
584KB

Download
memory/532-75-0x00000000011D6000-0x00000000011F5000-memory.dmp

Filesize
124KB

Download
memory/1372-80-0x000000001B076000-0x000000001B095000-memory.dmp

Filesize
124KB

Download
memory/1372-79-0x000000001B076000-0x000000001B095000-memory.dmp

Filesize
124KB

Download
memory/1372-78-0x0000000000550000-0x000000000059C000-memory.dmp

Filesize
304KB

Download
memory/1372-77-0x0000000000500000-0x000000000054E000-memory.dmp

Filesize
312KB

Download
memory/1372-76-0x00000000021E0000-0x000000000228A000-memory.dmp

Filesize
680KB

Download
memory/1372-69-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/1372-71-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/1372-66-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/1372-67-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2024-59-0x000007FEEC070000-0x000007FEECA93000-memory.dmp

Filesize
10.1MB

Download
memory/2024-65-0x00000000029AB000-0x00000000029CA000-memory.dmp

Filesize
124KB

Download
memory/2024-64-0x00000000029A4000-0x00000000029A7000-memory.dmp

Filesize
12KB

Download
memory/2024-63-0x00000000029AB000-0x00000000029CA000-memory.dmp

Filesize
124KB

Download
memory/2024-61-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/2024-62-0x00000000029A4000-0x00000000029A7000-memory.dmp

Filesize
12KB

Download
memory/2024-60-0x000007FEEB510000-0x000007FEEC06D000-memory.dmp

Filesize
11.4MB

Download
memory/2024-58-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download