Overview

overview

8

Static

static

801acd1c8e...a4.exe

windows7-x64

8

801acd1c8e...a4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2022 21:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    801acd1c8e0280b31e28c726f6b427a4.exe

  • Size

    363KB

  • MD5

    801acd1c8e0280b31e28c726f6b427a4

  • SHA1

    d83262e6081da951918dfa5121814bb82e95a269

  • SHA256

    67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4

  • SHA512

    39aad4426232681419d5d15ce061767fff5b2d3b25076ebe07a2cb0c6593b75dfb44d91e2ecc40dfde7ef1b8e9b643c25c22feaa89807ca9cd476f1a76782dae

  • SSDEEP

    3072:vWlhCuAo4LsUokIau9UUsnz+NSMfD9H5+EKj:ulhCuF4LTu9xsniNS4Dr8

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 46 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\801acd1c8e0280b31e28c726f6b427a4.exe
    "C:\Users\Admin\AppData\Local\Temp\801acd1c8e0280b31e28c726f6b427a4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1416
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\System32\conhost.exe
        C:\Windows\System32\conhost.exe qeqkbjctbfy0 6E3sjfZq2rJQaxvLPmXgsLqz8lpJ63UklPJg9pmcWSo8Jq3kZKSmvY4+NRTnUpEE3r7+XdtDimsNE7e/g+L2X9H56A5oEjJPagfD7QnT15zaBaj0uazjcA0XmidLhgHPgbFsB3e7l3mh+HQxK0IgPyO5BCIyV/0dj7UBA5qbtnhvEysue9hfOHc3u05LtSAbyLevTJdM29MLupiky3fBB4f7gpKX6SCprT+ftxtOrV1jVTSOVeWYw0PtiKcCojqtEffJsh4ZUZhRRWjAF9vtd6YAerLXuvJWihYiYwUI6cKGgNXX6Rp/oTqNMRDOeX5AHhUEpGHVpRjSu8gA7guRnSgqQBDeAJf0DVOipCGNM4wBWTFxmErarlh1DfOgRL8t
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:880

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/564-75-0x00000000004A0000-0x00000000004AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/564-66-0x0000000140000000-0x000000014025C000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/564-70-0x0000000140000000-0x000000014025C000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/564-69-0x0000000140000000-0x000000014025C000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/564-67-0x0000000140000000-0x000000014025C000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/816-56-0x000000001A690000-0x000000001A722000-memory.dmp

    Filesize

    584KB

    Download

  • memory/816-55-0x000000001C130000-0x000000001C460000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/816-54-0x0000000000DA0000-0x0000000000DFE000-memory.dmp

    Filesize

    376KB

    Download

  • memory/816-73-0x000000001AFE6000-0x000000001B005000-memory.dmp

    Filesize

    124KB

    Download

  • memory/880-80-0x0000000000000000-0x0000000001000000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/880-78-0x0000000000070000-0x0000000000090000-memory.dmp

    Filesize

    128KB

    Download

  • memory/880-79-0x0000000000000000-0x0000000001000000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1416-64-0x0000000002954000-0x0000000002957000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1416-63-0x000000000295B000-0x000000000297A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1416-61-0x000000001B880000-0x000000001BB7F000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1416-62-0x0000000002954000-0x0000000002957000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1416-60-0x000007FEEAED0000-0x000007FEEBA2D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1416-59-0x000007FEEBA30000-0x000007FEEC453000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/1416-58-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1416-65-0x000000000295B000-0x000000000297A000-memory.dmp

    Filesize

    124KB

    Download