Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 29-10-2022 01:15

Static task: static1
Behavioral task: behavioral1
Sample: a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe
Resource: win10v2004-20220812-en
General
Target: a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe
Size: 580KB
MD5: f121fe09017c12ca9ba6326f34d1b754
SHA1: 5630e45ca277fb15fd72e0f36ffa05106f9a1052
SHA256: a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231
SHA512: 71d0510d0279d24449fdb535791448ac4d6fb0a5cf4e408bbbe8cd26fa478935740d162ca7198f882596be24a162223eaafaf64acb3ab120f2f8a3b428068c3e
SSDEEP: 6144:wS5PHFrOHoZN78DJ6YCesUXs92Azje78RpD4PjneMKYgFywwj/H8naDo/JnJ+5:wS5RZN+J6YCeQIAzfRh4exswwgV
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 1928  a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe
- Deletes itself (1 IoC)
  PID 1928  a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe
- Loads dropped DLL (1 IoC)
  PID 1708  a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1708 (a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe) set thread context of PID 1928 (a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe)
  Read together with the WriteProcessMemory entries below (nine writes from PID 1708 into PID 1928, a second instance of the same image), this is the process-hollowing / RunPE pattern: the parent writes a payload into a fresh copy of its own process and redirects that process's thread to it. The later signatures (GetForegroundWindowSpam, SetWindowsHookEx, self-deletion) are all attributed to the hollowed PID 1928, not to the parent.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (No process-level IoC is recorded for this TTP.)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- NTFS ADS (1 IoC)
  cmd.exe created C:\Users\Admin\AppData\Local\Temp\a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe:ZONE.identifier
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1708  a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe  (all 64 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1928  a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1708  a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe
  Token: SeDebugPrivilege  PID 1928  a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1928  a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1708 (a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe) wrote to memory of PID 552 (schtasks.exe)   4 entries
  PID 1708 (a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe) wrote to memory of PID 1620 (cmd.exe)      4 entries
  PID 1708 (a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe) wrote to memory of PID 1928 (a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe)   9 entries
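The SetThreadContext and WriteProcessMemory signatures above are the two API-level facts that separate hollowing from ordinary child creation. The script below is an added example, not part of the sandbox report or its tooling: it replays the report's IoCs as constructed records and reports only the (source, target) pairs where the source both wrote into the target and reset its thread context, so the four loader writes into schtasks.exe and cmd.exe do not trigger it. The record layout, the `min_writes` threshold and the privilege map are assumptions made for the example.

```python
"""Added example (not part of the sandbox report): flag process-hollowing
candidates from API-level IoCs (WriteProcessMemory / SetThreadContext).
The records below are constructed from this report's signature tables."""
from collections import Counter

SAMPLE = "a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe"

# (source pid, source image, api, target pid, target image), constructed from the report
API_IOCS = (
    [(1708, SAMPLE, "WriteProcessMemory", 552, "schtasks.exe")] * 4
    + [(1708, SAMPLE, "WriteProcessMemory", 1620, "cmd.exe")] * 4
    + [(1708, SAMPLE, "WriteProcessMemory", 1928, SAMPLE)] * 9
    + [(1708, SAMPLE, "SetThreadContext", 1928, SAMPLE)]
)

# Privileges from the "AdjustPrivilegeToken" signature, constructed from the report
PRIVILEGES = {1708: {"SeDebugPrivilege"}, 1928: {"SeDebugPrivilege"}}


def hollowing_candidates(iocs, privileges=None, min_writes=3):
    """Return one finding per (source, target) pair that looks hollowed.

    A pair is reported only when the source both wrote into the target and
    reset its thread context. Write count alone is not a signal: the loader
    also writes a few pages into every freshly created child (see the
    schtasks.exe and cmd.exe entries in the same report).
    """
    privileges = privileges or {}
    writes = Counter()
    context_set = set()
    image = {}
    for src, src_img, api, dst, dst_img in iocs:
        image[src], image[dst] = src_img, dst_img
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            context_set.add((src, dst))

    findings = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) not in context_set or n < min_writes:
            continue
        same_image = image[src].lower() == image[dst].lower()
        reasons = [
            f"{n} WriteProcessMemory calls into PID {dst}",
            "SetThreadContext on the target's thread",
        ]
        if same_image:
            reasons.append("target is a second instance of the parent's own image")
        if "SeDebugPrivilege" in privileges.get(src, ()):
            reasons.append("source holds SeDebugPrivilege")
        findings.append({
            "src": src, "dst": dst, "target_image": image[dst],
            "writes": n, "same_image": same_image, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in hollowing_candidates(API_IOCS, PRIVILEGES):
        print(f"PID {f['src']} -> PID {f['dst']} ({f['target_image']})")
        for reason in f["reasons"]:
            print("  -", reason)
```

Run against the report's data it yields a single finding, 1708 into 1928, with all four reasons. The same-image check is what makes this a self-hollow (RunPE) rather than injection into a system binary; a variant that spawned a suspended svchost.exe would still be caught by the write-plus-context rule but would report `same_image` as false.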
Processes
- C:\Users\Admin\AppData\Local\Temp\a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe (PID 1708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children (the command lines reference System32 but the image paths resolve under SysWOW64: the parent is a 32-bit process, matching the arch:x86 tag, and WOW64 file-system redirection rewrites the path):
  - C:\Windows\SysWOW64\schtasks.exe (PID 552)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Update\421f63af-3585-4410-b9ef-1ec5abd70f32" /XML "C:\Users\Admin\AppData\Local\Temp\avvvvv.xml"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 1620)
    Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe":ZONE.identifier & exit
    - NTFS ADS
    This overwrites the sample's own Zone.Identifier stream with ZoneId 2 (Trusted sites). Files saved from a browser or mail client carry ZoneId 3 (Internet), which is what triggers the mark-of-the-web security warning; a process lowering the zone on its own image is tampering with that control, whatever the later hollowed copy goes on to do.
  - C:\Users\Admin\AppData\Local\Temp\a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe (PID 1928)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe"
    - Executes dropped EXE
    - Deletes itself
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
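The two child command lines are the part of this tree an analyst can turn directly into triage rules: a task registered from an XML in the user's Temp directory, and an `echo` redirected into a `:Zone.Identifier` stream. The script below is an added example, not code from the sandbox or the sample: it tags both command lines (copied from the report, plus one constructed benign `schtasks /Query` line as a control) and decodes the Zone.Identifier body that the `echo` produces. The zone table follows the URLZONE values (0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted); the tag names, the regexes and the "well-formed" stream sample are assumptions made for the example.

```python
"""Added example (not part of the sandbox report): triage the child command
lines from the process tree and decode Zone.Identifier stream contents."""
import re

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe")

CMDLINES = [
    # from the report: task registered from an XML in the user's Temp directory
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Update\421f63af-3585-4410-b9ef-1ec5abd70f32" '
    r'/XML "C:\Users\Admin\AppData\Local\Temp\avvvvv.xml"',
    # from the report: the sample rewrites its own mark-of-the-web stream
    r'"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "' + SAMPLE_PATH + r'":ZONE.identifier & exit',
    # constructed benign control line
    r'"C:\Windows\System32\schtasks.exe" /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',
]

# What the report's echo command leaves in the stream (cmd keeps the trailing space)
SAMPLE_STREAM = "[zoneTransfer]ZoneID = 2 \r\n"
# Constructed: what a browser download normally writes
NORMAL_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/installer.exe\r\n"

# URLZONE values; the attachment-execution warning fires for 3 and 4 by default
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
PROMPT_ZONES = {3, 4}

_TASK_XML = re.compile(r'/create\b.*?/xml\s+(?:"([^"]+)"|(\S+))', re.I)
_ADS_REDIRECT = re.compile(r'>\s*(?:"[^"]*"|\S+):zone\.identifier', re.I)
_USER_TEMP = re.compile(r'\\appdata\\local\\temp\\', re.I)


def triage_cmdline(cmd):
    """Return the triage tags that apply to one command line."""
    tags = []
    m = _TASK_XML.search(cmd)
    if m and _USER_TEMP.search(m.group(1) or m.group(2)):
        tags.append("scheduled-task-from-temp-xml")
    if _ADS_REDIRECT.search(cmd):
        tags.append("rewrites-zone-identifier")
    return tags


def parse_zone_identifier(stream):
    """Decode a Zone.Identifier stream body.

    Accepts the standard layout ('[ZoneTransfer]' on its own line, then
    'ZoneId=N' and optional HostUrl/ReferrerUrl) and the fused one-line
    layout this sample produces with `echo [zoneTransfer]ZoneID = 2`.
    """
    zone = re.search(r'zoneid\s*=\s*(\d+)', stream, re.I)
    host = re.search(r'hosturl\s*=\s*(\S+)', stream, re.I)
    zone_id = int(zone.group(1)) if zone else None
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "unknown") if zone_id is not None else None,
        "host_url": host.group(1) if host else None,
        "well_formed": re.match(r'\[ZoneTransfer\]\r?\n', stream, re.I) is not None,
        "would_prompt": zone_id in PROMPT_ZONES,
    }


def read_zone_identifier(path):
    """Read and decode the stream from disk (NTFS only; opens path:Zone.Identifier)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    for cmd in CMDLINES:
        print(triage_cmdline(cmd) or ["-"], cmd[:60])
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(parse_zone_identifier(NORMAL_STREAM))
```

The parser deliberately treats the sample's one-line `[zoneTransfer]ZoneID = 2` as a ZoneId of 2 even though the layout is not the standard INI form; whether Windows' own reader honours that layout is not something the report shows, and for triage the signal is the same either way: a non-browser process writing a zone below 3 into the stream of its own executable. `read_zone_identifier` is what you would run on a live host or a mounted image; it returns `None` where the stream (or NTFS) is absent.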
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe
  Filesize: 580KB
  MD5: f121fe09017c12ca9ba6326f34d1b754
  SHA1: 5630e45ca277fb15fd72e0f36ffa05106f9a1052
  SHA256: a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231
  SHA512: 71d0510d0279d24449fdb535791448ac4d6fb0a5cf4e408bbbe8cd26fa478935740d162ca7198f882596be24a162223eaafaf64acb3ab120f2f8a3b428068c3e
- Unnamed file (no path recorded in the report)
  Filesize: 1KB
  MD5: 2ae2886512fe0945d0d8c039639dfa05
  SHA1: d0c17c69f87556ba1841ae90b9e87f3c3aee3b58
  SHA256: 62919ed7e2bbbad1e9b64e6d69a3914b50c6c8053dd01e4d98d87103f16fa062
  SHA512: 6754251cc6f55b963c426a8ac5fa6b16aefb8383225c0eb82a29b0e2be9b321b75ec423f5203ff9540e246d7e6d4ed8ca4f99fa1133fdc05561e5c23c8768a29
- \Users\Admin\AppData\Local\Temp\a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231.exe
  Filesize: 580KB
  MD5: f121fe09017c12ca9ba6326f34d1b754
  SHA1: 5630e45ca277fb15fd72e0f36ffa05106f9a1052
  SHA256: a65d51b98a09b48cd3a217a370de9492ad121db019786a37487449f1830a3231
  SHA512: 71d0510d0279d24449fdb535791448ac4d6fb0a5cf4e408bbbe8cd26fa478935740d162ca7198f882596be24a162223eaafaf64acb3ab120f2f8a3b428068c3e