Analysis
max time kernel: 151s
max time network: 150s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2022 06:19
Static task: static1
Behavioral task: behavioral1
  Sample: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
  Resource: win10v2004-20220901-en
General
Target: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
Size: 292KB
MD5: b5707c99e8efb84b4c4e241e59b213b1
SHA1: f679f3871f61771d6ce979483d41c8033f06ef2d
SHA256: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562
SHA512: 1d9496be34428d51bc4f297919b462b98027b049b184ee3acc6cf4139b70d4e242745d72d8dc94cdc3875ce3a6d3a88ad68df0f1e263d90b4db8780288bec7d1
SSDEEP: 6144:E0I5pAVaHnVtoNSWelUZ54Cv2zznu+hTUH0qqIuAC0mx8TCvOxf72wrX+USctl:E0I5qCnvxWOa54KGK+r8hQe7iwrX+USI
Malware Config
Signatures
Loads dropped DLL (2 IoCs)
  pid   Process
  1624  taskmgr.exe
  1624  taskmgr.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Roaming\\Default Folder\\fbs.exe" (Process: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\fbs.exe" (Process: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1376  4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege  1376  4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
  Token: SeDebugPrivilege  1376  4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
  Token: SeDebugPrivilege  1624  taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1376  4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1376 wrote to memory of 1624  1376  4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe  26
  PID 1376 wrote to memory of 1624  1376  4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe  26
  PID 1376 wrote to memory of 1624  1376  4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe  26
  PID 1376 wrote to memory of 1624  1376  4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe  26
Processes
1. C:\Users\Admin\AppData\Local\Temp\4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe"
   PID: 1376
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\taskmgr.exe
      Command line: "C:\Windows\System32\taskmgr.exe"
      PID: 1624
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
\Users\Admin\AppData\Local\Temp\4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
  Filesize: 292KB
  MD5: b5707c99e8efb84b4c4e241e59b213b1
  SHA1: f679f3871f61771d6ce979483d41c8033f06ef2d
  SHA256: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562
  SHA512: 1d9496be34428d51bc4f297919b462b98027b049b184ee3acc6cf4139b70d4e242745d72d8dc94cdc3875ce3a6d3a88ad68df0f1e263d90b4db8780288bec7d1