Analysis
max time kernel: 177s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2022 12:43
Static task: static1
Behavioral task: behavioral1
  Sample: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe
  Resource: win10v2004-20220812-en
General
Target: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe
Size: 292KB
MD5: 4214abf5fd8ede6d3d9d03b9f55713f5
SHA1: a2360c5577a67315fa5782f35c3bf97dc24089e9
SHA256: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229
SHA512: 2c96cd0b65e350233459617b6a15b91142b08dce328b1f04d895c40701f3a57d0212c0554c60c57d1b6585dc973986ef58fd0832e05d313ddbd42263c875fe8a
SSDEEP: 6144:/CXnomEpWJmo2+gu5KFOPO3pZSytbAH0WJ0IgMbDMRlsQpOm:mofpWJmo2vuIeOZZSobAH0ZIx6CQpOm
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: WScript.exe
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | process: WScript.exe
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe" | process: WScript.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe
  description: PID 2024 set thread context of 1756 | pid: 2024 | process: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | target process: CasPol.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: CasPol.exe
  pid: 1756 | process: CasPol.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe, CasPol.exe
  description: Token: SeDebugPrivilege | pid: 2024 | process: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe
  description: Token: SeDebugPrivilege | pid: 1756 | process: CasPol.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: CasPol.exe
  pid: 1756 | process: CasPol.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe, cmd.exe
  description: PID 2024 wrote to memory of 1756 | pid: 2024 | process: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | target process: CasPol.exe (9 entries)
  description: PID 2024 wrote to memory of 1264 | pid: 2024 | process: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | target process: cmd.exe (4 entries)
  description: PID 1264 wrote to memory of 580 | pid: 1264 | process: cmd.exe | target process: WScript.exe (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe"
  PID: 2024
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe
    command line: "c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe"
    PID: 1756
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe"
    PID: 1264
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs"
      PID: 580
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 219B
MD5: a65f94d737d307f65def620728688123
SHA1: ba22cfd98fa6aa8a28de32b3eac5f20fbf0843d8
SHA256: 3564dcda92b3ec106f0f9a2710a795a8eada973a9d50511c68cdaea5ec12f87e
SHA512: fa008d1fa740bad8496f6678cb8345d4894afc0385b6abe86577c3f48dbdd1acee5a9ded9fa4e47a879592a1d4bdf8f491362279a94299b2473917d0f57c1847