Analysis

max time kernel: 55s
max time network: 42s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2022 12:06

Static task: static1
Behavioral task: behavioral1
Sample: c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe
Resource: win7-20220812-en
General

Target: c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe
Size: 637KB
MD5: 84feedb206ce6f56fcbea63636597780
SHA1: 7563c8c9531b872b787190a0cdb6fc168a3117ab
SHA256: c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a
SHA512: 1852cbaf9ce05f0539a160180ff0d2be4f75a1ea14d7acfa805402afd68e557cf600faab94877d619e40bffbf15002e8855c095829cb45902eef06369c2506ed
SSDEEP: 12288:+CPBprQ64gRZR6WRgb14aB1BveN14I8RotUP6fUsSO:jZprXPR3xKr4qktUPcS
Malware Config

Signatures

Loads dropped DLL (1 IoCs)
Processes:
  pid 900  process c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid 900  process c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeDebugPrivilege  pid 900  process c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description: PID 900 wrote to memory of 1992  pid 900  process c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe  target process notepad.exe
  description: PID 900 wrote to memory of 1992  pid 900  process c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe  target process notepad.exe
  description: PID 900 wrote to memory of 1992  pid 900  process c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe  target process notepad.exe
  description: PID 900 wrote to memory of 1992  pid 900  process c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe  target process notepad.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe"
  PID: 900
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\temp\notepad.exe (child of PID 900)
    Command line: C:\Windows\temp\notepad.exe
    PID: 1992
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 52KB
MD5: 278edbd499374bf73621f8c1f969d894
SHA1: a81170af14747781c5f5f51bb1215893136f0bc0
SHA256: c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA512: 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9