Overview

overview

8

Static

static

ceaeb5383e...78.exe

windows7-x64

8

ceaeb5383e...78.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    51s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02-11-2022 14:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ceaeb5383e6c0589de9a73e409896478.exe

  • Size

    424KB

  • MD5

    ceaeb5383e6c0589de9a73e409896478

  • SHA1

    4cabab69582fa3fb2e131ec4d84ba41e70b2919b

  • SHA256

    21659f7b55d30fd92b976f7eff8fc635d3e536926536ffeee79364afa68b77e9

  • SHA512

    cde384735bdc0c8d259d506bf6e229bbf7b7974b06fdadfe9734d9d8de3dc3852558cc92e868cd1c2b7b04b0961d1ca8ba1b166314a7a6cfdced0ef176e9e5c7

  • SSDEEP

    12288:kTjrxyMe1PKMK/lGRgOUqmq9kR6lhKXZ4juje8y:+j4fPKMK/cRgOnmq9g66GUe8y

Score
8/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ceaeb5383e6c0589de9a73e409896478.exe
    "C:\Users\Admin\AppData\Local\Temp\ceaeb5383e6c0589de9a73e409896478.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelGAS9.6.4.5." /TR "C:\ProgramData\IntelToolSkits\IntelGAS-Ver9.6.4.5.exe" /SC MINUTE
      2⤵
      • Creates scheduled task(s)
      PID:1100
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\IntelToolSkits" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      2⤵
      • Modifies file permissions
      PID:1524
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\IntelToolSkits" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      2⤵
      • Modifies file permissions
      PID:1080
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\IntelToolSkits" /inheritance:e /deny "adMnepoxyFEYWGOLmin:(R,REA,RA,RD)"
      2⤵
      • Modifies file permissions
      PID:680
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {B1AA2E60-106D-4697-A390-37D502606791} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\ProgramData\IntelToolSkits\IntelGAS-Ver9.6.4.5.exe
      C:\ProgramData\IntelToolSkits\IntelGAS-Ver9.6.4.5.exe
      2⤵
      • Executes dropped EXE
      PID:1840

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\IntelToolSkits\IntelGAS-Ver9.6.4.5.exe
    Filesize

    424KB

    MD5

    ceaeb5383e6c0589de9a73e409896478

    SHA1

    4cabab69582fa3fb2e131ec4d84ba41e70b2919b

    SHA256

    21659f7b55d30fd92b976f7eff8fc635d3e536926536ffeee79364afa68b77e9

    SHA512

    cde384735bdc0c8d259d506bf6e229bbf7b7974b06fdadfe9734d9d8de3dc3852558cc92e868cd1c2b7b04b0961d1ca8ba1b166314a7a6cfdced0ef176e9e5c7

    Download Submit

  • C:\ProgramData\IntelToolSkits\IntelGAS-Ver9.6.4.5.exe
    Filesize

    424KB

    MD5

    ceaeb5383e6c0589de9a73e409896478

    SHA1

    4cabab69582fa3fb2e131ec4d84ba41e70b2919b

    SHA256

    21659f7b55d30fd92b976f7eff8fc635d3e536926536ffeee79364afa68b77e9

    SHA512

    cde384735bdc0c8d259d506bf6e229bbf7b7974b06fdadfe9734d9d8de3dc3852558cc92e868cd1c2b7b04b0961d1ca8ba1b166314a7a6cfdced0ef176e9e5c7

    Download Submit

  • memory/680-61-0x0000000000000000-mapping.dmp

    Download

  • memory/1080-60-0x0000000000000000-mapping.dmp

    Download

  • memory/1100-55-0x0000000000000000-mapping.dmp

    Download

  • memory/1416-58-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/1416-59-0x0000000000350000-0x00000000003B0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1416-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1416-62-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/1524-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1840-63-0x0000000000000000-mapping.dmp

    Download

  • memory/1840-66-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/1840-67-0x0000000000320000-0x0000000000380000-memory.dmp

    Filesize

    384KB

    Download