e65bee5931c1b6a56847d37b422d5a45a9f5ebef25da7f37298ee08d01847c89

Analysis

max time kernel
84s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-11-2022 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document_9698.iso
Size

980KB
MD5

580ca5949eb9343c7ef11f4b33d18d34
SHA1

99c3d33be090aecdfaa0578e9241a67b4a9775b9
SHA256

e65bee5931c1b6a56847d37b422d5a45a9f5ebef25da7f37298ee08d01847c89
SHA512

dc672231d7adb1bee98fb3cb5321985f976eb040f2adc6fdccca8af0addf8fb1bbadcf69cf85d4aff18be43fd261fe9cd7676aaa862db8668be0a977149e87b5
SSDEEP

12288:bAth+FYv2Mo+Rp0XZL9xa/H+091EHXP7ZCID1iQhc7RAVG2o+WVwDXsHLfumzOip:cn+FY+mmV9QW005hayuQXsrfumFPR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	1220	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1220	AUDIODG.EXE
Token: 33	1220	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1220	AUDIODG.EXE
Token: SeRestorePrivilege	1484	7zG.exe
Token: 35	1484	7zG.exe
Token: SeSecurityPrivilege	1484	7zG.exe
Token: SeSecurityPrivilege	1484	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1484	7zG.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1136	1280	cmd.exe	29
PID 1280 wrote to memory of 1136	1280	cmd.exe	29
PID 1280 wrote to memory of 1136	1280	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Document_9698.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Document_9698.iso"
  2⤵
  PID:1136

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1940

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x484
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Document_9698\" -spe -an -ai#7zMap9505:106:7zEvent8805
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1484

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Document_9698\maidservant\snider.bat" "
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Document_9698\maidservant\snider.bat

Filesize
283B

MD5
7e6d1bc20d129096671fce252f47d0a0

SHA1
adc169acf41fe024e20d2641fbd829fc7f0bc2af

SHA256
39a52f55d9ea659ac39d9f0513afbe01a809b59135414e6ee42e191681d0a228

SHA512
38bf1380a1d60c5cf62298953cc523e204c008d5689ef3db325ef434b598e45895970784f26edb2282becf10586efa031180999269eef57f085210353615f7a7

Download Submit
memory/1280-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download