Analysis
max time kernel: 47s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2022, 01:19
Static task: static1
Behavioral task: behavioral1
  Sample: 6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7.exe
  Resource: win10v2004-20220901-en
General
Target: 6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7.exe
Size: 73KB
MD5: 2fd925cfe3e01e341010882bdb674689
SHA1: a2a01b89a9b1f10127187d2e7dfa1ec6f2543717
SHA256: 6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7
SHA512: f99b17a1aca5c830dbbccd9b038810a8917cb86ba0e2e710de4e7b23869d47058d1228505d0d26fe5f099ec83e5fb500ab993152a99f19a83f3d381a75a136f2
SSDEEP: 1536:pPL30FzXG+9kz62hE52R8pZ0Fxf/1KNZ59NKln9msMoK15MfHOXM:pQ2thE52R8pSf/1KN9NKln9m15MfU
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  552   cmd.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description         ioc                                                           Process
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7.exe
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  pid    Process
  1912   tasklist.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   1912   tasklist.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid    Process
  1552   6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid    Process                                                                  procid_target
  PID 1552 wrote to memory of 552    1552   6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7.exe   27
  PID 1552 wrote to memory of 552    1552   6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7.exe   27
  PID 1552 wrote to memory of 552    1552   6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7.exe   27
  PID 1552 wrote to memory of 552    1552   6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7.exe   27
  PID 552 wrote to memory of 1912    552    cmd.exe                                                                  29
  PID 552 wrote to memory of 1912    552    cmd.exe                                                                  29
  PID 552 wrote to memory of 1912    552    cmd.exe                                                                  29
  PID 552 wrote to memory of 1912    552    cmd.exe                                                                  29
Processes
C:\Users\Admin\AppData\Local\Temp\6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7.exe"
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1552
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 6eb9bb7518056bcbbda9567bddb9c0b48d5017884dc9876d40431a7f3e0988f7.exe
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 552
    C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
      PID: 1912