Analysis
max time kernel: 187s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2022 20:18
Behavioral task: behavioral1
Sample: d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Resource: win7-20221111-en
Platform: windows7-x64
4 signatures
150 seconds
General
Target: d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Size: 658KB
MD5: ccc7fa962a403ca8c7cf0c713afd8bc6
SHA1: e5146146d74d630713414e92d025be1a8da70d5c
SHA256: d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903
SHA512: d93a76914c750b6d2a77de9fe583e3a64d54aa8cf27d4c61dbd0e0b6682e49ec56aafef4ac34188bb7194af66020aa972a56adb98f36ba531fb090e9064e84e8
SSDEEP: 12288:q9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hT:mZ1xuVVjfFoynPaVBUR8f+kN10EB1
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
description                               pid  process
Token: SeIncreaseQuotaPrivilege           460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeSecurityPrivilege                460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeTakeOwnershipPrivilege           460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeLoadDriverPrivilege              460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeSystemProfilePrivilege           460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeSystemtimePrivilege              460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeProfSingleProcessPrivilege       460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeIncBasePriorityPrivilege         460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeCreatePagefilePrivilege          460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeBackupPrivilege                  460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeRestorePrivilege                 460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeShutdownPrivilege                460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeDebugPrivilege                   460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeSystemEnvironmentPrivilege       460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeChangeNotifyPrivilege            460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeRemoteShutdownPrivilege          460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeUndockPrivilege                  460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeManageVolumePrivilege            460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeImpersonatePrivilege             460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: SeCreateGlobalPrivilege            460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: 33                                 460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: 34                                 460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: 35                                 460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe
Token: 36                                 460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid  process
460  d2799d83e4d3c952e7f37caf3c2a0df1039a96ae600d53e7323e224745667903.exe