Overview

overview

9

Static

static

6849bf7b14...cb.exe

windows7-x64

6849bf7b14...cb.exe

windows10-2004-x64

Analysis

  • max time kernel
    165s
  • max time network
    196s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2022 19:39

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    6849bf7b141ad9ee2bf5aaa7ebd0ccbbf97105e06d9ef333a48b540b6de13dcb.exe

  • Size

    2.0MB

  • MD5

    208163a38ece0c2ca35ccdc28b04bd3b

  • SHA1

    2d969440afd52cd1d94a87822b885f4ea447b36e

  • SHA256

    6849bf7b141ad9ee2bf5aaa7ebd0ccbbf97105e06d9ef333a48b540b6de13dcb

  • SHA512

    f7ad0d180c3b9bbaff0c8c3d27ac0278f20479fc2b6f5d3d49fdd9d82601d96e4fa02556243843d2cec649fac7944e7138891f4d87aaae9fe9579e70022bacb1

  • SSDEEP

    49152:agkESlEQbdmNTs36OtsJ0MH9awJOusluKOY:agcEWmNAK2E9a9usl

Score
9/10
evasionransomware

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6849bf7b141ad9ee2bf5aaa7ebd0ccbbf97105e06d9ef333a48b540b6de13dcb.exe
    "C:\Users\Admin\AppData\Local\Temp\6849bf7b141ad9ee2bf5aaa7ebd0ccbbf97105e06d9ef333a48b540b6de13dcb.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\system32\cmd.exe
      cmd.exe /c bcdedit /set safeboot network
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set safeboot network
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1056
    • C:\Windows\system32\shutdown.exe
      shutdown -r -t 00
      2⤵
        PID:1464
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x1d8
      1⤵
        PID:556
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x0
        1⤵
          PID:1528
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x1
          1⤵
            PID:732

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1056-60-0x0000000000000000-mapping.dmp

            Download

          • memory/1464-61-0x0000000000000000-mapping.dmp

            Download

          • memory/1528-63-0x000007FEFBF61000-0x000007FEFBF63000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1700-54-0x00000000002B0000-0x00000000004AE000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/1700-55-0x000000001B4D0000-0x000000001B696000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1700-56-0x000000001B8B0000-0x000000001BA84000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1700-57-0x000000001BD90000-0x000000001BFB0000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/1700-58-0x000000001AF36000-0x000000001AF55000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1700-62-0x000000001AF36000-0x000000001AF55000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1728-59-0x0000000000000000-mapping.dmp

            Download