Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23/11/2022, 23:59
General
-
Target
c13b977347db3a398588dc278049dc0c41881a877f0ec5eeeefd1e98a8976df1.exe
-
Size
43KB
-
MD5
16605dbbe10456fdebfd861f0a528990
-
SHA1
7dcf094125b482cfcbdb1b7997e6d5e06c20633a
-
SHA256
c13b977347db3a398588dc278049dc0c41881a877f0ec5eeeefd1e98a8976df1
-
SHA512
0c89b114868f1dad85fbc75ed5b6a77ef4453d7c18e280337c6f13c79e38d1aff773480809677f6a9a2d250f1819ed609d6e0f15cc67e2984a435a0f60964a94
-
SSDEEP
384:jBp7EtDo+k7qKZwr1D+um22Nw/tXRmmEtrNxvb53y2DCuLfgMBK2VuJYgHMOC8RE:jBb7Do1jDaw/q3Nm2VsMc1MO1
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c13b977347db3a398588dc278049dc0c41881a877f0ec5eeeefd1e98a8976df1.exe"C:\Users\Admin\AppData\Local\Temp\c13b977347db3a398588dc278049dc0c41881a877f0ec5eeeefd1e98a8976df1.exe"1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del c13b977347db3a398588dc278049dc0c41881a877f0ec5eeeefd1e98a8976df1.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-