Analysis
max time kernel: 25s
max time network: 62s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 18:36
Static task: static1
Behavioral task: behavioral1
  Sample: a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe
  Resource: win10v2004-20221111-en
General
Target: a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe
Size: 88KB
MD5: 4a751d214c4288d8ecff827600eb2da0
SHA1: d4099af877347d4b356dd925c8ec6e4d2275dd5f
SHA256: a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01
SHA512: 9a65aecaa060a854db2e0798fcd9677e566448874f8ee45ad667f6619a3760895a1644499887b918b1c5122422a00c42eb74bb36f0bbede0b4d723989b7800a9
SSDEEP: 1536:WeWTfSa1figrpr6/rAR/0n27IvJguHs/2737IMlfPA:mSWFrqUR/029MlfPA
Malware Config
Signatures
Deletes itself (1 IoC)
  Processes:
    pid 340  cmd.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates processes with tasklist (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  pid 612  tasklist.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid 1976  a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
    PID 1976 wrote to memory of 340  1976  a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe  cmd.exe       (4 identical entries)
    PID 340 wrote to memory of 612   340   cmd.exe                                                                 tasklist.exe  (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe"
   - Maps connected drives based on registry
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\tasklist.exe
         Command line: tasklist
         - Enumerates processes with tasklist
         - Suspicious use of AdjustPrivilegeToken