a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01

Analysis

max time kernel
25s
max time network
62s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe
Size

88KB
MD5

4a751d214c4288d8ecff827600eb2da0
SHA1

d4099af877347d4b356dd925c8ec6e4d2275dd5f
SHA256

a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01
SHA512

9a65aecaa060a854db2e0798fcd9677e566448874f8ee45ad667f6619a3760895a1644499887b918b1c5122422a00c42eb74bb36f0bbede0b4d723989b7800a9
SSDEEP

1536:WeWTfSa1figrpr6/rAR/0n27IvJguHs/2737IMlfPA:mSWFrqUR/029MlfPA

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

340 cmd.exe

pid	process
340	cmd.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

612 tasklist.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tasklist.exe

description pid process

Token: SeDebugPrivilege 612 tasklist.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe

pid process

1976 a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe

pid	process
612	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	612	tasklist.exe

pid	process
1976	a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.execmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 340	1976	a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe	cmd.exe
PID 1976 wrote to memory of 340	1976	a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe	cmd.exe
PID 1976 wrote to memory of 340	1976	a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe	cmd.exe
PID 1976 wrote to memory of 340	1976	a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe	cmd.exe
PID 340 wrote to memory of 612	340	cmd.exe	tasklist.exe
PID 340 wrote to memory of 612	340	cmd.exe	tasklist.exe
PID 340 wrote to memory of 612	340	cmd.exe	tasklist.exe
PID 340 wrote to memory of 612	340	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe
"C:\Users\Admin\AppData\Local\Temp\a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del a344b76f0a4a1d5be90dd9c4b7d8f9f70bcb8db81a56210b9e5ea38c03441c01.exe
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/340-58-0x0000000000000000-mapping.dmp

Download
memory/612-59-0x0000000000000000-mapping.dmp

Download
memory/1976-56-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1976-57-0x0000000003840000-0x00000000042FA000-memory.dmp

Filesize
10.7MB

Download