66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e

Analysis

max time kernel
62s
max time network
49s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe
Size

73KB
MD5

44c1c5ddff0398554bbc20d66c2f9ea0
SHA1

f8a897c7f01dc5724b31bcace28d0a8c81fc8cb2
SHA256

66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e
SHA512

19d4508a4103a9e626f63991e12152f9ff1550a4c0576f7a48664a22c6a03521def6d3e6bb6f6c69744b8dfebefa49ead0e88b64d4bfb6992ce121e102825e01
SSDEEP

768:+OEXA94anygNshmqluQ4UXUEPLsbaxlWuzG3k4TajMMEU5yeT7D7dmxmf:+Op4uyblkeLg40xhmrT7D7dQm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

956 cmd.exe

pid	process
956	cmd.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1656 tasklist.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tasklist.exe

description pid process

Token: SeDebugPrivilege 1656 tasklist.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe

pid process

1704 66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe

pid	process
1656	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	1656	tasklist.exe

pid	process
1704	66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.execmd.exe

description	pid	process	target process
PID 1704 wrote to memory of 956	1704	66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe	cmd.exe
PID 1704 wrote to memory of 956	1704	66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe	cmd.exe
PID 1704 wrote to memory of 956	1704	66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe	cmd.exe
PID 1704 wrote to memory of 956	1704	66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe	cmd.exe
PID 956 wrote to memory of 1656	956	cmd.exe	tasklist.exe
PID 956 wrote to memory of 1656	956	cmd.exe	tasklist.exe
PID 956 wrote to memory of 1656	956	cmd.exe	tasklist.exe
PID 956 wrote to memory of 1656	956	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe
"C:\Users\Admin\AppData\Local\Temp\66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 66a1b0febca26b59ac499f432f7a7be17348a3bfdab12f05859a0fa6b69a5f7e.exe
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-57-0x0000000000000000-mapping.dmp

Download
memory/1656-58-0x0000000000000000-mapping.dmp

Download
memory/1704-56-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download