Overview

overview

7

Static

static

eb00eb301c...9b.exe

windows7-x64

6

eb00eb301c...9b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    29s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 18:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb00eb301cd92f639ed0eca4d7915beab5be0d45f41f050dc68858c3b2e5999b.exe

  • Size

    92KB

  • MD5

    4736f438969d72afce6a77e9da63f9a0

  • SHA1

    6aceb006cf483cd9669924eff2affd520475b0a0

  • SHA256

    eb00eb301cd92f639ed0eca4d7915beab5be0d45f41f050dc68858c3b2e5999b

  • SHA512

    1a33e9a139adf821fe1399decac0d76188ee316c89520f624759c9f6c9919e17001beaa77457dd5afdab31ea6bc7ad9d7aa18c3550bd80b3d1ee5246a98fc2f1

  • SSDEEP

    1536:BawyQ/W+REElorg8/iwHdk6SzuAatLfts4V0dVnjy+Wm0eBecl1j:7Rborg8/bHdk6SzuAatLfts4KVnjy+Wg

Score
6/10

Malware Config

Signatures

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb00eb301cd92f639ed0eca4d7915beab5be0d45f41f050dc68858c3b2e5999b.exe
    "C:\Users\Admin\AppData\Local\Temp\eb00eb301cd92f639ed0eca4d7915beab5be0d45f41f050dc68858c3b2e5999b.exe"
    1⤵
    • Maps connected drives based on registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del eb00eb301cd92f639ed0eca4d7915beab5
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:680

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/268-58-0x0000000000000000-mapping.dmp

    Download

  • memory/680-59-0x0000000000000000-mapping.dmp

    Download

  • memory/2020-56-0x00000000760C1000-0x00000000760C3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2020-57-0x00000000033A0000-0x0000000003E5A000-memory.dmp

    Filesize

    10.7MB

    Download