Analysis

max time kernel: 44s
max time network: 48s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 18:58
Static task: static1

Behavioral task: behavioral1
Sample: 03722b1e8137933520916ffa823a3d1e2bfd41ba515da0610ca526fb081cc371.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 03722b1e8137933520916ffa823a3d1e2bfd41ba515da0610ca526fb081cc371.exe
Resource: win10v2004-20220812-en
General

Target: 03722b1e8137933520916ffa823a3d1e2bfd41ba515da0610ca526fb081cc371.exe
Size: 33KB
MD5: 43ac94cc596ef35eae8054b8bb4e92a0
SHA1: 64d8758bb4e5f1364ec8f9e5089a27b76f64f687
SHA256: 03722b1e8137933520916ffa823a3d1e2bfd41ba515da0610ca526fb081cc371
SHA512: d0b149abc999e3b3c3540a6aa8ec0d04696afc191d8e4b36dd8001b064c23b0c41e687008b77f9622e5e33fe3aa63b7be96986dcec8b8a38b5856d5179a8e916
SSDEEP: 384:Z6tIquqAdVRHvejM+pUgqsJGE2bh0nCWSynIxLT6aXLA0JvOfEdS6NDE7ThU:0tIquq+VdvejMiWsCbkIL+mAe4EkT7+
Malware Config
Signatures

Deletes itself (1 IoC)
Processes:
pid   process
680   cmd.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
description         ioc                                                           process
Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     03722b1e8137933520916ffa823a3d1e2bfd41ba515da0610ca526fb081cc371.exe
Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   03722b1e8137933520916ffa823a3d1e2bfd41ba515da0610ca526fb081cc371.exe
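The Disk\Enum value read above is a common hypervisor check: value "0" is the device instance ID of the first disk, and on a VM that string usually carries the hypervisor's name. The following Python is an added illustration of that check, not the sample's code and not taken from the report; the marker list and the instance-ID strings in SAMPLE_DISK_ENUMS are assumptions/constructed, and the live read (Windows only) uses CurrentControlSet rather than the ControlSet001 path the sample hard-codes.

```python
r"""Sandbox check the sample performs, re-implemented for illustration.

Reading HKLM\SYSTEM\...\Services\Disk\Enum\0 returns the device instance ID
of the first disk.  On a VM that string usually names the hypervisor, which
is why malware reads it.  Not the sample's code; the marker strings and the
sample values below are assumptions/constructed, not taken from the report.
"""
import sys

# Substrings that typically show up in virtual-disk instance IDs (assumption:
# common defaults; any of them can be changed by the hypervisor operator).
VM_DISK_MARKERS = ("VMWARE", "VBOX", "VIRTUAL", "QEMU", "XEN")

# Constructed examples of Disk\Enum value data (not read from the report).
SAMPLE_DISK_ENUMS = {
    "vmware":     [r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1d7c9b5d&0&000000"],
    "virtualbox": [r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&2e0b5a6&0&0.0.0"],
    "qemu":       [r"SCSI\Disk&Ven_QEMU&Prod_QEMU_HARDDISK\4&5a3b0c1&0&000000"],
    "hyperv":     [r"SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\000000"],
    "physical":   [r"IDE\DiskST1000DM003-1CH162_____________________CC47____\W1F2ABCD",
                   r"SCSI\Disk&Ven_Samsung&Prod_SSD_860_EVO\4&2d1f3a2b&0&000100"],
}


def vm_markers(instance_id):
    """Return the hypervisor markers present in one Disk\\Enum instance ID."""
    upper = instance_id.upper()
    return [m for m in VM_DISK_MARKERS if m in upper]


def looks_virtual(instance_ids):
    """True if any enumerated disk carries a hypervisor marker."""
    return any(vm_markers(i) for i in instance_ids)


def read_disk_enum_live():
    """Read the real Disk\\Enum values on Windows; return [] elsewhere.

    Uses CurrentControlSet; the sample hard-codes ControlSet001, which is
    normally the same control set but need not be.
    """
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, imported lazily so the rest runs anywhere
    values = []
    path = r"SYSTEM\CurrentControlSet\Services\Disk\Enum"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        count, _ = winreg.QueryValueEx(key, "Count")   # number of "0", "1", ... values
        for i in range(count):
            data, _ = winreg.QueryValueEx(key, str(i))
            values.append(data)
    return values


if __name__ == "__main__":
    for name, ids in SAMPLE_DISK_ENUMS.items():
        print(f"{name:11s} virtual={looks_virtual(ids)} markers={[vm_markers(i) for i in ids]}")
    live = read_disk_enum_live()
    if live:
        print("this host:", "virtual" if looks_virtual(live) else "no marker", live)
```

When building an analysis VM, the same function run against the real key tells you whether the disk vendor string would give the environment away; the usual countermeasure is to rename the virtual disk so its instance ID looks like a physical vendor model.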
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No separate IoC is listed for this signature; the only storage-related evidence in this report is the Disk\Enum registry read recorded under "Maps connected drives based on registry", so read the ransomware remark as the signature's generic description rather than as a finding specific to this sample.
Enumerates processes with tasklist (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description               pid    process
Token: SeDebugPrivilege   1212   tasklist.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid    process
1528   03722b1e8137933520916ffa823a3d1e2bfd41ba515da0610ca526fb081cc371.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description                         pid    process                                                                  target process
PID 1528 wrote to memory of 680     1528   03722b1e8137933520916ffa823a3d1e2bfd41ba515da0610ca526fb081cc371.exe   cmd.exe        (logged 4 times)
PID 680 wrote to memory of 1212     680    cmd.exe                                                                  tasklist.exe   (logged 4 times)
Processes

C:\Users\Admin\AppData\Local\Temp\03722b1e8137933520916ffa823a3d1e2bfd41ba515da0610ca526fb081cc371.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03722b1e8137933520916ffa823a3d1e2bfd41ba515da0610ca526fb081cc371.exe"
  PID: 1528
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 03722b1e8137933520916ffa823a3d1e2bfd41ba515da0610ca526fb081cc371.exe
      PID: 680
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          PID: 1212
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

The command lines name C:\Windows\System32\cmd.exe, but the image that actually runs is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process on 64-bit Windows, so WOW64 file system redirection maps its System32 references to SysWOW64. Hunt for both paths when searching for this tree in telemetry.
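The tree above is the classic self-deletion pattern: the dropped executable starts cmd.exe with "/c tasklist&&del <own file name>", where tasklist exists only to burn a moment so the parent can exit and release its file handle before del runs. As an added detection example (not the report's or the sample's code), the following Python flags that pattern over constructed Sysmon-style process-creation events. The PIDs and command lines follow the tree above; the explorer.exe parent, the benign fourth event, and the field names are assumptions.

```python
r"""Detect the self-deletion pattern shown in the process tree above.

Added detection example run over constructed Sysmon-style process-creation
events; not the report's or the sample's code.  The PIDs and command lines
follow the report's tree, the explorer.exe parent and the benign cmd.exe
event are assumptions.
"""
import ntpath
import re

DELETE_VERBS = {"del", "erase"}
# Commands commonly chained in front of del purely as a delay.
DELAY_COMMANDS = {"tasklist", "ping", "timeout", "choice"}

SAMPLE_NAME = "03722b1e8137933520916ffa823a3d1e2bfd41ba515da0610ca526fb081cc371.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME

EVENTS = [  # constructed
    {"ProcessId": 1528, "ParentProcessId": 1000, "Image": SAMPLE_PATH,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{SAMPLE_PATH}"'},
    {"ProcessId": 680, "ParentProcessId": 1528, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": SAMPLE_PATH,
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c tasklist&&del ' + SAMPLE_NAME},
    {"ProcessId": 1212, "ParentProcessId": 680, "Image": r"C:\Windows\SysWOW64\tasklist.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "tasklist"},
    {"ProcessId": 2000, "ParentProcessId": 1000, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c del /q C:\Temp\old.log'},
]


def split_chain(cmdline):
    """Split a cmd.exe command line on its chaining operators (&&, ||, &, |)."""
    return [p for p in re.split(r"\s*(?:&&|\|\||&|\|)\s*", cmdline) if p]


def tokenize(segment):
    """Whitespace split with surrounding quotes removed (quoted paths with spaces not handled)."""
    return [t.strip('"') for t in segment.split()]


def strip_cmd_prefix(tokens):
    """Drop a leading cmd.exe path and its /c or /k switch, if present."""
    if tokens and ntpath.basename(tokens[0]).lower() == "cmd.exe":
        tokens = tokens[1:]
        if tokens and tokens[0].lower() in ("/c", "/k"):
            tokens = tokens[1:]
    return tokens


def leading_command(segment):
    """Name of the program a chain segment runs, without path or .exe."""
    tokens = strip_cmd_prefix(tokenize(segment))
    if not tokens:
        return ""
    name = ntpath.basename(tokens[0]).lower()
    return name[:-4] if name.endswith(".exe") else name


def delete_targets(segment):
    """Base names passed to del/erase in this segment (switches like /q skipped)."""
    tokens = strip_cmd_prefix(tokenize(segment))
    if not tokens or tokens[0].lower() not in DELETE_VERBS:
        return []
    return [ntpath.basename(t).lower() for t in tokens[1:] if not t.startswith("/")]


def check_self_delete(event):
    """Finding dict if this cmd.exe event deletes its parent's own image, else None."""
    if ntpath.basename(event["Image"]).lower() != "cmd.exe":
        return None
    parent_name = ntpath.basename(event["ParentImage"]).lower()
    segments = split_chain(event["CommandLine"])
    delays = [leading_command(s) for s in segments if leading_command(s) in DELAY_COMMANDS]
    for seg in segments:
        if parent_name in delete_targets(seg):
            return {"pid": event["ProcessId"], "parent_pid": event["ParentProcessId"],
                    "deleted": parent_name, "delay_via": delays}
    return None


def scan(events):
    """All self-delete findings in a list of process-creation events."""
    return [f for f in (check_self_delete(e) for e in events) if f]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"self-delete: cmd.exe pid {f['pid']} deletes parent pid {f['parent_pid']} "
              f"({f['deleted']}) after {f['delay_via'] or 'no delay'}")
```

Matching on the parent's image base name rather than on "tasklist&&del" keeps the rule working when the delay command is swapped for ping or timeout, and it ignores ordinary cleanup commands such as the fourth event, whose del target is unrelated to its parent.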