Analysis
max time kernel: 132s
max time network: 159s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 16:58
Static task: static1
Behavioral task: behavioral1
  Sample: .exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: .exe
  Resource: win10v2004-20220812-en
General
Target: .exe
Size: 176KB
MD5: eebfdbc8bf820a7751f02050b0f5cd16
SHA1: 721db8bf3778570d6cd18fb749030ce99704d094
SHA256: 8ba41c7311481426b3858304c2ef122c3121123abcb9387c8b0bd300b1c5fe39
SHA512: aaa37c396de5e3bdc7ef2c5ce620646192349953f7fbf7dedcdb0f3d81c24b33a6ef05a5d501c08f58df86f1fd0356ee902fccd24da20c9c5ae90aa87c15cf3f
SSDEEP: 3072:tsGkrEM7aAMll8bqndiaxemXELx9HRkF/aZNJosLtFLFEKWP1Ih:+V7El8bIdia50TzNJoUHLCl
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1616 Wbem.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process), reported for .exe:
    Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update Service = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Wbem.exe\"" | .exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process), reported for .exe:
    PID 548 wrote to memory of 1616 | 548 | .exe | Wbem.exe
    PID 548 wrote to memory of 1616 | 548 | .exe | Wbem.exe
    PID 548 wrote to memory of 1616 | 548 | .exe | Wbem.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Wbem.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Wbem.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\win32host.sys
  Filesize: 119B
  MD5: 60c74f2b03a54c0fa7755cd991881978
  SHA1: 0eb4753615d1d8349a5cd823ff1e07112e79c4fe
  SHA256: fc96204efe0f5bafac1d66d891e26d66cc41c5165492032dd9ee1afdce1df703
  SHA512: 5511749592c2ae653801492a4b92bcd5091e5dfc2d1cc70f4fd96b9433e41bd36c0cfe40b2b29bda3f880d83904fdc5a213c38c1e7a1c28c7c4bfa1cdcd08bdd
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Wbem.exe
  Filesize: 176KB
  MD5: eebfdbc8bf820a7751f02050b0f5cd16
  SHA1: 721db8bf3778570d6cd18fb749030ce99704d094
  SHA256: 8ba41c7311481426b3858304c2ef122c3121123abcb9387c8b0bd300b1c5fe39
  SHA512: aaa37c396de5e3bdc7ef2c5ce620646192349953f7fbf7dedcdb0f3d81c24b33a6ef05a5d501c08f58df86f1fd0356ee902fccd24da20c9c5ae90aa87c15cf3f
memory/548-54-0x000007FEF4830000-0x000007FEF5253000-memory.dmp
  Filesize: 10.1MB
memory/548-55-0x000007FEFC281000-0x000007FEFC283000-memory.dmp
  Filesize: 8KB
memory/1616-56-0x0000000000000000-mapping.dmp
memory/1616-59-0x000007FEF5710000-0x000007FEF6133000-memory.dmp
  Filesize: 10.1MB