Analysis
- max time kernel: 150s
- max time network: 204s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 08:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: 55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe
- Resource: win7-20220901-en
General
- Target: 55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe
- Size: 207KB
- MD5: 4a9eab928b94427188ef30782f14d181
- SHA1: 08554b3ab7044a918e782f12a09b83970fe3d47e
- SHA256: 55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b
- SHA512: 24e2aa30dacf9b5b07a9381cbaa79c35e8a0af15b380588ac073d5679b54a8b0d2b3a95949fcc2ecbe045e530cde846da88b600ba790dccb7aa6faaf2177f67b
- SSDEEP: 3072:vtK8sN3+yM6f0tH5KWR8iIKyVppK3kQIzl6r0WZH0ZxiCcWMKj1NPjet:vo5MyStjRDybMkQTv0Zx+bG1Nw
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
    pid  | process
    1376 | 55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      | pid  | process                                                               | target process
    PID 1748 wrote to memory of 1376 | 1748 | 55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe | 55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe
    PID 1748 wrote to memory of 1376 | 1748 | 55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe | 55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe
    PID 1748 wrote to memory of 1376 | 1748 | 55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe | 55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe
    PID 4092 wrote to memory of 364  | 4092 | servdiag.exe                                                          | servdiag.exe
    PID 4092 wrote to memory of 364  | 4092 | servdiag.exe                                                          | servdiag.exe
    PID 4092 wrote to memory of 364  | 4092 | servdiag.exe                                                          | servdiag.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe --bef9fffa
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\servdiag.exe
  Command line: "C:\Windows\SysWOW64\servdiag.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\servdiag.exe --4f8f3a13
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/364-139-0x0000000000000000-mapping.dmp
- memory/364-141-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/364-142-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/1376-133-0x0000000000000000-mapping.dmp
- memory/1376-135-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/1376-136-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/1376-140-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/1748-132-0x00000000005F0000-0x000000000060B000-memory.dmp (Filesize: 108KB)
- memory/1748-134-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/4092-137-0x0000000000590000-0x00000000005AB000-memory.dmp (Filesize: 108KB)
- memory/4092-138-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)