Analysis

max time kernel:   83s
max time network:  129s
platform:          windows7_x64
resource:          win7-20220812-en
resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted:         26-11-2022 04:20

Static task:       static1

Behavioral task:   behavioral1
  Sample:          510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
  Resource:        win7-20220812-en

Behavioral task:   behavioral2
  Sample:          510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
  Resource:        win10v2004-20220812-en

General

Target:   510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
Size:     688KB
MD5:      42d085dff1bf12f8ab7f57fafdf9dc15
SHA1:     62103dbeacf57605baf13802d1eb2a18d7a3656c
SHA256:   510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac
SHA512:   a73bbae819123ed1fdafc75c4ee6be4df82aa042ac564c9e89efe90f4c3c94c3964628d70a5fca41093101e946b23e58eed8244024e29cc656c06e5c537efccf
SSDEEP:   12288:WnvpS1w3sPVESMn/QLPNPjQ6XlsZwOcmxwaxIxVdWYRJJJkXu19TDbJ:WnvUq3sdW/qjQ6X5OlwaxInddLkunPb
Malware Config
Signatures
-
Downloads MZ/PE file

Memory regions matching yara rule "upx" (the same 0x146000-byte region is dumped repeatedly from each process as the run progresses):
resource                                                                       yara_rule
behavioral1/memory/1172-55-0x0000000001CA0000-0x0000000001DE6000-memory.dmp    upx
behavioral1/memory/1172-59-0x0000000001CA0000-0x0000000001DE6000-memory.dmp    upx
behavioral1/memory/1172-58-0x0000000001CA0000-0x0000000001DE6000-memory.dmp    upx
behavioral1/memory/1172-62-0x0000000001CA0000-0x0000000001DE6000-memory.dmp    upx
behavioral1/memory/1172-63-0x0000000001CA0000-0x0000000001DE6000-memory.dmp    upx
behavioral1/memory/1172-64-0x0000000001CA0000-0x0000000001DE6000-memory.dmp    upx
behavioral1/memory/1704-67-0x0000000001DB0000-0x0000000001EF6000-memory.dmp    upx
behavioral1/memory/1704-70-0x0000000001DB0000-0x0000000001EF6000-memory.dmp    upx
behavioral1/memory/1704-71-0x0000000001DB0000-0x0000000001EF6000-memory.dmp    upx
behavioral1/memory/1704-72-0x0000000001DB0000-0x0000000001EF6000-memory.dmp    upx
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes:
description    ioc                                                                                                       process
Key created    \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
Suspicious behavior: EnumeratesProcesses  2 IoCs
Processes:
pid     process
1172    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
1172    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
Suspicious use of AdjustPrivilegeToken  1 IoCs
Processes:
description                    pid     process
Token: SeShutdownPrivilege     1172    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
Suspicious use of SetWindowsHookEx  2 IoCs
Processes:
pid     process
1172    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
1172    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
Suspicious use of WriteProcessMemory  4 IoCs
Processes:
description                           pid     process                                                                  target process
PID 1172 wrote to memory of 1704      1172    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
PID 1172 wrote to memory of 1704      1172    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
PID 1172 wrote to memory of 1704      1172    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
PID 1172 wrote to memory of 1704      1172    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe    510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
   "C:\Users\Admin\AppData\Local\Temp\510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe"
   (PID 1172, per the IoC tables above)
   - Modifies Internet Explorer settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
      "C:\Users\Admin\AppData\Local\Temp\510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe" /_ShowProgress
      (child of PID 1172; PID 1704 is the target of the WriteProcessMemory IoCs above)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory dump                                                          size
memory/1172-54-0x0000000076711000-0x0000000076713000-memory.dmp      8KB
memory/1172-55-0x0000000001CA0000-0x0000000001DE6000-memory.dmp      1.3MB
memory/1172-59-0x0000000001CA0000-0x0000000001DE6000-memory.dmp      1.3MB
memory/1172-58-0x0000000001CA0000-0x0000000001DE6000-memory.dmp      1.3MB
memory/1172-60-0x0000000000400000-0x0000000000414000-memory.dmp      80KB
memory/1172-61-0x0000000000250000-0x00000000002FD000-memory.dmp      692KB
memory/1172-62-0x0000000001CA0000-0x0000000001DE6000-memory.dmp      1.3MB
memory/1172-63-0x0000000001CA0000-0x0000000001DE6000-memory.dmp      1.3MB
memory/1172-64-0x0000000001CA0000-0x0000000001DE6000-memory.dmp      1.3MB
memory/1704-65-0x0000000000000000-mapping.dmp                        (mapping dump, no size listed)
memory/1704-67-0x0000000001DB0000-0x0000000001EF6000-memory.dmp      1.3MB
memory/1704-70-0x0000000001DB0000-0x0000000001EF6000-memory.dmp      1.3MB
memory/1704-71-0x0000000001DB0000-0x0000000001EF6000-memory.dmp      1.3MB
memory/1704-72-0x0000000001DB0000-0x0000000001EF6000-memory.dmp      1.3MB
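The dump names above encode the PID, a sequence number and the region's start/end address, so the sizes the report shows can be recomputed from the names alone, and the "PID 1172 wrote to memory of 1704" IoCs can be checked against them: the parent's UPX-flagged region (0x1CA0000-0x1DE6000) and the child's (0x1DB0000-0x1EF6000) are both 0x146000 bytes. The following Python script is an added example, not part of the sandbox report or its tooling; the dump names, the UPX-flagged regions and the WriteProcessMemory rows are copied from the report above into constants, and the correlation rule (same-sized region in writer and target) is the script's own heuristic, not a signature the report itself applies.

```python
"""Parse sandbox memory-dump names, recover region sizes and correlate the
parent's UPX-flagged region with the child it wrote into.  Added example;
all input is copied from the report above, the dump files are not needed."""
import re
from collections import defaultdict

# Dump names from the report's Downloads section (constructed input, copied from the page).
DUMP_NAMES = [
    "memory/1172-54-0x0000000076711000-0x0000000076713000-memory.dmp",
    "memory/1172-55-0x0000000001CA0000-0x0000000001DE6000-memory.dmp",
    "memory/1172-59-0x0000000001CA0000-0x0000000001DE6000-memory.dmp",
    "memory/1172-58-0x0000000001CA0000-0x0000000001DE6000-memory.dmp",
    "memory/1172-60-0x0000000000400000-0x0000000000414000-memory.dmp",
    "memory/1172-61-0x0000000000250000-0x00000000002FD000-memory.dmp",
    "memory/1172-62-0x0000000001CA0000-0x0000000001DE6000-memory.dmp",
    "memory/1172-63-0x0000000001CA0000-0x0000000001DE6000-memory.dmp",
    "memory/1172-64-0x0000000001CA0000-0x0000000001DE6000-memory.dmp",
    "memory/1704-65-0x0000000000000000-mapping.dmp",
    "memory/1704-67-0x0000000001DB0000-0x0000000001EF6000-memory.dmp",
    "memory/1704-70-0x0000000001DB0000-0x0000000001EF6000-memory.dmp",
    "memory/1704-71-0x0000000001DB0000-0x0000000001EF6000-memory.dmp",
    "memory/1704-72-0x0000000001DB0000-0x0000000001EF6000-memory.dmp",
]

# (pid, start, end) of the regions the report's yara rule "upx" matched.
UPX_FLAGGED = {(1172, 0x1CA0000, 0x1DE6000), (1704, 0x1DB0000, 0x1EF6000)}

# (writer pid, target pid) rows of the "Suspicious use of WriteProcessMemory" table.
WRITE_PROCESS_MEMORY = [(1172, 1704)] * 4

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]{16})"
    r"(?:-0x(?P<end>[0-9A-Fa-f]{16}))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump_name(name):
    """Return dict(pid, seq, kind, start, end, size) or None for a non-matching name.
    A mapping dump carries only a placeholder address, so end and size are None."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end,
            "size": (end - start) if end is not None else None}


def human_size(n):
    """Reproduce the report's rounding: whole KB below 1 MiB, one-decimal MB above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def regions_by_pid(names):
    """Distinct (start, end) regions per PID; the sandbox dumps the same region
    repeatedly as execution progresses, which is collapsed here."""
    out = defaultdict(set)
    for name in names:
        r = parse_dump_name(name)
        if r and r["kind"] == "memory":
            out[r["pid"]].add((r["start"], r["end"]))
    return dict(out)


def correlate_injection(names, writes, upx_flagged):
    """For each (writer, target) pair, list target regions whose size equals a
    UPX-flagged region in the writer.  A same-sized, packed region showing up in a
    self-spawned child right after the parent wrote to it is the unpacked payload
    an analyst should dump and carve first (heuristic of this example)."""
    regions = regions_by_pid(names)
    hits = []
    for writer, target in sorted(set(writes)):
        for (ws, we) in {(s, e) for (p, s, e) in upx_flagged if p == writer}:
            for (ts, te) in sorted(regions.get(target, ())):
                if te - ts == we - ws:
                    hits.append({"writer": writer, "writer_region": (ws, we),
                                 "target": target, "target_region": (ts, te),
                                 "size": te - ts,
                                 "target_flagged": (target, ts, te) in upx_flagged})
    return hits


if __name__ == "__main__":
    for name in DUMP_NAMES:
        r = parse_dump_name(name)
        size = human_size(r["size"]) if r["size"] is not None else "(mapping, no range)"
        print(f"pid {r['pid']:>5}  #{r['seq']:<3} {r['kind']:<7} {size}")
    for h in correlate_injection(DUMP_NAMES, WRITE_PROCESS_MEMORY, UPX_FLAGGED):
        print(f"PID {h['writer']} -> PID {h['target']}: {human_size(h['size'])} region "
              f"{h['target_region'][0]:#x}-{h['target_region'][1]:#x} matches the parent's "
              f"UPX-flagged region; child region also flagged: {h['target_flagged']}")
```

Running it reproduces the 8KB / 1.3MB / 80KB / 692KB sizes shown in the table and reports a single correlated pair: the 0x146000-byte region in PID 1704, which is also where the yara rule fired, so that child dump (memory/1704-67 or later) is the one to unpack rather than the 688KB file on disk.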