Analysis
- max time kernel: 194s
- max time network: 202s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 04:20
Static task: static1
Behavioral task: behavioral1
- Sample: 510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
- Resource: win10v2004-20220812-en
General
- Target: 510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
- Size: 688KB
- MD5: 42d085dff1bf12f8ab7f57fafdf9dc15
- SHA1: 62103dbeacf57605baf13802d1eb2a18d7a3656c
- SHA256: 510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac
- SHA512: a73bbae819123ed1fdafc75c4ee6be4df82aa042ac564c9e89efe90f4c3c94c3964628d70a5fca41093101e946b23e58eed8244024e29cc656c06e5c537efccf
- SSDEEP: 12288:WnvpS1w3sPVESMn/QLPNPjQ6XlsZwOcmxwaxIxVdWYRJJJkXu19TDbJ:WnvUq3sdW/qjQ6X5OlwaxInddLkunPb
Malware Config
Signatures
- Downloads MZ/PE file
  Processes (resource | yara_rule):
  behavioral2/memory/1756-134-0x00000000022A0000-0x00000000023E6000-memory.dmp | upx
  behavioral2/memory/1756-137-0x00000000022A0000-0x00000000023E6000-memory.dmp | upx
  behavioral2/memory/1756-138-0x00000000022A0000-0x00000000023E6000-memory.dmp | upx
  behavioral2/memory/1756-139-0x00000000022A0000-0x00000000023E6000-memory.dmp | upx
  behavioral2/memory/1756-140-0x00000000022A0000-0x00000000023E6000-memory.dmp | upx
  behavioral2/memory/1756-141-0x00000000022A0000-0x00000000023E6000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
  1756 | 510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
  1756 | 510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
  1756 | 510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
  1756 | 510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeShutdownPrivilege | 1756 | 510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
  Token: SeCreatePagefilePrivilege | 1756 | 510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
  1756 | 510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
  1756 | 510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe
Processes
1. "C:\Users\Admin\AppData\Local\Temp\510b0abed1d9560ec050a2b291231931e85d7f7e7f15ed7dfd1a41a22f0f34ac.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dump | Filesize)
- memory/1756-132-0x0000000000400000-0x0000000000414000-memory.dmp | 80KB
- memory/1756-133-0x00000000021F0000-0x000000000229D000-memory.dmp | 692KB
- memory/1756-134-0x00000000022A0000-0x00000000023E6000-memory.dmp | 1.3MB
- memory/1756-137-0x00000000022A0000-0x00000000023E6000-memory.dmp | 1.3MB
- memory/1756-138-0x00000000022A0000-0x00000000023E6000-memory.dmp | 1.3MB
- memory/1756-139-0x00000000022A0000-0x00000000023E6000-memory.dmp | 1.3MB
- memory/1756-140-0x00000000022A0000-0x00000000023E6000-memory.dmp | 1.3MB
- memory/1756-141-0x00000000022A0000-0x00000000023E6000-memory.dmp | 1.3MB