Analysis

  • max time kernel
    186s
  • max time network
    207s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2022 07:32

General

  • Target

    1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe

  • Size

    216KB

  • MD5

    18da21337a68b2edf0abedc4a6cb6b0c

  • SHA1

    a42a59f6a2a778ece6cdf55d58ba58243e06a57c

  • SHA256

    1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626

  • SHA512

    60ad568cf5dcf02fc612972d1ff1836af924815c7be7ef106b4d565d81326fb3565ba7fa4e98016385a1f093c4b1a84fae0d4a44b84fcee92c29425dfe435487

  • SSDEEP

    3072:rawhW9eOEtiOOrKOoVfyAvs56z/fBTZ+J/h/GfJYO/SB+NvXY7JMW:rq/BpZooAkYfRZ+J/UR/HvXY

Score
9/10

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe
    "C:\Users\Admin\AppData\Local\Temp\1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\syswow64\explorer.exe
      "C:\Windows\syswow64\explorer.exe"
      2⤵
      • Drops startup file
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Windows\syswow64\svchost.exe
        -k netsvcs
        3⤵
        • Modifies data under HKEY_USERS
        PID:960
      • C:\Windows\syswow64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:916
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1292
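The tree above is the behaviour a detection engineer would want to catch on a real endpoint: the sample starts a SysWOW64 explorer.exe, that explorer.exe launches svchost.exe and vssadmin.exe, and vssadmin deletes every shadow copy. The following is an added example, not part of the sandbox report, that runs two checks over process-creation records modelled on that tree: a command-line match for shadow-copy deletion (vssadmin and, as a generalisation beyond this report, the wmic variant) and a parent/child sanity check for svchost.exe and explorer.exe. The records are constructed; the parent PIDs 1000 and 1100 and the benign control explorer.exe are assumptions the report does not show.

```python
import re
from collections import defaultdict

# Constructed process-creation records (pid, ppid, image, cmdline) modelled on
# the report's process tree. Parent PID 1000 for the sample and the benign
# explorer.exe entry (pid 1200) are assumptions, not sandbox output.
EVENTS = [
    {"pid": 1984, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe"'},
    {"pid": 1656, "ppid": 1984, "image": r"C:\Windows\syswow64\explorer.exe",
     "cmdline": r'"C:\Windows\syswow64\explorer.exe"'},
    {"pid": 960, "ppid": 1656, "image": r"C:\Windows\syswow64\svchost.exe",
     "cmdline": "-k netsvcs"},
    {"pid": 916, "ppid": 1656, "image": r"C:\Windows\syswow64\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    # Benign control: a normal shell whose parent is not in our record set.
    {"pid": 1200, "ppid": 1100, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
]

# Shadow-copy deletion via vssadmin (as in the report) or wmic (common variant).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)

# Parents under which these system binaries are normally created.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe", "winlogon.exe", "explorer.exe"},
}


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(index, pid):
    """Image names from pid up to the last ancestor we have a record for."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid, ancestry) findings in event order."""
    index = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        chain = " <- ".join(ancestry(index, e["pid"]))
        if SHADOW_DELETE.search(e["cmdline"]):
            findings.append(("shadow_copy_deletion", e["pid"], chain))
        parent = index.get(e["ppid"])
        # Only judge the parent when we actually have its record.
        if parent is not None and name in EXPECTED_PARENTS:
            if basename(parent["image"]) not in EXPECTED_PARENTS[name]:
                findings.append((name[:-4] + "_unexpected_parent", e["pid"], chain))
    return findings


if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"{rule:28s} pid={pid:<5d} {chain}")
```

Against the constructed records this yields three findings: explorer.exe (1656) created by the sample in %TEMP%, svchost.exe (960) created by that explorer.exe rather than services.exe, and the vssadmin deletion (916) with its full ancestry back to the sample. The parent check is deliberately silent when the parent record is missing; in production, log gaps should be treated as a separate signal rather than as clean. Processes legitimately start explorer.exe via ShellExecute, so that rule is a triage lead, not a block-on-sight indicator; the shadow-deletion match is.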

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/916-71-0x0000000000000000-mapping.dmp

  • memory/960-74-0x00000000000E0000-0x000000000010B000-memory.dmp

    Filesize

    172KB

  • memory/960-73-0x00000000000E0000-0x000000000010B000-memory.dmp

    Filesize

    172KB

  • memory/960-70-0x0000000000000000-mapping.dmp

  • memory/1216-62-0x0000000001DD0000-0x0000000001DDC000-memory.dmp

    Filesize

    48KB

  • memory/1216-63-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/1656-68-0x00000000745B1000-0x00000000745B3000-memory.dmp

    Filesize

    8KB

  • memory/1656-65-0x0000000000000000-mapping.dmp

  • memory/1656-69-0x0000000000080000-0x00000000000AB000-memory.dmp

    Filesize

    172KB

  • memory/1984-61-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1984-66-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1984-64-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1984-54-0x0000000075571000-0x0000000075573000-memory.dmp

    Filesize

    8KB

  • memory/1984-57-0x0000000000280000-0x000000000028C000-memory.dmp

    Filesize

    48KB

  • memory/1984-55-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB
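The dump names above encode PID, sequence number and the virtual address range of each region the sandbox captured, and they carry more than the file sizes suggest: a region of exactly 0x2B000 bytes (172 KB) exists in the sample (1984, at its 0x400000 image base), in explorer.exe (1656, at 0x80000) and in svchost.exe (960, at 0xE0000), which is what the WriteProcessMemory and MapViewOfSection signatures would predict. The following is an added example, not part of the report, that parses these names and reports region sizes shared across PIDs and where each copy of a given size sits. The name list is copied from the Downloads section; the regular expressions are assumptions about the naming scheme based only on the entries shown.

```python
import re
from collections import defaultdict

# Dump names as listed in the report's Downloads section.
DUMPS = [
    "memory/916-71-0x0000000000000000-mapping.dmp",
    "memory/960-74-0x00000000000E0000-0x000000000010B000-memory.dmp",
    "memory/960-73-0x00000000000E0000-0x000000000010B000-memory.dmp",
    "memory/960-70-0x0000000000000000-mapping.dmp",
    "memory/1216-62-0x0000000001DD0000-0x0000000001DDC000-memory.dmp",
    "memory/1216-63-0x0000000140000000-0x00000001405E8000-memory.dmp",
    "memory/1656-68-0x00000000745B1000-0x00000000745B3000-memory.dmp",
    "memory/1656-65-0x0000000000000000-mapping.dmp",
    "memory/1656-69-0x0000000000080000-0x00000000000AB000-memory.dmp",
    "memory/1984-61-0x0000000000400000-0x000000000043F000-memory.dmp",
    "memory/1984-66-0x0000000000400000-0x000000000042B000-memory.dmp",
    "memory/1984-64-0x0000000000400000-0x000000000043F000-memory.dmp",
    "memory/1984-54-0x0000000075571000-0x0000000075573000-memory.dmp",
    "memory/1984-57-0x0000000000280000-0x000000000028C000-memory.dmp",
    "memory/1984-55-0x0000000000400000-0x000000000042B000-memory.dmp",
]

# Assumed naming scheme: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp for a
# region dump and memory/<pid>-<seq>-0x<addr>-mapping.dmp for a mapping dump.
REGION = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse(names):
    """Return (pid, seq, start, end) for every region dump; skip mapping dumps."""
    regions = []
    for n in names:
        m = REGION.match(n)
        if m:
            regions.append((int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
        elif not MAPPING.match(n):
            raise ValueError(f"unrecognised dump name: {n}")
    return regions


def shared_sizes(regions):
    """Region size -> sorted PIDs, for sizes captured in more than one process."""
    by_size = defaultdict(set)
    for pid, _, start, end in regions:
        by_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def copies_of(regions, size):
    """Distinct (pid, start) locations of every region of exactly `size` bytes."""
    return sorted({(pid, start) for pid, _, start, end in regions if end - start == size})


def fmt_size(n):
    return f"{n / 1024:.0f}KB" if n < 1024 * 1024 else f"{n / (1024 * 1024):.1f}MB"


if __name__ == "__main__":
    regs = parse(DUMPS)
    for size, pids in sorted(shared_sizes(regs).items()):
        locs = ", ".join(f"{pid}@{start:#x}" for pid, start in copies_of(regs, size))
        print(f"{size:#8x} ({fmt_size(size):>6}) in PIDs {pids}: {locs}")
```

Three sizes recur across processes: 0x2B000 (172 KB) in 1984, 1656 and 960; 0x2000 (8 KB) in 1984 and 1656; and 0xC000 (48 KB) in 1984 and 1216. Matching on size alone is a weak signal, so the location output matters: the 172 KB region sits at the sample's own image base in 1984 and at low, non-image addresses in the two system processes, which is the pattern of a payload written into foreign processes. Confirming it requires comparing the dump contents, which this script does not do. PID 1216 does not appear in the process tree, so the report gives no image name for it.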