Analysis
-
max time kernel
54s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
28-11-2022 12:38
Static task
static1
Behavioral task
behavioral1
Sample
Scan copies of YR2020EXP02-005A.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Scan copies of YR2020EXP02-005A.exe
Resource
win10v2004-20220812-en
General
-
Target
Scan copies of YR2020EXP02-005A.exe
-
Size
985KB
-
MD5
7c997b40e724596134150d838380d8fc
-
SHA1
4f352918c60a77f25b74d3bb48df397e7ad54a66
-
SHA256
79fe46d2be00c4f28ed865d1fec837d8d34d16fdaf74b901d05018dc03e67686
-
SHA512
dce5e073f67d554b4265dfa143074b1dc2887d3629d1800ce329871d593b709eb85f9a596097af3f8dd1f52ffdbecd15a86666ee8d8adc7654854c386a842a80
-
SSDEEP
24576:1+gG7tqzU376CskFg/IyXt9hLJYdNmpmIkrgD968WlG6ZPnEmd+Qu:E7hekoXQmpmIkrgD96lTNnH8Qu
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
Scan copies of YR2020EXP02-005A.exepid process 2036 Scan copies of YR2020EXP02-005A.exe 2036 Scan copies of YR2020EXP02-005A.exe 2036 Scan copies of YR2020EXP02-005A.exe 2036 Scan copies of YR2020EXP02-005A.exe 2036 Scan copies of YR2020EXP02-005A.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Scan copies of YR2020EXP02-005A.exedescription pid process Token: SeDebugPrivilege 2036 Scan copies of YR2020EXP02-005A.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
Scan copies of YR2020EXP02-005A.exedescription pid process target process PID 2036 wrote to memory of 976 2036 Scan copies of YR2020EXP02-005A.exe schtasks.exe PID 2036 wrote to memory of 976 2036 Scan copies of YR2020EXP02-005A.exe schtasks.exe PID 2036 wrote to memory of 976 2036 Scan copies of YR2020EXP02-005A.exe schtasks.exe PID 2036 wrote to memory of 976 2036 Scan copies of YR2020EXP02-005A.exe schtasks.exe PID 2036 wrote to memory of 1484 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1484 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1484 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1484 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1968 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1968 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1968 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1968 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1604 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1604 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1604 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1604 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 952 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 952 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 952 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 952 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1804 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1804 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1804 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe PID 2036 wrote to memory of 1804 2036 Scan copies of YR2020EXP02-005A.exe Scan copies of YR2020EXP02-005A.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe"C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDqcOkt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp281.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe"{path}"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp281.tmpFilesize
1KB
MD5d17a9113b925053c7dfc0c1a6256aa54
SHA1aa9114da1e305bd829e556a5c438aa752c4a4d88
SHA25672bbb8366b414e99b710da73e0155ba8ac7c93a09bc436de65ecd7099e5a827a
SHA5124710e202a5197f4466a01ee1572ba10764a98fa6063a0f6dd9e78339e39c31eefa00674e44486e333b496bccb48aa5059ca6d5d5f4fcc79d1f7d3eb1c2ccd268
-
memory/976-59-0x0000000000000000-mapping.dmp
-
memory/2036-54-0x0000000000340000-0x000000000043C000-memory.dmpFilesize
1008KB
-
memory/2036-55-0x0000000076151000-0x0000000076153000-memory.dmpFilesize
8KB
-
memory/2036-56-0x0000000000320000-0x0000000000332000-memory.dmpFilesize
72KB
-
memory/2036-57-0x00000000058D0000-0x0000000005992000-memory.dmpFilesize
776KB
-
memory/2036-58-0x00000000051C0000-0x000000000523A000-memory.dmpFilesize
488KB