Overview

overview

10

Static

static

Scan copie...5A.exe

windows7-x64

3

Scan copie...5A.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scan copies of YR2020EXP02-005A.exe

  • Size

    985KB

  • MD5

    7c997b40e724596134150d838380d8fc

  • SHA1

    4f352918c60a77f25b74d3bb48df397e7ad54a66

  • SHA256

    79fe46d2be00c4f28ed865d1fec837d8d34d16fdaf74b901d05018dc03e67686

  • SHA512

    dce5e073f67d554b4265dfa143074b1dc2887d3629d1800ce329871d593b709eb85f9a596097af3f8dd1f52ffdbecd15a86666ee8d8adc7654854c386a842a80

  • SSDEEP

    24576:1+gG7tqzU376CskFg/IyXt9hLJYdNmpmIkrgD968WlG6ZPnEmd+Qu:E7hekoXQmpmIkrgD96lTNnH8Qu

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe
    "C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDqcOkt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp281.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:976
    • C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe
      "{path}"
      2⤵
        PID:1484
      • C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe
        "{path}"
        2⤵
          PID:1968
        • C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe
          "{path}"
          2⤵
            PID:1604
          • C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe
            "{path}"
            2⤵
              PID:952
            • C:\Users\Admin\AppData\Local\Temp\Scan copies of YR2020EXP02-005A.exe
              "{path}"
              2⤵
                PID:1804

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp281.tmp
              Filesize

              1KB

              MD5

              d17a9113b925053c7dfc0c1a6256aa54

              SHA1

              aa9114da1e305bd829e556a5c438aa752c4a4d88

              SHA256

              72bbb8366b414e99b710da73e0155ba8ac7c93a09bc436de65ecd7099e5a827a

              SHA512

              4710e202a5197f4466a01ee1572ba10764a98fa6063a0f6dd9e78339e39c31eefa00674e44486e333b496bccb48aa5059ca6d5d5f4fcc79d1f7d3eb1c2ccd268

              Download Submit
            • memory/976-59-0x0000000000000000-mapping.dmp
              Download
            • memory/2036-54-0x0000000000340000-0x000000000043C000-memory.dmp
              Filesize

              1008KB

              Download
            • memory/2036-55-0x0000000076151000-0x0000000076153000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2036-56-0x0000000000320000-0x0000000000332000-memory.dmp
              Filesize

              72KB

              Download
            • memory/2036-57-0x00000000058D0000-0x0000000005992000-memory.dmp
              Filesize

              776KB

              Download
            • memory/2036-58-0x00000000051C0000-0x000000000523A000-memory.dmp
              Filesize

              488KB

              Download