Analysis
- max time kernel: 251s
- max time network: 333s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2022 22:28
Static task: static1
Behavioral task: behavioral1
Sample: fcd6f1cc2f300673b3940b9623f4267f.exe
Resource: win7-20221111-en
General
- Target: fcd6f1cc2f300673b3940b9623f4267f.exe
- Size: 643KB
- MD5: fcd6f1cc2f300673b3940b9623f4267f
- SHA1: d8f8e1b07996ba6d8d3f482c2ab710853ee91f8b
- SHA256: 987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b
- SHA512: d31c8238e17de73f352e6a7bb62449e7de951b6d5a9e3cc7ebb47403c1b22ffa8e504a979f915fa28f25d3bdf6be7471f72d19d57567a86ff79892a77c094c50
- SSDEEP: 12288:dec3pbKbflZUMvkEN2KMK+SknwYDZD5BUUEwcfJZSpH+:d1ZbKbUM7MKJYVEEbp
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                        pid   process                                 target process
  PID 656 wrote to memory of 1976    656   fcd6f1cc2f300673b3940b9623f4267f.exe    powershell.exe
  PID 656 wrote to memory of 1976    656   fcd6f1cc2f300673b3940b9623f4267f.exe    powershell.exe
  PID 656 wrote to memory of 1976    656   fcd6f1cc2f300673b3940b9623f4267f.exe    powershell.exe
  PID 656 wrote to memory of 1976    656   fcd6f1cc2f300673b3940b9623f4267f.exe    powershell.exe
  PID 656 wrote to memory of 1088    656   fcd6f1cc2f300673b3940b9623f4267f.exe    schtasks.exe
  PID 656 wrote to memory of 1088    656   fcd6f1cc2f300673b3940b9623f4267f.exe    schtasks.exe
  PID 656 wrote to memory of 1088    656   fcd6f1cc2f300673b3940b9623f4267f.exe    schtasks.exe
  PID 656 wrote to memory of 1088    656   fcd6f1cc2f300673b3940b9623f4267f.exe    schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fcd6f1cc2f300673b3940b9623f4267f.exe (level 1, PID 656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fcd6f1cc2f300673b3940b9623f4267f.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 1976)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NdTjnguQflTNNq.exe"
  - C:\Windows\SysWOW64\schtasks.exe (level 2, PID 1088)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NdTjnguQflTNNq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp82A8.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp82A8.tmp
  Filesize: 1KB
  MD5: edb3e309e397be0cbcabcaabe2d27fd3
  SHA1: f017b40de5560247fe2d200be80614d211fbc1df
  SHA256: a56278f5ff13d429c1b98318d68ba03046da9e1f71817bb0f57495b4a0859de1
  SHA512: 99ecfc4f34f1719b939ed5a2c45bdbf57406847558a9d25e656e583e51e607ae6bec75c04181d03b5f2af29f11791ddff1f4e3eea714094a78446c369f8e4f5f
- memory/656-54-0x0000000000110000-0x00000000001B6000-memory.dmp
  Filesize: 664KB
- memory/656-55-0x00000000753F1000-0x00000000753F3000-memory.dmp
  Filesize: 8KB
- memory/656-56-0x00000000005B0000-0x00000000005C6000-memory.dmp
  Filesize: 88KB
- memory/656-57-0x00000000005C0000-0x00000000005CE000-memory.dmp
  Filesize: 56KB
- memory/656-58-0x0000000007D20000-0x0000000007D90000-memory.dmp
  Filesize: 448KB
- memory/1088-60-0x0000000000000000-mapping.dmp
- memory/1976-59-0x0000000000000000-mapping.dmp
- memory/1976-63-0x000000006E3C0000-0x000000006E96B000-memory.dmp
  Filesize: 5.7MB
- memory/1976-64-0x000000006E3C0000-0x000000006E96B000-memory.dmp
  Filesize: 5.7MB