Analysis
- max time kernel: 3s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 01/12/2022, 10:47
Static task: static1
Behavioral task: behavioral1
  Sample: 976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe
  Resource: win10v2004-20220812-en
General
- Target: 976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe
- Size: 4.2MB
- MD5: 1f06e8241b23ea4b8d201fe24a226297
- SHA1: 3af0e57f43026a9a06e55f5c8ab8f57028179b21
- SHA256: 976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92
- SHA512: 29639a9e66217f3afc71e89b61d5a1fbaa77a5abb85dd45402e4fcf46a5aec2b47c531b67698fc7274ecb111b4d27452bdace90892674a0a8f11f3b28133b280
- SSDEEP: 98304:fziRRJruXmuiaT5a45SOmnL0YH/f5jsKZo4ZvygUT/yqlm6+:Li5rMT5ahnLRVsAo4ZvyZTjK
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 1228 wrote to memory of 2028   1228  976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe  28
  PID 1228 wrote to memory of 2028   1228  976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe  28
  PID 1228 wrote to memory of 2028   1228  976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe  28
  PID 1228 wrote to memory of 2028   1228  976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe  28
  PID 1228 wrote to memory of 2028   1228  976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe  28
  PID 1228 wrote to memory of 2028   1228  976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe  28
  PID 1228 wrote to memory of 2028   1228  976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe  28
  PID 2028 wrote to memory of 628    2028  Net.exe                                                                   30
  PID 2028 wrote to memory of 628    2028  Net.exe                                                                   30
  PID 2028 wrote to memory of 628    2028  Net.exe                                                                   30
  PID 2028 wrote to memory of 628    2028  Net.exe                                                                   30
  PID 2028 wrote to memory of 628    2028  Net.exe                                                                   30
  PID 2028 wrote to memory of 628    2028  Net.exe                                                                   30
  PID 2028 wrote to memory of 628    2028  Net.exe                                                                   30
Processes
- C:\Users\Admin\AppData\Local\Temp\976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\976e6989b44bde89090de604cb856128b158a83eddbdcf34115c0b3e68be0c92.exe"
  Depth: 1
  PID: 1228
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Net.exe
    Command line: Net Stop PcaSvc
    Depth: 2
    PID: 2028
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 Stop PcaSvc
      Depth: 3
      PID: 628