c21b4eb23258262e9effc08936edf4422c2c5a1affb42985a80409654c7d07b0

Analysis

max time kernel
105s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA.exe
Size

978KB
MD5

98603949f815efdfd979a49b6429f833
SHA1

3f7e76bedd0d44a913793a1e70dae3d9e782f211
SHA256

c21b4eb23258262e9effc08936edf4422c2c5a1affb42985a80409654c7d07b0
SHA512

85da4250d39c2f844fee49a8633a9eb641ac0f76f35f546ed0c6032a43ccf658228f130bca3b11a314e81de6cc0f1efe047a48cc6f5f49220017b699637f91e9
SSDEEP

24576:/MH5lP8dmZWHeURvTW6GjJQ5B8pnzTOcO:kH5lgeURiJDZvz

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1956	SOA.exe
1956	SOA.exe
1956	SOA.exe
1956	SOA.exe
1956	SOA.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	SOA.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1168	1956	SOA.exe	28
PID 1956 wrote to memory of 1168	1956	SOA.exe	28
PID 1956 wrote to memory of 1168	1956	SOA.exe	28
PID 1956 wrote to memory of 1168	1956	SOA.exe	28
PID 1956 wrote to memory of 696	1956	SOA.exe	30
PID 1956 wrote to memory of 696	1956	SOA.exe	30
PID 1956 wrote to memory of 696	1956	SOA.exe	30
PID 1956 wrote to memory of 696	1956	SOA.exe	30
PID 1956 wrote to memory of 1196	1956	SOA.exe	32
PID 1956 wrote to memory of 1196	1956	SOA.exe	32
PID 1956 wrote to memory of 1196	1956	SOA.exe	32
PID 1956 wrote to memory of 1196	1956	SOA.exe	32
PID 1956 wrote to memory of 1776	1956	SOA.exe	31
PID 1956 wrote to memory of 1776	1956	SOA.exe	31
PID 1956 wrote to memory of 1776	1956	SOA.exe	31
PID 1956 wrote to memory of 1776	1956	SOA.exe	31
PID 1956 wrote to memory of 1740	1956	SOA.exe	33
PID 1956 wrote to memory of 1740	1956	SOA.exe	33
PID 1956 wrote to memory of 1740	1956	SOA.exe	33
PID 1956 wrote to memory of 1740	1956	SOA.exe	33
PID 1956 wrote to memory of 1544	1956	SOA.exe	34
PID 1956 wrote to memory of 1544	1956	SOA.exe	34
PID 1956 wrote to memory of 1544	1956	SOA.exe	34
PID 1956 wrote to memory of 1544	1956	SOA.exe	34

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vJhKYOTGXvYQr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA287.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\SOA.exe
  "{path}"
  2⤵
  PID:696
- C:\Users\Admin\AppData\Local\Temp\SOA.exe
  "{path}"
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\SOA.exe
  "{path}"
  2⤵
  PID:1196
- C:\Users\Admin\AppData\Local\Temp\SOA.exe
  "{path}"
  2⤵
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\SOA.exe
  "{path}"
  2⤵
  PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA287.tmp

Filesize
1KB

MD5
2702166a68bbf89e72a11b3872e08313

SHA1
347080bfe72a90b47880eda3e8b91862ab159da5

SHA256
fccc69d9ee6ac390c0f45f4f61a3e98a0946c0c5b2979dc155f1b4f0d1b6327f

SHA512
2cba50a75b157599b18d08ecae067862da19c35c6581136d4cdc651c013243a251b74f09feabd8e75509d407128d67441ffdf9a93aedba16c71ee04a2fe1aa3c

Download Submit
memory/1168-59-0x0000000000000000-mapping.dmp

Download
memory/1956-54-0x00000000003D0000-0x00000000004CA000-memory.dmp

Filesize
1000KB

Download
memory/1956-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1956-56-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/1956-57-0x0000000005BA0000-0x0000000005C24000-memory.dmp

Filesize
528KB

Download
memory/1956-58-0x0000000005B00000-0x0000000005B3C000-memory.dmp

Filesize
240KB

Download