Analysis
- max time kernel: 40s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2022 22:25
Static task
- static1
Behavioral task
- behavioral1
  Sample: 8319f1cccd788a06bc2a257d74f1acf0dc9ce73be05eec08e2a6c7d82b064504.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: 8319f1cccd788a06bc2a257d74f1acf0dc9ce73be05eec08e2a6c7d82b064504.exe
  Resource: win10v2004-20221111-en
General
- Target: 8319f1cccd788a06bc2a257d74f1acf0dc9ce73be05eec08e2a6c7d82b064504.exe
- Size: 126KB
- MD5: 55744607f808fd894acfc5a5f1df1aa1
- SHA1: bb7e62503a6f7512ff2651ebc67836f76b4cc5d8
- SHA256: 8319f1cccd788a06bc2a257d74f1acf0dc9ce73be05eec08e2a6c7d82b064504
- SHA512: 784e912c5cf84ff3a5bad9026de4ada1bb27399e597a0ab24fb69f5dd019bcab00b7a9ec0199f00c6893ad83c6f605d2b5a402b918b9e78c87ee716cbdf0fb87
- SSDEEP: 3072:1d9xR3G2BZMbBLBaYw0coLujNH1HVbaXh1S6/:1d93ZBZMbqYgomH11axP/
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 1488 wrote to memory of 1968 | pid: 1488 | Process: 8319f1cccd788a06bc2a257d74f1acf0dc9ce73be05eec08e2a6c7d82b064504.exe | procid_target: 26
  description: PID 1488 wrote to memory of 1968 | pid: 1488 | Process: 8319f1cccd788a06bc2a257d74f1acf0dc9ce73be05eec08e2a6c7d82b064504.exe | procid_target: 26
  description: PID 1488 wrote to memory of 1968 | pid: 1488 | Process: 8319f1cccd788a06bc2a257d74f1acf0dc9ce73be05eec08e2a6c7d82b064504.exe | procid_target: 26
  description: PID 1488 wrote to memory of 1968 | pid: 1488 | Process: 8319f1cccd788a06bc2a257d74f1acf0dc9ce73be05eec08e2a6c7d82b064504.exe | procid_target: 26
  description: PID 1488 wrote to memory of 1968 | pid: 1488 | Process: 8319f1cccd788a06bc2a257d74f1acf0dc9ce73be05eec08e2a6c7d82b064504.exe | procid_target: 26
  description: PID 1488 wrote to memory of 1968 | pid: 1488 | Process: 8319f1cccd788a06bc2a257d74f1acf0dc9ce73be05eec08e2a6c7d82b064504.exe | procid_target: 26
  description: PID 1488 wrote to memory of 1968 | pid: 1488 | Process: 8319f1cccd788a06bc2a257d74f1acf0dc9ce73be05eec08e2a6c7d82b064504.exe | procid_target: 26
Processes
- C:\Users\Admin\AppData\Local\Temp\8319f1cccd788a06bc2a257d74f1acf0dc9ce73be05eec08e2a6c7d82b064504.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8319f1cccd788a06bc2a257d74f1acf0dc9ce73be05eec08e2a6c7d82b064504.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1488
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\AntiWPA3.cmd" "
    PID: 1968
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3KB
  MD5: 89580a85fdc0ef1ff90e7ee55a27bc0e
  SHA1: ab0569ba7de81206df6e21a0db1d8fba210bcccb
  SHA256: f4cd4297ce5b34756d2062f1d6cab9a6f52011cf98bc08018168b00deb916742
  SHA512: 5fab135303b55e9d06f7273dc852eb78da0340359cd21a9c75f83f3837654b7e23ef415c1bd46be596e46b18343dcca68a674d219a1c204360c6424a609f2a49