Analysis
max time kernel: 151s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02/12/2022, 21:16
Static task: static1
Behavioral task: behavioral1
  Sample: c47268124010ae73b01d75392d8323479fa1cfccc9d7a1f85e6435ba8a8243b2.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c47268124010ae73b01d75392d8323479fa1cfccc9d7a1f85e6435ba8a8243b2.exe
  Resource: win10v2004-20221111-en
General
Target: c47268124010ae73b01d75392d8323479fa1cfccc9d7a1f85e6435ba8a8243b2.exe
Size: 484KB
MD5: 483d3507611fef4ead4182287ce40f7a
SHA1: 9a2f5cd74418c2ec208b6bac6a4f35dcf644f742
SHA256: c47268124010ae73b01d75392d8323479fa1cfccc9d7a1f85e6435ba8a8243b2
SHA512: 0f82df768c955d7eb233e750df9f942216a803f33ff8686975fb2e142aef0b35feb1e50fc4802101b02969f5bd267e1da9be3ea05d63f863d166e47a423cd5ea
SSDEEP: 12288:BIZGjfj9cXsF/lnXR8VSRsja7zHIW7hqsMw:qZGjb9pvXR8YOjaPT7hqT
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  980   pgnew.exe

Deletes itself (1 IoC)
  pid   Process
  900   cmd.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  900   cmd.exe
  900   cmd.exe
  980   pgnew.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description   ioc                                                                                                              Process
  Key created   \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce   c47268124010ae73b01d75392d8323479fa1cfccc9d7a1f85e6435ba8a8243b2.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
  pid   Process
  996   taskkill.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid    Process
  1136   PING.EXE

Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid   Process
  980   pgnew.exe   (30 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   996   taskkill.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   Process
  980   pgnew.exe   (4 identical entries)

Suspicious use of SendNotifyMessage (4 IoCs)
  pid   Process
  980   pgnew.exe   (4 identical entries)

Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 832 wrote to memory of 900    832   c47268124010ae73b01d75392d8323479fa1cfccc9d7a1f85e6435ba8a8243b2.exe   28   (4 identical entries)
  PID 900 wrote to memory of 996    900   cmd.exe                                                                 30   (4 identical entries)
  PID 900 wrote to memory of 1136   900   cmd.exe                                                                 32   (4 identical entries)
  PID 900 wrote to memory of 980    900   cmd.exe                                                                 33   (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\c47268124010ae73b01d75392d8323479fa1cfccc9d7a1f85e6435ba8a8243b2.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c47268124010ae73b01d75392d8323479fa1cfccc9d7a1f85e6435ba8a8243b2.exe"
  PID: 832
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 832 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\c47268124010ae73b01d75392d8323479fa1cfccc9d7a1f85e6435ba8a8243b2.exe" & start C:\Users\Admin\AppData\Local\pgnew.exe -f
    PID: 900
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe  (depth 3)
      Command line: taskkill /f /pid 832
      PID: 996
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\PING.EXE  (depth 3)
      Command line: ping -n 3 127.1
      PID: 1136
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\pgnew.exe  (depth 3)
      Command line: C:\Users\Admin\AppData\Local\pgnew.exe -f
      PID: 980
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
(5 identical entries)
Filesize: 484KB
MD5: 483d3507611fef4ead4182287ce40f7a
SHA1: 9a2f5cd74418c2ec208b6bac6a4f35dcf644f742
SHA256: c47268124010ae73b01d75392d8323479fa1cfccc9d7a1f85e6435ba8a8243b2
SHA512: 0f82df768c955d7eb233e750df9f942216a803f33ff8686975fb2e142aef0b35feb1e50fc4802101b02969f5bd267e1da9be3ea05d63f863d166e47a423cd5ea