Analysis

max time kernel: 167s
max time network: 227s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 04/12/2022, 07:10
Static task: static1

Behavioral task: behavioral1
Sample: bbdde3d39a4ab94795578be54e1e499fa50777ef6ef41831494ffab26a331ab8.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: bbdde3d39a4ab94795578be54e1e499fa50777ef6ef41831494ffab26a331ab8.exe
Resource: win10v2004-20220812-en
General

Target: bbdde3d39a4ab94795578be54e1e499fa50777ef6ef41831494ffab26a331ab8.exe
Size: 381KB
MD5: 5e536be0b235d4857d45b2924dc51a25
SHA1: 6370d9c049c457baa9614744d5cd1d713d7a5ae4
SHA256: bbdde3d39a4ab94795578be54e1e499fa50777ef6ef41831494ffab26a331ab8
SHA512: 0026cbd10f803b1dd1c56087c9ea7824774a9254a1f94f0075dab6b265fde657c1b9c2c7587a9121f99b2c81973f6455e0eb59d6dcf62b6aacf9108966841fae
SSDEEP: 6144:v3KwV9fguO+AHqTy34CL7eaiXSQ58x6wdPZE9pR3mOyUXybjvkc1BAiL0zuvY:H/OPqTy34CtiXSQahPWPR3mDJf11BA0D
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 1512  634735.exe

Deletes itself (1 IoC)
  pid 1064  cmd.exe

Loads dropped DLL (4 IoCs)
  pid 1064  cmd.exe
  pid 1064  cmd.exe
  pid 1512  634735.exe
  pid 1512  634735.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Process: bbdde3d39a4ab94795578be54e1e499fa50777ef6ef41831494ffab26a331ab8.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
  pid 884  taskkill.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid 1464  PING.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 884  taskkill.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 1512  634735.exe  (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
  pid 1512  634735.exe  (4 entries)

Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1372 wrote to memory of 1064  process bbdde3d39a4ab94795578be54e1e499fa50777ef6ef41831494ffab26a331ab8.exe  procid_target 28  (4 entries)
  PID 1064 wrote to memory of 884   process cmd.exe  procid_target 30  (4 entries)
  PID 1064 wrote to memory of 1464  process cmd.exe  procid_target 32  (4 entries)
  PID 1064 wrote to memory of 1512  process cmd.exe  procid_target 33  (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\bbdde3d39a4ab94795578be54e1e499fa50777ef6ef41831494ffab26a331ab8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbdde3d39a4ab94795578be54e1e499fa50777ef6ef41831494ffab26a331ab8.exe"
  PID: 1372
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1372 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\bbdde3d39a4ab94795578be54e1e499fa50777ef6ef41831494ffab26a331ab8.exe" & start C:\Users\Admin\AppData\Local\634735.exe -f
    PID: 1064
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /pid 1372
      PID: 884
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 3 127.1
      PID: 1464
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\634735.exe
      Command line: C:\Users\Admin\AppData\Local\634735.exe -f
      PID: 1512
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 381KB
MD5: 5e536be0b235d4857d45b2924dc51a25
SHA1: 6370d9c049c457baa9614744d5cd1d713d7a5ae4
SHA256: bbdde3d39a4ab94795578be54e1e499fa50777ef6ef41831494ffab26a331ab8
SHA512: 0026cbd10f803b1dd1c56087c9ea7824774a9254a1f94f0075dab6b265fde657c1b9c2c7587a9121f99b2c81973f6455e0eb59d6dcf62b6aacf9108966841fae