Analysis
max time kernel: 151s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2022, 17:46
Static task: static1
Behavioral task: behavioral1
Sample: 6af63de4b9416803436d3da4eee02f46e03aeeea99052f652f99837442fdf0d1.exe
Resource: win7-20221111-en
General
Target: 6af63de4b9416803436d3da4eee02f46e03aeeea99052f652f99837442fdf0d1.exe
Size: 1.3MB
MD5: 9fe9bb67006647968587eacfbb2e1e3e
SHA1: 20be04497ebf655a659a45351b389ff1a20fc449
SHA256: 6af63de4b9416803436d3da4eee02f46e03aeeea99052f652f99837442fdf0d1
SHA512: 9d49982357396acbc5892bb9e5188b7e4f4b1501f3466be78a5fbf7994afc74f356eb82df96f1f92a86cf9ddb5cdbdeb41ee7e319eccf0648ff1689bba6c447f
SSDEEP: 24576:xjqAiVsGgwSxFtBWx9KKE0hyPKbDOw/yvqtygC1M8LKgez0r8w:x2Ai+GgXx30xgE4KbDXmqaM8bW0r8w
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid 1972: ~GM9E53.exe
YARA rule matches (resource: yara_rule)
behavioral1/files/0x000900000001314f-55.dat: upx
behavioral1/files/0x000900000001314f-57.dat: upx
behavioral1/files/0x000900000001314f-59.dat: upx
behavioral1/memory/1972-61-0x0000000000400000-0x00000000004F2000-memory.dmp: upx
behavioral1/memory/1972-62-0x0000000000400000-0x00000000004F2000-memory.dmp: upx
Loads dropped DLL (1 IoC)
pid 1712: 6af63de4b9416803436d3da4eee02f46e03aeeea99052f652f99837442fdf0d1.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by ~GM9E53.exe, in order of occurrence: \??\q:, \??\r:, \??\b:, \??\e:, \??\f:, \??\h:, \??\i:, \??\n:, \??\z:, \??\v:, \??\x:, \??\a:, \??\k:, \??\l:, \??\o:, \??\p:, \??\u:, \??\y:, \??\j:, \??\w:, \??\g:, \??\m:, \??\s:, \??\t:
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
behavioral1/memory/1972-61-0x0000000000400000-0x00000000004F2000-memory.dmp: autoit_exe
behavioral1/memory/1972-62-0x0000000000400000-0x00000000004F2000-memory.dmp: autoit_exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 1972: ~GM9E53.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, pid 1712: 6af63de4b9416803436d3da4eee02f46e03aeeea99052f652f99837442fdf0d1.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid 1972: ~GM9E53.exe (64 identical entries)
Suspicious use of SendNotifyMessage (64 IoCs)
pid 1972: ~GM9E53.exe (64 identical entries)
Suspicious use of WriteProcessMemory (4 IoCs)
PID 1712 (6af63de4b9416803436d3da4eee02f46e03aeeea99052f652f99837442fdf0d1.exe) wrote to memory of PID 1972, procid_target 28 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6af63de4b9416803436d3da4eee02f46e03aeeea99052f652f99837442fdf0d1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6af63de4b9416803436d3da4eee02f46e03aeeea99052f652f99837442fdf0d1.exe"
   PID: 1712
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\~GM9E53.exe (child of PID 1712)
      Command line: "C:\Users\Admin\AppData\Local\Temp\~GM9E53.exe"
      PID: 1972
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 930KB
MD5: 3f9112ce0d6128cff60ae9fe5b01d5c2
SHA1: fc7ab62544faef75ace0a05a3e8f0e28935286d6
SHA256: cb14c771ff4270cc8be89ce012c5ea118d5b162afc1112c0d58b058db79b36c8
SHA512: 730805209cb0b56b9c025f9b024f01d4644072a3516ac3c4535ce3d004ffbcf6bea5a9960a338203d793efab000c34beae080fcaac14a25520ca089f4f4fa268