Analysis

  • max time kernel
    175s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2022, 19:18

General

  • Target

    b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe

  • Size

    380KB

  • MD5

    cf1812d681e04ce29fb722887554418d

  • SHA1

    18c2fd6b5f04ec343e6266a905651b34e0898eaa

  • SHA256

    b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e

  • SHA512

    6f023666c8473ca19a200680ae9b43f4c219c67c2035e90a9a746c8607c75b54d42388aa9bb9f3fd9066e2979661d8cf035a0584611c99c8bb42433c92859372

  • SSDEEP

    6144:rM2v/JT0N5hwEtS1Wtrpub1V/8oA9sJlZfiUTP/pAClP0pAivpmU0ovY:bJMhwEtS1SY1V/wmTZqUTPm3bvpx0o

Malware Config

Signatures

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe
    "C:\Users\Admin\AppData\Local\Temp\b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe"
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2896

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2896-132-0x0000000000400000-0x00000000004AC000-memory.dmp

    Filesize

    688KB