Analysis
-
max time kernel
175s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
06/12/2022, 19:18
Static task
static1
Behavioral task
behavioral1
Sample
b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe
Resource
win10v2004-20221111-en
General
-
Target
b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe
-
Size
380KB
-
MD5
cf1812d681e04ce29fb722887554418d
-
SHA1
18c2fd6b5f04ec343e6266a905651b34e0898eaa
-
SHA256
b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e
-
SHA512
6f023666c8473ca19a200680ae9b43f4c219c67c2035e90a9a746c8607c75b54d42388aa9bb9f3fd9066e2979661d8cf035a0584611c99c8bb42433c92859372
-
SSDEEP
6144:rM2v/JT0N5hwEtS1Wtrpub1V/8oA9sJlZfiUTP/pAClP0pAivpmU0ovY:bJMhwEtS1SY1V/wmTZqUTPm3bvpx0o
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e Agent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe" b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 2896 b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe Token: SeIncBasePriorityPrivilege 2896 b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2896 b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2896 b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2896 b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe"C:\Users\Admin\AppData\Local\Temp\b5ce5ba34ef0c7eca1b85c0d7396e19631d50f94db1957b807cfd4a02a05354e.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2896