Analysis
- max time kernel: 49s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2022, 13:15
Behavioral task: behavioral1
- Sample: f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe
- Resource: win10v2004-20221111-en
General
- Target: f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe
- Size: 251KB
- MD5: 25b11ce189d36095c214ec12fd1c4e78
- SHA1: fb194c5a31b57b4fda3ca58145636be85e5f5172
- SHA256: f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3
- SHA512: 0be17810ddbcfad5eddc5086962a8ee44451fc8c20035dbc1660e2339cdcc29ad65701b1538fa32f25eb5be7e68f4a3235cda4c80c21d8ca165eed49cda465da
- SSDEEP: 6144:ByX9Id6xvIhgsQkhTSTou+e0+WMf97z8IAO0TJTbw:ByX86xvIhgZkhTcJbebw
Malware Config

Signatures
- Deletes itself (1 IoCs)
  pid   Process
  1716  cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  pid   Process
  1736  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1736  taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 1364 wrote to memory of 1716   1364  f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe  28
  PID 1364 wrote to memory of 1716   1364  f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe  28
  PID 1364 wrote to memory of 1716   1364  f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe  28
  PID 1364 wrote to memory of 1716   1364  f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe  28
  PID 1716 wrote to memory of 1736   1716  cmd.exe                                                                   30
  PID 1716 wrote to memory of 1736   1716  cmd.exe                                                                   30
  PID 1716 wrote to memory of 1736   1716  cmd.exe                                                                   30
  PID 1716 wrote to memory of 1736   1716  cmd.exe                                                                   30
Processes
- C:\Users\Admin\AppData\Local\Temp\f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe"
  PID: 1364
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe" & exit
    PID: 1716
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe" /f
      PID: 1736
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken