Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/01/2023, 07:41

General

  • Target

    0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe

  • Size

    2.0MB

  • MD5

    a1ef07a2b47cd13ec724585a65a0054f

  • SHA1

    aea02fd36e9951ef5c30ed91151f6edb3b7520e0

  • SHA256

    0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549

  • SHA512

    a3941f85e28a0ce48246ef5211afc147b3f552b1108eb7416d532f517a79f4e81f8b7dfceea70032582fa76afb3acd7f1a49ccefc9ab9a2b27b3fdabb01690eb

  • SSDEEP

    49152:29M4dWzbZTOJDoWTV5+gBzqpUp3D50c9mcPNa1v:2q4dYZTARTf+gB2pUp3DnlMv

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken (16 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
    "C:\Users\Admin\AppData\Local\Temp\0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4500
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c set
      2⤵
        PID:4232
      • C:\Users\Admin\AppData\Local\Temp\~7837897172764831759~\sg.tmp
        7zG_exe x "C:\Users\Admin\AppData\Local\Temp\0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~7111226896324501815"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3052
      • C:\Users\Admin\AppData\Local\Temp\~7111226896324501815\loader.exe
        "C:\Users\Admin\AppData\Local\Temp\~7111226896324501815\loader.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4416

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~7111226896324501815\app.bin

      Filesize

      517KB

      MD5

      632db56ddfc587812da2cb482ab430c6

      SHA1

      00ef4c88ce9c920998885c98f1d636b241389531

      SHA256

      94c93329954c37a0cb402c733bd24b8057837fa98d5361bfc0d54536490f3c46

      SHA512

      a1c712bf7ffc4065ae5bf6a1471c116d86590ae4a08999e23020c42b9e781065882a8ced24f78be9a5fcd2080fa873c52ec1e92d9057b631554b5bbd8e3b3705

    • C:\Users\Admin\AppData\Local\Temp\~7111226896324501815\loader.exe

      Filesize

      1.5MB

      MD5

      3f9c08c6ac811c44e9342ad3df4d2948

      SHA1

      b05e04558d24251c0e3a34fc022e4121d276543b

      SHA256

      026af6d40ae1d1bb5a948180d0d45c691abe8d5b8165f744586af8ae4d9d774b

      SHA512

      cc8e4e21e4213e8c616b37b03711ac22c0ef17d2c666f8ff1429f0936eb486d5c14c73d6ea2bf6d4240bf65823e4ab99db1a5f6f3ab500ba435db9880efc7072

    • C:\Users\Admin\AppData\Local\Temp\~7837897172764831759~\sg.tmp

      Filesize

      715KB

      MD5

      7c4718943bd3f66ebdb47ccca72c7b1e

      SHA1

      f9edfaa7adb8fa528b2e61b2b251f18da10a6969

      SHA256

      4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

      SHA512

      e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

    • memory/4416-140-0x0000011225600000-0x0000011225682000-memory.dmp

      Filesize

      520KB

    • memory/4416-141-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

      Filesize

      10.8MB

    • memory/4416-142-0x000001127FEF0000-0x000001127FF40000-memory.dmp

      Filesize

      320KB

    • memory/4416-143-0x0000011280000000-0x00000112800B2000-memory.dmp

      Filesize

      712KB

    • memory/4416-145-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

      Filesize

      10.8MB

    • memory/4500-132-0x0000000000400000-0x0000000000563000-memory.dmp

      Filesize

      1.4MB

    • memory/4500-144-0x0000000000400000-0x0000000000563000-memory.dmp

      Filesize

      1.4MB