Analysis
Max time kernel: 139s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06/01/2023, 07:41
Static task: static1
Behavioral task: behavioral1
  Sample: 0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Resource: win10v2004-20220812-en
General
Target: 0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
Size: 2.0MB
MD5: a1ef07a2b47cd13ec724585a65a0054f
SHA1: aea02fd36e9951ef5c30ed91151f6edb3b7520e0
SHA256: 0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549
SHA512: a3941f85e28a0ce48246ef5211afc147b3f552b1108eb7416d532f517a79f4e81f8b7dfceea70032582fa76afb3acd7f1a49ccefc9ab9a2b27b3fdabb01690eb
SSDEEP: 49152:29M4dWzbZTOJDoWTV5+gBzqpUp3D50c9mcPNa1v:2q4dYZTARTf+gB2pUp3DnlMv
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  3052  sg.tmp
  4416  loader.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description                        pid   Process
  Token: SeBackupPrivilege           4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Token: SeRestorePrivilege          4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Token: 33                          4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Token: SeIncBasePriorityPrivilege  4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Token: SeCreateGlobalPrivilege     4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Token: 33                          4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Token: SeIncBasePriorityPrivilege  4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Token: 33                          4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Token: SeIncBasePriorityPrivilege  4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Token: SeRestorePrivilege          3052  sg.tmp
  Token: 35                          3052  sg.tmp
  Token: SeSecurityPrivilege         3052  sg.tmp
  Token: SeSecurityPrivilege         3052  sg.tmp
  Token: 33                          4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Token: SeIncBasePriorityPrivilege  4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Token: SeDebugPrivilege            4416  loader.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  4416  loader.exe
- Suspicious use of SendNotifyMessage (1 IoCs)
  pid   Process
  4416  loader.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                         pid   Process                                                                 procid_target
  PID 4500 wrote to memory of 4232    4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  80
  PID 4500 wrote to memory of 4232    4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  80
  PID 4500 wrote to memory of 3052    4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  82
  PID 4500 wrote to memory of 3052    4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  82
  PID 4500 wrote to memory of 3052    4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  82
  PID 4500 wrote to memory of 4416    4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  84
  PID 4500 wrote to memory of 4416    4500  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  84
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4500
  - [2] C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c set
    PID: 4232
  - [2] C:\Users\Admin\AppData\Local\Temp\~7837897172764831759~\sg.tmp
    Command line: 7zG_exe x "C:\Users\Admin\AppData\Local\Temp\0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~7111226896324501815"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3052
  - [2] C:\Users\Admin\AppData\Local\Temp\~7111226896324501815\loader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\~7111226896324501815\loader.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4416
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 517KB
  MD5: 632db56ddfc587812da2cb482ab430c6
  SHA1: 00ef4c88ce9c920998885c98f1d636b241389531
  SHA256: 94c93329954c37a0cb402c733bd24b8057837fa98d5361bfc0d54536490f3c46
  SHA512: a1c712bf7ffc4065ae5bf6a1471c116d86590ae4a08999e23020c42b9e781065882a8ced24f78be9a5fcd2080fa873c52ec1e92d9057b631554b5bbd8e3b3705
- Filesize: 1.5MB
  MD5: 3f9c08c6ac811c44e9342ad3df4d2948
  SHA1: b05e04558d24251c0e3a34fc022e4121d276543b
  SHA256: 026af6d40ae1d1bb5a948180d0d45c691abe8d5b8165f744586af8ae4d9d774b
  SHA512: cc8e4e21e4213e8c616b37b03711ac22c0ef17d2c666f8ff1429f0936eb486d5c14c73d6ea2bf6d4240bf65823e4ab99db1a5f6f3ab500ba435db9880efc7072
- Filesize: 1.5MB
  MD5: 3f9c08c6ac811c44e9342ad3df4d2948
  SHA1: b05e04558d24251c0e3a34fc022e4121d276543b
  SHA256: 026af6d40ae1d1bb5a948180d0d45c691abe8d5b8165f744586af8ae4d9d774b
  SHA512: cc8e4e21e4213e8c616b37b03711ac22c0ef17d2c666f8ff1429f0936eb486d5c14c73d6ea2bf6d4240bf65823e4ab99db1a5f6f3ab500ba435db9880efc7072
- Filesize: 715KB
  MD5: 7c4718943bd3f66ebdb47ccca72c7b1e
  SHA1: f9edfaa7adb8fa528b2e61b2b251f18da10a6969
  SHA256: 4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc
  SHA512: e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516