Analysis
- max time kernel: 142s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 13-01-2023 07:41
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 364KB
- MD5: 857213733ec87a3449d87551b4e9b480
- SHA1: 50dcee9476d0a277e6594855bc2bd9d346eec34b
- SHA256: e6f1142d31761fb10385b5f535aeebc3e0deaf71bf231fe8bb6925eb25b41759
- SHA512: e0982c4a84bee1bbe446e082495d956e4d13d62e4b10661488a89c266ef76c14497801a2966c05fb248bb99a5c97ed474939c53a83e3dc8de6a876e755a7c9e9
- SSDEEP: 6144:kuGLs+bLo1Kd52UDsvg19UK7z+BsptYXX/ASf8JyI98vuZzxEmXCgyG:kuGw+bLEOsv+9tqsnYH/hfCKmZznS
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid   Process
  1996  svcupdater.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  1996  svcupdater.exe
  1996  svcupdater.exe
  1996  svcupdater.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  824   schtasks.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                         pid   Process      procid_target
  PID 752 wrote to memory of 824      752   file.exe     27
  PID 752 wrote to memory of 824      752   file.exe     27
  PID 752 wrote to memory of 824      752   file.exe     27
  PID 752 wrote to memory of 824      752   file.exe     27
  PID 2044 wrote to memory of 1996    2044  taskeng.exe  30
  PID 2044 wrote to memory of 1996    2044  taskeng.exe  30
  PID 2044 wrote to memory of 1996    2044  taskeng.exe  30
  PID 2044 wrote to memory of 1996    2044  taskeng.exe  30
  PID 2044 wrote to memory of 1996    2044  taskeng.exe  30
  PID 2044 wrote to memory of 1996    2044  taskeng.exe  30
  PID 2044 wrote to memory of 1996    2044  taskeng.exe  30
Processes
1. Image: C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Suspicious use of WriteProcessMemory
   PID: 752
   2. Image: C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      - Creates scheduled task(s)
      PID: 824
1. Image: C:\Windows\system32\taskeng.exe
   Command line: taskeng.exe {0EECDE02-71B7-4572-9714-591760F9AA0C} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
   - Suspicious use of WriteProcessMemory
   PID: 2044
   2. Image: C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      Command line: C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 1996
Network
MITRE ATT&CK Enterprise v6
Downloads