Analysis
- max time kernel: 28s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-01-2023 16:51
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: INV_Scan_Jan.lnk, win7-20221111-en
- behavioral2: INV_Scan_Jan.lnk, win10v2004-20220812-en
- behavioral3: Requirements.lnk, win7-20221111-en
- behavioral4: Requirements.lnk, win10v2004-20220812-en
- behavioral5: hublamjogk/bowsaptoyU.cmd, win7-20220812-en
- behavioral6: hublamjogk/bowsaptoyU.cmd, win10v2004-20221111-en
- behavioral7: hublamjogk/skysurfing.dll, win7-20221111-en
- behavioral8: hublamjogk/skysurfing.dll, win10v2004-20220901-en
- behavioral9: projectt.py, win7-20220812-en
- behavioral10: projectt.py, win10v2004-20221111-en
- behavioral11: python.exe, win7-20220812-en
- behavioral12: python.exe, win10v2004-20220812-en
- behavioral13: pythonw.exe, win7-20221111-en
- behavioral14: pythonw.exe, win10v2004-20221111-en
General
- Target: Requirements.lnk
- Size: 1KB
- MD5: 2157d05171e0a32c30a8c8350d25335a
- SHA1: 3af6b7bcd388b88d71ae09789b18a7a01e23b14b
- SHA256: 6e37e051433faa97a381fc8d8a51e8d0a5384d2fc7abc3dcf727d036bc196a74
- SHA512: 80585b023390d8adbb199e054cc1bfbf82b59c68965b1549f95ae45f33eb1b7f22fa448ff9ed134d6fb04d965216f4a884ed63a6bdbe743c7f5e5233e3b46e5d
Malware Config

Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes (pid, process):
    2012, taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, 2012, taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 1648 wrote to memory of 684, 1648, cmd.exe, cmd.exe
    PID 1648 wrote to memory of 684, 1648, cmd.exe, cmd.exe
    PID 1648 wrote to memory of 684, 1648, cmd.exe, cmd.exe
    PID 684 wrote to memory of 2012, 684, cmd.exe, taskkill.exe
    PID 684 wrote to memory of 2012, 684, cmd.exe, taskkill.exe
    PID 684 wrote to memory of 2012, 684, cmd.exe, taskkill.exe
Processes (process tree, depth in brackets)
- [1] C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Requirements.lnk
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c cd project && pythonw.exe projectt.py & taskkill /F /IM cmd.exe
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
      command line: taskkill /F /IM cmd.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken