b03d831a555a8366ac262fa9d13fde89b675803d41c57d36f07090a0cedab154

Analysis

max time kernel
32s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-01-2023 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA.exe
Size

671KB
MD5

774dc51d4da8bbc4e682008bf4d61aa2
SHA1

0a12ab2bed3ce4e701e534df5c24bfef8dcc653b
SHA256

b03d831a555a8366ac262fa9d13fde89b675803d41c57d36f07090a0cedab154
SHA512

38bfce718ca25bba53e5ceb3de3c6b7c643bfdd358094ab8d0ec288415391146e029d778a43afe3edb86e4bf8d7fde2a65e3f553ee2467437f6b3de1eb3b2306
SSDEEP

12288:UF3gflcMVpRY6HxOVU9z+EHE1tKuSoNvXOTwYM0:z6MVpcUptU9A

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

652 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

SOA.exe

pid process

2000 SOA.exe
2000 SOA.exe
2000 SOA.exe
2000 SOA.exe
2000 SOA.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SOA.exe

description pid process

Token: SeDebugPrivilege 2000 SOA.exe

pid	process
652	schtasks.exe

pid	process
2000	SOA.exe
2000	SOA.exe
2000	SOA.exe
2000	SOA.exe
2000	SOA.exe

description	pid	process
Token: SeDebugPrivilege	2000	SOA.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SOA.exe

description	pid	process	target process
PID 2000 wrote to memory of 652	2000	SOA.exe	schtasks.exe
PID 2000 wrote to memory of 652	2000	SOA.exe	schtasks.exe
PID 2000 wrote to memory of 652	2000	SOA.exe	schtasks.exe
PID 2000 wrote to memory of 652	2000	SOA.exe	schtasks.exe
PID 2000 wrote to memory of 568	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 568	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 568	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 568	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 1856	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 1856	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 1856	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 1856	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 772	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 772	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 772	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 772	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 1168	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 1168	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 1168	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 1168	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 1304	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 1304	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 1304	2000	SOA.exe	SOA.exe
PID 2000 wrote to memory of 1304	2000	SOA.exe	SOA.exe

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BWhappphtUdy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7678.tmp"
2⤵
- Creates scheduled task(s)
PID:652

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7678.tmp

Filesize
1KB

MD5
ceb10c7b07a45aa14abb778dc5a9a86b

SHA1
8a9a0a47e22b48411fcb97d5c62bba8436254ad0

SHA256
e961b768dc4cf857377b0f216e65466fb31ad4215d9e0b35d2687f478e8dd247

SHA512
effe05eaaa35a32b378a29222ec910a234668dda5eb73b9571e3b3f4d4b812c13945b0a7dd53b9480502ae8a6d0c04f99bd4cd4a5fff969f2025fd46557d1001

Download Submit
memory/652-60-0x0000000000000000-mapping.dmp

Download
memory/2000-54-0x00000000012D0000-0x000000000137E000-memory.dmp

Filesize
696KB

Download
memory/2000-55-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/2000-56-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/2000-57-0x0000000004860000-0x00000000048C8000-memory.dmp

Filesize
416KB

Download
memory/2000-58-0x0000000005280000-0x00000000052EA000-memory.dmp

Filesize
424KB

Download
memory/2000-59-0x0000000000700000-0x0000000000714000-memory.dmp

Filesize
80KB

Download