Overview

overview

8

Static

static

8

400.184/mats

ubuntu-18.04-amd64

1

400.184/mods

ubuntu-18.04-amd64

5

mats.img

windows7-x64

3

mats.img

windows10-2004-x64

3

rufus-3.13.exe

windows7-x64

8

rufus-3.13.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    131s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2023 10:38

Sharing

Copy URL
Twitter E-mail

General

  • Target

    mats.img

  • Size

    66MB

  • MD5

    707db4d641a2bb3e14bb91327b75ee87

  • SHA1

    acf77d5cffa8ebce597f80ca4c9b01b351352c3b

  • SHA256

    eac96ab9a056461c4560066936c8af173d17d18ac8af68e373fc07d73244e8dc

  • SHA512

    b27648968a389059af9cb3749c56dbd9a0c5234b44621d063cfde948eeaf9550cd9e89c4b7aa971427d6508efb8aecb3e8e6f7b5cc8a16b008d6c8e83382b9f5

  • SSDEEP

    1572864:3YmMX2KKYtxefLs1FZ9bE4P8+2t8qL70SmO:IRX2KttHX4

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\mats.img
    Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\System32\isoburn.exe
      "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\mats.img"
      Suspicious behavior: GetForegroundWindowSpam
      PID:268

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Discovery

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                      Privilege Escalation

                        Replay Monitor

                        00:00 00:00

                        Downloads

                        • memory/268-76-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2000-54-0x000007FEFB771000-0x000007FEFB773000-memory.dmp
                          Download