Analysis

max time kernel: 243s
max time network: 332s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 10-02-2023 04:23

Static task: static1

Behavioral task: behavioral1
Sample: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
Resource: win10v2004-20220812-en
General

Target: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
Size: 245KB
MD5: e538f67d529d672c55304f3c9ad05392
SHA1: f7ff40a1901d51dd6222b420bbece575b46b2cd2
SHA256: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf
SHA512: 22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6
SSDEEP: 3072:eTIu4ZQ8M2A1vA7m5+C6ZoEHBAnpK37nXz8o1008Q75wPsoB74tyJhvSK/KkMc/X:LHA1vweOR8CTwPnLKkM/u
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1580  powershell.exe
  536   powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     1488  124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
  Token: SeBackupPrivilege    1620  vssvc.exe
  Token: SeRestorePrivilege   1620  vssvc.exe
  Token: SeAuditPrivilege     1620  vssvc.exe
  Token: SeDebugPrivilege     1580  powershell.exe
  Token: SeDebugPrivilege     536   powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process                                                                  target process
  PID 1488 wrote to memory of 1580   1488  124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe  powershell.exe
  PID 1488 wrote to memory of 1580   1488  124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe  powershell.exe
  PID 1488 wrote to memory of 1580   1488  124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe  powershell.exe
  PID 1488 wrote to memory of 536    1488  124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe  powershell.exe
  PID 1488 wrote to memory of 536    1488  124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe  powershell.exe
  PID 1488 wrote to memory of 536    1488  124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe  powershell.exe
Processes

C:\Users\Admin\AppData\Local\Temp\124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe"
  PID: 1488
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\taskshostw.exe'
    PID: 1580
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskshostw.exe'
    PID: 536
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1620
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: a300432f80ed22d0d618b9b87919ec22
SHA1: 5e86c5a11d7d38b2cd7884ee5d38ef3279c85dcd
SHA256: f6ec2c8f1b497c35922009c92e4c4bae8af40c9c6b9fdaaa5ff5bd2ec898bf37
SHA512: 130aab5d7fe1ead62496b8935270b66f2c678d1e156934d540756d7f4e38a563c920493c79170ce31688d29bcf78d79dc2f5f1b7a058a2deff2115e1db24ff83