Analysis
- max time kernel: 29s
- platform: windows7_x64
- resource: win7-20220812-es
- resource tags: arch:x64, arch:x86, image:win7-20220812-es, locale:es-es, os:windows7-x64, system:windows
- submitted: 14-02-2023 14:02
Static task: static1
Behavioral task: behavioral1
- Sample: ReduceMemory.exe
- Resource: win7-20220812-es
Behavioral task: behavioral2
- Sample: ReduceMemory.exe
- Resource: win10v2004-20220812-es
General
- Target: ReduceMemory.exe
- Size: 776KB
- MD5: 0d626331715cc35aa377a8503f85c92a
- SHA1: 26aad89595f00068151d3676297ceec394e718af
- SHA256: 3e541100c869dba06ee62252a9661e5a06c2e685a7ddd5288ea1358703412385
- SHA512: 6dcdc39672dd00873c55753ba02ad05dc61ef028a4de385d5af38f30c4959342ac25f0ae936a19fb29100a49ab379f16f5288578434e1aea83b03e596d999996
- SSDEEP: 12288:UaWzgMg7v3qnCiHErQohh0F4aCJ8lny7QSpJJ9vZ+dAy2s:LaHMv6C7rjCny7QQx+Is
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process
  1516  ReduceMemory.exe (3 entries)
  644   ReduceMemory.exe (6 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                            pid   Process
  Token: SeDebugPrivilege                1516  ReduceMemory.exe
  Token: SeAssignPrimaryTokenPrivilege   1516  ReduceMemory.exe
  Token: SeIncreaseQuotaPrivilege        1516  ReduceMemory.exe
  Token: 0                               1516  ReduceMemory.exe
- Suspicious use of FindShellTrayWindow (32 IoCs)
  pid   Process
  644   ReduceMemory.exe (32 entries)
- Suspicious use of SendNotifyMessage (32 IoCs)
  pid   Process
  644   ReduceMemory.exe (32 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe"
  PID: 1516
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe (depth 2, child of PID 1516)
    Command line: C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe
    PID: 644
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2KB
  MD5: 76ac7cc616db3e690539e649a3e8aac9
  SHA1: 1d47d410231c2a85c651828918343e5ce9e5f1ee
  SHA256: 41f1a56b41920aba83a7593dc1a47ab2b76732901d7e259520a144ec0128b6cc
  SHA512: 8cfe0e47bce4547405910da1a4287ccbbe1b094d821452ddeb1e0472baf626c64782393b172a1c36987f1f64154644a24f38801500e8c2a34b16784b551ac6f9