Analysis
-
max time kernel
28s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
15/03/2023, 02:16
Static task
static1
Behavioral task
behavioral1
Sample
service.exe
Resource
win7-20230220-en
General
-
Target
service.exe
-
Size
283KB
-
MD5
cc9cbbfa9ccc9cefe75253c65ad22405
-
SHA1
f126e2c4431a9eacab858316eaf031fb5e7bc9f1
-
SHA256
4d19771fb289f892626b1b04c120f53d69492ec87df2bfd6809dd6fce8662c3c
-
SHA512
bbc779e3daf6d9dcf249ba59d99feb34a62fe7f381d74b608fcc8719806eef88a04491983623417c9560f2dfc4858f6e8ec12362cf93e57ca3a78e1984ba2e17
-
SSDEEP
6144:7gZiAEAO0sByNsAal3gVAWgS7/OhwjKfqZK:7gZXEAO/BUdG3gVdt7KnfqZK
Malware Config
Extracted
https://pastebin.com/raw/vNcCt60A
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 584 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 584 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1692 wrote to memory of 1028 1692 service.exe 28 PID 1692 wrote to memory of 1028 1692 service.exe 28 PID 1692 wrote to memory of 1028 1692 service.exe 28 PID 1692 wrote to memory of 1028 1692 service.exe 28 PID 1028 wrote to memory of 584 1028 WScript.exe 29 PID 1028 wrote to memory of 584 1028 WScript.exe 29 PID 1028 wrote to memory of 584 1028 WScript.exe 29 PID 1028 wrote to memory of 584 1028 WScript.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\service.exe"C:\Users\Admin\AppData\Local\Temp\service.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:584
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147B
MD5e04e55d2e6cc3d920631fdc5d6dcc1ce
SHA12c4dbcff71f8678623a7c197440ec281804dc5a5
SHA256f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb
SHA5129511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998
-
Filesize
797B
MD5eb9c76ab230c2b8527d504429d7aca20
SHA1ca4fc2fcb5023fa8398fc5a0c15e7ad23a61e8cb
SHA256f985277690d6c85a064bc5d494d20d0774fb5017eaf7874685378c538bd49dbf
SHA512f791797d8301242f2334767153ae7133193cee75538ce38b9d5fa5b60388428a8808c22eb08dd070f6f7e3ce556cf1f04883285eaa44ddf8aba1bd67886429c2