Analysis
-
max time kernel
27s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
17/03/2023, 06:22
Static task
static1
Behavioral task
behavioral1
Sample
service.exe
Resource
win7-20230220-en
General
-
Target
service.exe
-
Size
237KB
-
MD5
ab439c03eb89bc15757588b7b030bea6
-
SHA1
50411b04ba6c51aab0f706e3a54fc548b5f8df0f
-
SHA256
be067c2c7c5a474442339d8adc999a0a288d56890d9781e88f536b6183cd398c
-
SHA512
7784fb618db8f2951bd8032154da86c9f139d51a4e541c9924cfccab99862efbcf92b8cbd582714e5f243d2cd5ee1b9fa2bb076f7d9b683e4b57e7b9e347c9a7
-
SSDEEP
3072:r4tWK9YMDbz6fV/NpbnyAGJwhOnQdT1MgvAOdj8MXoiTYfSHw69pJZXAqacHy1ly:m9j76xnImFZ1MmF8QTU/urSiLfTP8U
Malware Config
Extracted
https://pastebin.com/raw/vNcCt60A
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 376 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 376 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1716 wrote to memory of 1276 1716 service.exe 28 PID 1716 wrote to memory of 1276 1716 service.exe 28 PID 1716 wrote to memory of 1276 1716 service.exe 28 PID 1716 wrote to memory of 1276 1716 service.exe 28 PID 1276 wrote to memory of 376 1276 WScript.exe 29 PID 1276 wrote to memory of 376 1276 WScript.exe 29 PID 1276 wrote to memory of 376 1276 WScript.exe 29 PID 1276 wrote to memory of 376 1276 WScript.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\service.exe"C:\Users\Admin\AppData\Local\Temp\service.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147B
MD5e04e55d2e6cc3d920631fdc5d6dcc1ce
SHA12c4dbcff71f8678623a7c197440ec281804dc5a5
SHA256f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb
SHA5129511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998
-
Filesize
949B
MD58a97b217587bf21df5b6be29428a1251
SHA133bc1ad54acc40f29d1b09767811c4a9f779f9a5
SHA256ac975c8129b58f138e0f9880d5d63e6ca9e350c875e09a6dd5c16b40eaa9ea0d
SHA512944c4fbbb3e92afad4cb4fc9f675cbe0b12ff3ef371fa1a5acdffb8489d7c7dde6e2cb8c2a1e194db9eba8e7c74db82b91ceaa40bc3f189924adaeae01cc2409