Overview

overview

10

Static

static

1

YWjESQ2siMOeTGY.exe

windows7-x64

3

YWjESQ2siMOeTGY.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    28-03-2023 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    YWjESQ2siMOeTGY.exe

  • Size

    1.2MB

  • MD5

    2c9847c76f51b2c6a2fe2abe4a9c91f3

  • SHA1

    e3d0facab5b7671ccdac2476a699ab2f817b4479

  • SHA256

    a8953f2dca5171e14663eefb973c1793decce1dcd6c7baa63081a3d681dbc1c1

  • SHA512

    a85c40c7033a7262cf063f38e845d223701b86d155ed29d12e353487384660dbe06d379de6741e778a939ef47ad8370b809f060108b42967394f8aaa7cd45b73

  • SSDEEP

    24576:9A5IeDQd/XJwtr4Xqfbd3TFZNoDoAyfiF1geG68Nq9H9Z2839Y2YXC8bx7wwI3n2:25/QR5wtr4XEbvA+iF1geG68Nq9Hr286

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe
    "C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:972
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KAmVjfLsWgBU.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:864
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KAmVjfLsWgBU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF74B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:852
    • C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe
      "C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
      2⤵
        PID:1080
      • C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe
        "C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
        2⤵
          PID:280
        • C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe
          "C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
          2⤵
            PID:1764
          • C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe
            "C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
            2⤵
              PID:676
            • C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe
              "C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
              2⤵
                PID:360

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpF74B.tmp
              Filesize

              1KB

              MD5

              4d210643ea291b72932d9246d8f10c12

              SHA1

              4f649fcfd0ff341a87956a0f9d05ae6bb382d8a0

              SHA256

              cbddb57f5e55047f758c155753f7678775765362846db2b5f3c5bbb4442a3500

              SHA512

              f62596c313bc2b6cb956d0c99388c7fa23c24e1346e27e7fcab757f972a70db087cde563914510e19b39a4758216050dbd470b620257960d28d4c332dec2a927

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PG3QFUY476NAP1EIUKEG.temp
              Filesize

              7KB

              MD5

              1e7fd45acfbec07c237d18a5db973be9

              SHA1

              1f3cf32a40f856643ab07154a2943845a11c6633

              SHA256

              bf7d2824118004fa68d9dfa504de49be189cd9cc34c177d32f25267f968756a4

              SHA512

              808a9c4871617a6168fab623f86c2d1fb96f0ab57080b48fc5f31d8eeacb12f9f927319ff8a95f002d42aa0cd822e29bf3f85517be3548c66a2b39ae5e202615

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Filesize

              7KB

              MD5

              1e7fd45acfbec07c237d18a5db973be9

              SHA1

              1f3cf32a40f856643ab07154a2943845a11c6633

              SHA256

              bf7d2824118004fa68d9dfa504de49be189cd9cc34c177d32f25267f968756a4

              SHA512

              808a9c4871617a6168fab623f86c2d1fb96f0ab57080b48fc5f31d8eeacb12f9f927319ff8a95f002d42aa0cd822e29bf3f85517be3548c66a2b39ae5e202615

              Download Submit
            • memory/864-74-0x0000000002740000-0x0000000002780000-memory.dmp
              Filesize

              256KB

              Download
            • memory/972-75-0x0000000000520000-0x0000000000560000-memory.dmp
              Filesize

              256KB

              Download
            • memory/972-73-0x0000000000520000-0x0000000000560000-memory.dmp
              Filesize

              256KB

              Download
            • memory/1520-57-0x0000000004E10000-0x0000000004E50000-memory.dmp
              Filesize

              256KB

              Download
            • memory/1520-59-0x0000000005660000-0x0000000005714000-memory.dmp
              Filesize

              720KB

              Download
            • memory/1520-58-0x0000000001F20000-0x0000000001F2C000-memory.dmp
              Filesize

              48KB

              Download
            • memory/1520-72-0x0000000004F50000-0x0000000004F8C000-memory.dmp
              Filesize

              240KB

              Download
            • memory/1520-54-0x0000000000330000-0x000000000046E000-memory.dmp
              Filesize

              1.2MB

              Download
            • memory/1520-56-0x0000000000720000-0x0000000000740000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1520-55-0x0000000004E10000-0x0000000004E50000-memory.dmp
              Filesize

              256KB

              Download