Overview

overview

10

Static

static

1

New PO #23546738.exe

windows7-x64

3

New PO #23546738.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    32s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    30-03-2023 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New PO #23546738.exe

  • Size

    707KB

  • MD5

    80c0b9e8a00242d0fb960584d89d745e

  • SHA1

    fb6bb9c955f030eb906e532813f7c7c6102ec55e

  • SHA256

    0a8368bab522deb622eca5805bc7bc6da0d4a6a63fae959c41c22c7d0b5ffa63

  • SHA512

    539017fd581d853b9e369eea90447001b08eb816948b3ab45fc9b082cfaaf65f1bb4b3af6cefb22bb1aae3190917ef47d41ce4c1794d546c2e023b628c6d3a71

  • SSDEEP

    12288:l3B2nTxM9+/nT92EiggkPIYP1QF7MKqv27bYyywV37Zb:lSbT92E8kPT1QFJ22GwVrF

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New PO #23546738.exe
    "C:\Users\Admin\AppData\Local\Temp\New PO #23546738.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YJmfGxcN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp75FB.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1868
    • C:\Users\Admin\AppData\Local\Temp\New PO #23546738.exe
      "{path}"
      2⤵
        PID:668
      • C:\Users\Admin\AppData\Local\Temp\New PO #23546738.exe
        "{path}"
        2⤵
          PID:1420
        • C:\Users\Admin\AppData\Local\Temp\New PO #23546738.exe
          "{path}"
          2⤵
            PID:568
          • C:\Users\Admin\AppData\Local\Temp\New PO #23546738.exe
            "{path}"
            2⤵
              PID:1316
            • C:\Users\Admin\AppData\Local\Temp\New PO #23546738.exe
              "{path}"
              2⤵
                PID:1544

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp75FB.tmp
              Filesize

              1KB

              MD5

              a3671ec5d8bc5f26db86cbacfacd0927

              SHA1

              220dc91658c9940e142ec93262c25deb062647a9

              SHA256

              a07d545e3e48cc0573188f695bf2199dfefd4907faac611b176fbd49b7ac228d

              SHA512

              eb4ea67c988b88fca87c38124a1d91530008c0b845b0f1f2af98d79cd2b740357d9b5a7394ddf4d8ced85ab2c5f3674989c3e8a5ce5a4c8073cdbd5253906a69

              Download Submit
            • memory/1704-54-0x0000000000360000-0x0000000000416000-memory.dmp
              Filesize

              728KB

              Download
            • memory/1704-55-0x0000000004D30000-0x0000000004D70000-memory.dmp
              Filesize

              256KB

              Download
            • memory/1704-56-0x0000000000340000-0x000000000034C000-memory.dmp
              Filesize

              48KB

              Download
            • memory/1704-57-0x0000000004D30000-0x0000000004D70000-memory.dmp
              Filesize

              256KB

              Download
            • memory/1704-58-0x00000000052E0000-0x000000000535C000-memory.dmp
              Filesize

              496KB

              Download
            • memory/1704-59-0x0000000000830000-0x0000000000860000-memory.dmp
              Filesize

              192KB

              Download