Overview

overview

6

Static

static

3

ff14b2d7f3...07.exe

windows7-x64

6

ff14b2d7f3...07.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    05-10-2024 10:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff14b2d7f31d498622cf90ef4070fb39fe8bc5c589318b9cf1036b0c900d1107.exe

  • Size

    130KB

  • MD5

    add93a7f33da50a703ed53d7ebf43213

  • SHA1

    9b5c13df967be938825186fa2ae7be70df066f03

  • SHA256

    ff14b2d7f31d498622cf90ef4070fb39fe8bc5c589318b9cf1036b0c900d1107

  • SHA512

    a75ac726aee50b70b70f2af1f80b416574835f053fe817f9416b2dc367420c6bf30871a56da3d45d9ae5edefce662a4d21bc8b7a8b763e5d1afae20566c9ca35

  • SSDEEP

    3072:lO55k/y5dAj+BMTYlgEQnB+Y+pek7+3OrFZeUqe6oh:lO5n5d56TYZQnB+Dpekyyqm

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff14b2d7f31d498622cf90ef4070fb39fe8bc5c589318b9cf1036b0c900d1107.exe
    "C:\Users\Admin\AppData\Local\Temp\ff14b2d7f31d498622cf90ef4070fb39fe8bc5c589318b9cf1036b0c900d1107.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:1280

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1280-0-0x0000000002020000-0x0000000002067000-memory.dmp

    Filesize

    284KB

    Download

  • memory/1280-2-0x0000000002340000-0x000000000238E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1280-1-0x0000000002340000-0x000000000238E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1280-3-0x0000000002340000-0x000000000238E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1280-6-0x0000000002340000-0x000000000238E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1280-7-0x0000000002340000-0x000000000238E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1280-8-0x0000000002340000-0x000000000238E000-memory.dmp

    Filesize

    312KB

    Download