Analysis
- max time kernel: 151s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 19:28

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7v20201028
General
- Target: file.exe
- Size: 253KB
- MD5: 94d715c76354182482dcc8fb446a1be7
- SHA1: 3d6497669c371e33c2e4055f9eb8c00dc5104387
- SHA256: a2f4d3da25e52d88eafb7a7da242e9bb507fe4626af58ca3b8c1a13e391c2000
- SHA512: e85e1ae231318c403a3aea0af312f587abbf55392fb8677543e363d9245054a939ad635a0094c0884b01f2e0171eb2919b43c556b472724bb103637cee206965
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: file.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp\\Taskmgrk.exe" (process: file.exe)

Modifies security service (2 TTPs, 1 IoCs)
Processes: Taskmgrk.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (process: Taskmgrk.exe)

Executes dropped EXE (1 IoCs)
Processes: Taskmgrk.exe
- PID 832: Taskmgrk.exe

YARA rule matches (resource: rule)
- \Users\Admin\AppData\Local\Temp\Temp\Taskmgrk.exe: upx
- \Users\Admin\AppData\Local\Temp\Temp\Taskmgrk.exe: upx
- C:\Users\Admin\AppData\Local\Temp\Temp\Taskmgrk.exe: upx

Loads dropped DLL (2 IoCs)
Processes: file.exe
- PID 1688: file.exe
- PID 1688: file.exe
Windows security modification
Processes: Taskmgrk.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: Taskmgrk.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: Taskmgrk.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: file.exe, Taskmgrk.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskmgrk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp\\Taskmgrk.exe" (process: file.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskmgrk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp\\Taskmgrk.exe" (process: Taskmgrk.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: file.exe (PID 1688), Taskmgrk.exe (PID 832)
The same 23 token privileges were adjusted by both PID 1688 (file.exe) and PID 832 (Taskmgrk.exe):
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- 33
- 34
- 35

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: Taskmgrk.exe
- PID 832: Taskmgrk.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: file.exe
- PID 1688 (file.exe) wrote to memory of PID 832 (Taskmgrk.exe), recorded 4 times

System policy modification (1 TTPs, 3 IoCs)
Processes: Taskmgrk.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (process: Taskmgrk.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (process: Taskmgrk.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (process: Taskmgrk.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Temp\Taskmgrk.exe (spawned by 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Temp\Taskmgrk.exe"
      - Modifies security service
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Temp\Taskmgrk.exe
  MD5: 94d715c76354182482dcc8fb446a1be7
  SHA1: 3d6497669c371e33c2e4055f9eb8c00dc5104387
  SHA256: a2f4d3da25e52d88eafb7a7da242e9bb507fe4626af58ca3b8c1a13e391c2000
  SHA512: e85e1ae231318c403a3aea0af312f587abbf55392fb8677543e363d9245054a939ad635a0094c0884b01f2e0171eb2919b43c556b472724bb103637cee206965
- memory/832-2-0x0000000000000000-mapping.dmp