Analysis
max time kernel: 52s
max time network: 127s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:54
Static task: static1
Behavioral task: behavioral1
Sample: Mist.Buld_1.exe
Resource: win7v20201028
General
Target: Mist.Buld_1.exe
Size: 388KB
MD5: 5c5bfde7bc82aa30b6377b63422b52ca
SHA1: 61bcc321594759d282c7aaf84cb7a4a4d116c778
SHA256: 2dcabb7757046fa4178695fdfa481b1bb309f0264ee5bc4be4326476e33ec082
SHA512: 9b44285cae5ad5445002068b6e07cf4a301796ad81ffb487c3185afee142f3e6fef884ee9331b09bc952026e214b7221074633ff26006a88785124c9f7e7788d
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1660  systems32.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     api.ipify.org
    5     api.ipify.org
    9     api.ipify.org
    10    api.ipify.org
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Mist.Buld_1.exe, systems32.exe
    description              pid   process
    Token: SeDebugPrivilege  1764  Mist.Buld_1.exe
    Token: SeDebugPrivilege  1660  systems32.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: Mist.Buld_1.exe, taskeng.exe, systems32.exe
    description                       pid   process          target process
    PID 1764 wrote to memory of 548   1764  Mist.Buld_1.exe  schtasks.exe
    PID 1764 wrote to memory of 548   1764  Mist.Buld_1.exe  schtasks.exe
    PID 1764 wrote to memory of 548   1764  Mist.Buld_1.exe  schtasks.exe
    PID 1752 wrote to memory of 1660  1752  taskeng.exe      systems32.exe
    PID 1752 wrote to memory of 1660  1752  taskeng.exe      systems32.exe
    PID 1752 wrote to memory of 1660  1752  taskeng.exe      systems32.exe
    PID 1660 wrote to memory of 1356  1660  systems32.exe    schtasks.exe
    PID 1660 wrote to memory of 1356  1660  systems32.exe    schtasks.exe
    PID 1660 wrote to memory of 1356  1660  systems32.exe    schtasks.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Mist.Buld_1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Mist.Buld_1.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe" /f
    - Creates scheduled task(s)
- [1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {E85EBA51-2B0B-4745-AE9D-E3AFD0FBFF9C} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe
    Command line: C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe" /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: cf3114090cfea0cba4903c82d8dc10d6
  SHA1: 4e9b14382fc03db860376cd60230e5880d905ff1
  SHA256: 4663086e4b9ebb2cef9057066d2e5d31ed8007febd58b5513f3f5098e67ce61c
  SHA512: 7731e1b22b179106afc0bbcc557f2bf9dae4d2ce13fcdf708b35f7c2d2a1e00293b5cf0ec1f7d594943b848a4bc9cc6df16da5610f11160d58f60acb60bfc8d9
- C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe
  MD5: 5c5bfde7bc82aa30b6377b63422b52ca
  SHA1: 61bcc321594759d282c7aaf84cb7a4a4d116c778
  SHA256: 2dcabb7757046fa4178695fdfa481b1bb309f0264ee5bc4be4326476e33ec082
  SHA512: 9b44285cae5ad5445002068b6e07cf4a301796ad81ffb487c3185afee142f3e6fef884ee9331b09bc952026e214b7221074633ff26006a88785124c9f7e7788d
- C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe
  MD5: 5c5bfde7bc82aa30b6377b63422b52ca
  SHA1: 61bcc321594759d282c7aaf84cb7a4a4d116c778
  SHA256: 2dcabb7757046fa4178695fdfa481b1bb309f0264ee5bc4be4326476e33ec082
  SHA512: 9b44285cae5ad5445002068b6e07cf4a301796ad81ffb487c3185afee142f3e6fef884ee9331b09bc952026e214b7221074633ff26006a88785124c9f7e7788d
- memory/548-4-0x0000000000000000-mapping.dmp
- memory/1356-13-0x0000000000000000-mapping.dmp
- memory/1660-5-0x0000000000000000-mapping.dmp
- memory/1660-8-0x000007FEF6280000-0x000007FEF6C6C000-memory.dmp
  Filesize: 9.9MB
- memory/1660-9-0x00000000011F0000-0x00000000011F1000-memory.dmp
  Filesize: 4KB
- memory/1764-0-0x000007FEF6280000-0x000007FEF6C6C000-memory.dmp
  Filesize: 9.9MB
- memory/1764-1-0x0000000000D10000-0x0000000000D11000-memory.dmp
  Filesize: 4KB
- memory/1764-3-0x000000001AD10000-0x000000001ADA5000-memory.dmp
  Filesize: 596KB