Analysis
-
max time kernel: 151s
max time network: 140s
platform: windows7_x64
resource: win7v20201028
submitted: 13-11-2020 15:32
Static task: static1
Behavioral task: behavioral1
  Sample: 8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
  Resource: win7v20201028
General
-
Target: 8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Size: 251KB
MD5: 530119807d27adea9b69bcbf9aad4f0b
SHA1: 37c487c8363d9f4e730772ceb135e1a3d330b121
SHA256: 8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357
SHA512: 295342c759e0da72e18e2c2967d9df4173f05d81d8dbc3472ec6e29a6cc1729008e26830e412c995ed19b94008b77cd8c61e49af26ed41006ff351afbdb867be
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe (PID 240)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Temp\\Microsoft.NET.exe"
  The stock Userinit value is userinit.exe alone (often with a trailing comma). Appending the dropped copy makes Winlogon launch it at every interactive logon, before the shell starts, and it runs even if the Run key below is removed.
-
Modifies security service (2 TTPs, 1 IoC)
  Process: Microsoft.NET.exe (PID 1752)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
  wscsvc is the Windows Security Center service; Start = 4 is SERVICE_DISABLED, so the service will not start on the next boot. The write goes to ControlSet001 directly rather than through CurrentControlSet.
-
Executes dropped EXE (1 IoC)
  PID 1752  Microsoft.NET.exe
-
UPX packed file (4 IoCs)
  yara rule "upx" matched the dropped file, recorded under both path forms the sandbox uses (two matches each):
  \Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe
  C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe
  Because the dropped file is a byte-for-byte copy of the sample (same hashes, see Downloads), the original submission is UPX-packed too; unpack before static analysis.
-
Loads dropped DLL (2 IoCs)
  PID 240  8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe (two load events)
-
Windows security modification (2 IoCs)
  Process: Microsoft.NET.exe (PID 1752)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Both values silence the Security Center's "no antivirus" and "updates turned off" notifications. The Wow6432Node path is where a 32-bit process lands when it writes HKLM\SOFTWARE on 64-bit Windows, which confirms the dropped copy runs as a 32-bit image.
-
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe (PID 240)
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.NET = "C:\\Users\\Admin\\AppData\\Roaming\\Temp\\Microsoft.NET.exe"
  Second persistence path, this time under the logged-on user's hive (HKU\<SID>, i.e. HKCU), pointing at the same copy as the Winlogon Userinit entry above. Both entries must be removed together.
-
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). "Likely ransomware behaviour" is the sandbox's stock description for this signature, not a finding specific to this sample; nothing else in this report shows ransomware-style file activity.
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1752  Microsoft.NET.exe
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  The sample (PID 240) and the dropped copy Microsoft.NET.exe (PID 1752) each request the same 23 privileges on their own token, in the same order:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names: SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34) and SeCreateSymbolicLinkPrivilege (35). The list is every privilege present on the administrator token the sandbox runs the sample under, so this is a blanket enable-everything sweep rather than a targeted request; SeDebugPrivilege is the one that matters for the WriteProcessMemory activity below.
-
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1752  Microsoft.NET.exe
  Together with the GetForegroundWindow polling above, this is the usual footprint of window and keystroke monitoring; the report does not record the hook type, so treat it as a lead rather than a finding.
-
Suspicious use of WriteProcessMemory (43 IoCs)
  source PID  source process                                                            target PID  target process      writes
  240         8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe     1180        cmd.exe             4
  240         8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe     1972        cmd.exe             4
  1180        cmd.exe                                                                   2040        attrib.exe          4
  1972        cmd.exe                                                                   1736        attrib.exe          4
  240         8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe     1752        Microsoft.NET.exe   4
  1752        Microsoft.NET.exe                                                         1332        notepad.exe         23
  Every ordinary spawn in this report accounts for exactly four parent-to-child writes. The 23 writes by Microsoft.NET.exe into notepad.exe, which it started with no arguments, are the ones to examine for code injection; the 4KB region dumped from PID 1332 at 0x220000 (listed under the memory dumps below) is where to start.
-
Views/modifies file attributes (1 TTPs, 2 IoCs)
  PID 2040  attrib.exe
  PID 1736  attrib.exe
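The registry writes recorded under the Winlogon, security-service, security-modification and Run-key signatures above are the kind of events an analyst turns into a host or log check. The following is an added example written for this page, not code from the sandbox, the sample or any vendor: it replays the five Set-value events from the report (constructed input, with the report's doubled backslashes collapsed) plus one invented benign Run entry as a control, and classifies each one. The list of user-writable path markers and the ATT&CK IDs are my own choices; the IDs use current sub-technique numbering, not the v6 IDs the matrix on this page refers to.

```python
"""Classify registry Set-value events for the persistence and defence-evasion
patterns this report records. Added example; not sandbox or sample code."""
from typing import Optional

SAMPLE = "8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe"
DROPPED = "Microsoft.NET.exe"
USER_SID = "S-1-5-21-3825035466-2522850611-591511364-1000"
RUN_KEY = "\\REGISTRY\\USER\\" + USER_SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

# Constructed input: the five events from the report as (process, path, value),
# plus one invented benign Run entry that must not fire (control case).
EVENTS = [
    (SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe"),
    (DROPPED, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start", "4"),
    (DROPPED, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify", "1"),
    (DROPPED, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify", "1"),
    (SAMPLE, RUN_KEY + "Microsoft.NET", r"C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe"),
    ("explorer.exe", RUN_KEY + "OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
]

LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"


def userinit_extras(value: str) -> list:
    """Entries in a Winlogon Userinit value other than the stock userinit.exe.

    The legitimate value is userinit.exe alone (often with a trailing comma);
    anything appended to it is executed at every interactive logon."""
    entries = [e.strip().lower() for e in value.split(",")]
    return [e for e in entries if e and e != LEGIT_USERINIT]


# Assumption (heuristic, not from the report): a Run entry that launches from a
# user-writable location is not proof of malice, but it is where this sample and
# most commodity malware put their copy.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def from_user_writable_path(command: str) -> bool:
    c = command.lower()
    return any(marker in c for marker in USER_WRITABLE)


def classify_event(process: str, path: str, value: str) -> Optional[tuple]:
    """Map one registry Set-value event to (technique, evidence), or None.

    Matching is by key suffix / substring, so it works on the sandbox's
    \\REGISTRY\\MACHINE form and on Sysmon's HKLM\\... form alike."""
    p = path.lower()
    if p.endswith("\\winlogon\\userinit"):
        extras = userinit_extras(value)
        if extras:
            return ("Winlogon Userinit persistence (ATT&CK T1547.004)", "; ".join(extras))
    elif p.endswith("\\services\\wscsvc\\start"):
        if value.strip() == "4":  # 4 == SERVICE_DISABLED
            return ("Security Center service disabled (ATT&CK T1562.001)", "wscsvc Start=4")
    elif "\\security center\\" in p and p.endswith("disablenotify"):
        if value.strip() == "1":
            return ("Security Center alerts suppressed (ATT&CK T1562.001)",
                    path.rsplit("\\", 1)[1] + "=1")
    elif "\\currentversion\\run\\" in p:
        if from_user_writable_path(value):
            return ("Run-key persistence from a user-writable path (ATT&CK T1547.001)", value)
    return None


def scan(events) -> list:
    """Return [(process, technique, evidence)] for every event that fires."""
    findings = []
    for process, path, value in events:
        hit = classify_event(process, path, value)
        if hit:
            findings.append((process, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for process, technique, evidence in scan(EVENTS):
        print(f"{process}\n    {technique}\n    {evidence}")
```

Run as a script it prints the five findings and stays silent on the OneDrive control. The same classify_event() drops onto Sysmon Event ID 13 (RegistryEvent, value set) records with TargetObject and Details in place of path and value, which is the practical way to catch this pattern on a live host.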
Processes
-
C:\Users\Admin\AppData\Local\Temp\8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe  (PID 240)
    "C:\Users\Admin\AppData\Local\Temp\8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe"
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    |
    +-- C:\Windows\SysWOW64\cmd.exe
    |       "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe" +s +h
    |       - Suspicious use of WriteProcessMemory
    |       |
    |       +-- C:\Windows\SysWOW64\attrib.exe
    |               attrib "C:\Users\Admin\AppData\Local\Temp\8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe" +s +h
    |               - Views/modifies file attributes
    |
    +-- C:\Windows\SysWOW64\cmd.exe
    |       "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    |       - Suspicious use of WriteProcessMemory
    |       |
    |       +-- C:\Windows\SysWOW64\attrib.exe
    |               attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    |               - Views/modifies file attributes
    |
    +-- C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe  (PID 1752)
            "C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe"
            - Modifies security service
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            |
            +-- C:\Windows\SysWOW64\notepad.exe  (PID 1332)
                    notepad

Notes on the tree:
  The sample marks both its own file and the user's Local\Temp directory system+hidden (attrib +s +h), so neither shows in Explorer with default view settings; cmd /k leaves each shell resident after attrib returns, which is why two cmd.exe instances (PIDs 1180 and 1972) persist in the memory dumps below.
  Image paths are under SysWOW64 while the command lines name System32: the sample is a 32-bit process on 64-bit Windows, so WOW64 file-system redirection resolves System32 to SysWOW64 for it and its children.
  notepad.exe is started with no arguments and then receives 23 WriteProcessMemory calls from Microsoft.NET.exe; that, plus the 4KB region dumped from PID 1332, is the code-injection lead to follow.
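To see which of the 43 WriteProcessMemory events matter, aggregate them per parent/child pair and lay the counts over the process tree. This is an added example for this page, not sandbox or sample code: it rebuilds the report's events from the per-pair counts (constructed input in the report's own line format) and flags any pair above a four-writes-per-spawn baseline. That baseline is my assumption drawn from this report, where every ordinary spawn shows exactly four writes, not a documented sandbox constant.

```python
"""Aggregate 'wrote to memory' events into a tree and flag injection outliers.
Added example; not sandbox or sample code."""
import re
from collections import Counter, defaultdict

SAMPLE = "8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe"


def _events(src, dst, src_name, dst_name, n):
    """n copies of one event in the report's own 'wrote to memory' line format."""
    return [f"PID {src} wrote to memory of {dst} {src} {src_name} {dst_name}"] * n


# Constructed input: the 43 events the report lists, rebuilt from its per-pair counts.
REPORT_LINES = (
    _events(240, 1180, SAMPLE, "cmd.exe", 4)
    + _events(240, 1972, SAMPLE, "cmd.exe", 4)
    + _events(1180, 2040, "cmd.exe", "attrib.exe", 4)
    + _events(1972, 1736, "cmd.exe", "attrib.exe", 4)
    + _events(240, 1752, SAMPLE, "Microsoft.NET.exe", 4)
    + _events(1752, 1332, "Microsoft.NET.exe", "notepad.exe", 23)
)

LINE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

# Assumption (heuristic): every ordinary spawn in this report shows exactly four
# parent->child writes, the burst recorded while a 32-bit child is created.
# A count well above that, into a child the writer launched itself, is the signal.
CREATE_BASELINE = 4


def parse_writes(lines):
    """Count events per (src_pid, src_name, dst_pid, dst_name)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            src, dst, src_name, dst_name = m.groups()
            counts[(int(src), src_name, int(dst), dst_name)] += 1
    return counts


def injection_candidates(counts, baseline=CREATE_BASELINE):
    """Pairs whose write count exceeds the creation baseline, busiest first."""
    hits = [(s, sn, d, dn, n) for (s, sn, d, dn), n in counts.items() if n > baseline]
    return sorted(hits, key=lambda t: -t[4])


def render_tree(counts, root_pid):
    """Process tree implied by the writes, one line per process, with counts."""
    names, children = {}, defaultdict(list)
    for (s, sn, d, dn), n in counts.items():
        names[s], names[d] = sn, dn
        children[s].append((d, n))
    lines = []

    def walk(pid, depth, writes):
        tag = f"  [{writes} writes from parent]" if writes else ""
        lines.append(f"{'    ' * depth}{pid} {names[pid]}{tag}")
        for child, n in sorted(children[pid]):
            walk(child, depth + 1, n)

    walk(root_pid, 0, 0)
    return lines


if __name__ == "__main__":
    counts = parse_writes(REPORT_LINES)
    print("\n".join(render_tree(counts, 240)))
    for s, sn, d, dn, n in injection_candidates(counts):
        print(f"\nflag: {sn} ({s}) wrote {n} times into {dn} ({d})")
```

On this report the only pair above baseline is Microsoft.NET.exe (1752) into notepad.exe (1332). The same parse_writes()/injection_candidates() pair works on any sandbox export that keeps the "PID x wrote to memory of y" wording; for other sources adjust LINE_RE and keep the aggregation.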
Network
  (no network events are listed in this report)
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe
  (captured four times, twice under each path form C:\Users\... and \Users\...; all four entries are the same file)
  MD5     530119807d27adea9b69bcbf9aad4f0b
  SHA1    37c487c8363d9f4e730772ceb135e1a3d330b121
  SHA256  8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357
  SHA512  295342c759e0da72e18e2c2967d9df4173f05d81d8dbc3472ec6e29a6cc1729008e26830e412c995ed19b94008b77cd8c61e49af26ed41006ff351afbdb867be
  These are exactly the hashes of the submitted sample: Microsoft.NET.exe is a byte-for-byte copy of the original executable, not a second-stage payload, so one hash-based block covers both the file in Local\Temp and the copy in Roaming\Temp.
-
memory/1180-0-0x0000000000000000-mapping.dmp   (PID 1180, cmd.exe)
-
memory/1332-9-0x0000000000000000-mapping.dmp   (PID 1332, notepad.exe)
-
memory/1332-10-0x0000000000220000-0x0000000000221000-memory.dmp   (PID 1332, notepad.exe; Filesize 4KB)
  The only region dump in the report, and it comes from the process that received the 23 writes from Microsoft.NET.exe; examine it first.
-
memory/1332-11-0x0000000000000000-mapping.dmp   (PID 1332, notepad.exe)
-
memory/1736-3-0x0000000000000000-mapping.dmp   (PID 1736, attrib.exe)
-
memory/1752-6-0x0000000000000000-mapping.dmp   (PID 1752, Microsoft.NET.exe)
-
memory/1972-1-0x0000000000000000-mapping.dmp   (PID 1972, cmd.exe)
-
memory/2040-2-0x0000000000000000-mapping.dmp   (PID 2040, attrib.exe)