Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-11-2020 15:32

Static task: static1
Behavioral task: behavioral1
Sample: 8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Resource: win7v20201028
General
- Target: 8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
- Size: 251KB
- MD5: 530119807d27adea9b69bcbf9aad4f0b
- SHA1: 37c487c8363d9f4e730772ceb135e1a3d330b121
- SHA256: 8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357
- SHA512: 295342c759e0da72e18e2c2967d9df4173f05d81d8dbc3472ec6e29a6cc1729008e26830e412c995ed19b94008b77cd8c61e49af26ed41006ff351afbdb867be
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Temp\\Microsoft.NET.exe"
    process: 8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
- Modifies security service (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (int)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
    process: Microsoft.NET.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid: 208
    process: Microsoft.NET.exe
- YARA rule match (upx)
  Processes:
    resource: C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe
    yara_rule: upx
    resource: C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe
    yara_rule: upx
- Windows security modification
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
    process: Microsoft.NET.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
    process: Microsoft.NET.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.NET = "C:\\Users\\Admin\\AppData\\Roaming\\Temp\\Microsoft.NET.exe"
    process: 8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid: 208
    process: Microsoft.NET.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes:
    pid 1056 (8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
    pid 208 (Microsoft.NET.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid: 208
    process: Microsoft.NET.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes (description, pid, process -> target process):
    PID 1056 wrote to memory of 400 (8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe -> cmd.exe), 3 times
    PID 1056 wrote to memory of 2928 (8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe -> cmd.exe), 3 times
    PID 1056 wrote to memory of 208 (8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe -> Microsoft.NET.exe), 3 times
    PID 400 wrote to memory of 3820 (cmd.exe -> attrib.exe), 3 times
    PID 2928 wrote to memory of 2888 (cmd.exe -> attrib.exe), 3 times
    PID 208 wrote to memory of 1372 (Microsoft.NET.exe -> notepad.exe), 22 times
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes:
    pid: 3820, process: attrib.exe
    pid: 2888, process: attrib.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe" +s +h
      - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - [2] C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe"
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe
  MD5: 530119807d27adea9b69bcbf9aad4f0b
  SHA1: 37c487c8363d9f4e730772ceb135e1a3d330b121
  SHA256: 8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357
  SHA512: 295342c759e0da72e18e2c2967d9df4173f05d81d8dbc3472ec6e29a6cc1729008e26830e412c995ed19b94008b77cd8c61e49af26ed41006ff351afbdb867be
- memory/208-2-0x0000000000000000-mapping.dmp
- memory/400-0-0x0000000000000000-mapping.dmp
- memory/1372-8-0x00000000031B0000-0x00000000031B1000-memory.dmp (Filesize: 4KB)
- memory/1372-7-0x0000000000000000-mapping.dmp
- memory/1372-9-0x0000000000000000-mapping.dmp
- memory/2888-6-0x0000000000000000-mapping.dmp
- memory/2928-1-0x0000000000000000-mapping.dmp
- memory/3820-5-0x0000000000000000-mapping.dmp