Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 16:34
Static task: static1
Behavioral task: behavioral1
  Sample: cae982c8d468fbdcafdf10c4c0ea157b.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: cae982c8d468fbdcafdf10c4c0ea157b.exe
  Resource: win10v20201028
General
- Target: cae982c8d468fbdcafdf10c4c0ea157b.exe
- Size: 1.7MB
- MD5: cae982c8d468fbdcafdf10c4c0ea157b
- SHA1: 9c55cc086ac29516a17b473dd8b23c8713dfb6fc
- SHA256: 8c69c1f98bd10df34fa03d0272da010d57169ea547646a7901dc598fa83cdaca
- SHA512: 7542c061ecd4cae53c1e22bb065d6e3e62f29d75747d677dcf8ff09e5e9f664cde7362c758ee30cede9e115e64a5fb2c90194180c93e0bb0126d4290f51ae493
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    2012  ~__UNINST.EXE
    1776  Zombie's Retreat - Beta 0.13.exe
    1792  Crypter.exe
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  Processes:
    process      description                   ioc
    Crypter.exe  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\742d9dbf218700f0b3c42d70c7e02cb9.exe
    Crypter.exe  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\742d9dbf218700f0b3c42d70c7e02cb9.exe
- Loads dropped DLL (8 IoCs)
  Processes:
    pid   process
    836   cae982c8d468fbdcafdf10c4c0ea157b.exe
    2012  ~__UNINST.EXE  (5 occurrences)
    1792  Crypter.exe    (2 occurrences)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    process      description      ioc
    Crypter.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\742d9dbf218700f0b3c42d70c7e02cb9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Crypter.exe\" .."
    Crypter.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\742d9dbf218700f0b3c42d70c7e02cb9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Crypter.exe\" .."
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes:
    description                        pid   process
    Token: SeDebugPrivilege            1792  Crypter.exe
    Token: 33                          1792  Crypter.exe  (the following pair of entries alternates 16 times)
    Token: SeIncBasePriorityPrivilege  1792  Crypter.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes:
    description      pid   process                               target pid  target process
    wrote to memory  836   cae982c8d468fbdcafdf10c4c0ea157b.exe  2012        ~__UNINST.EXE                     (7 occurrences)
    wrote to memory  2012  ~__UNINST.EXE                         1776        Zombie's Retreat - Beta 0.13.exe  (7 occurrences)
    wrote to memory  2012  ~__UNINST.EXE                         1792        Crypter.exe                       (7 occurrences)
    wrote to memory  1792  Crypter.exe                           616         netsh.exe                         (7 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\cae982c8d468fbdcafdf10c4c0ea157b.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cae982c8d468fbdcafdf10c4c0ea157b.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\~__UNINST.EXE  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\~__UNINST.EXE" C:\Users\Admin\AppData\Local\Temp\cae982c8d468fbdcafdf10c4c0ea157b.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Zombie's Retreat - Beta 0.13.exe  (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Zombie's Retreat - Beta 0.13.exe"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\Crypter.exe  (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Crypter.exe" ADN
      Signatures: Executes dropped EXE; Drops startup file; Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe  (depth 4)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Crypter.exe" "Crypter.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Crypter.exe
  MD5: a272670a02da9e6744c2172c38d9b0bf
  SHA1: 55bb1b38ce5632f1cd31dcda7ece7391d2ec607b
  SHA256: a99b6d01ff63195834e87d1e6e279d2ecfd3e87c6bcb72ed4267908f0c6a65dc
  SHA512: edc4f83a7b4958f1def1d4181d95ec41bf4128238f40b91813c8dbefd4c6f44fd3e653b6c73f3bc8d53dc08741804bcf673abb72b3d7814cd1a159adf695b1a6
- C:\Users\Admin\AppData\Local\Temp\Zombie's Retreat - Beta 0.13.exe
  MD5: 9ebc7dd20fa66f5deabfd8873a4ed8c6
  SHA1: cf1b1da0e5215738a8e972077be5804cb326b8ed
  SHA256: 487bd28f3d0b43ed9827ba519d6d113c4f31059bd62b4492da586c7bc82a9474
  SHA512: 5d0a052edec070ee573bc43ed9eb7eb92c0460efe60a5abc31d1200e092937b91eafce5492cd945d46645f9029f0f80a37907fe6292639d37f15f58dae377271
- C:\Users\Admin\AppData\Local\Temp\~__UNINST.EXE
  MD5: cae982c8d468fbdcafdf10c4c0ea157b
  SHA1: 9c55cc086ac29516a17b473dd8b23c8713dfb6fc
  SHA256: 8c69c1f98bd10df34fa03d0272da010d57169ea547646a7901dc598fa83cdaca
  SHA512: 7542c061ecd4cae53c1e22bb065d6e3e62f29d75747d677dcf8ff09e5e9f664cde7362c758ee30cede9e115e64a5fb2c90194180c93e0bb0126d4290f51ae493
- \Users\Admin\AppData\Local\Temp\Crypter.exe
  MD5: a272670a02da9e6744c2172c38d9b0bf
  SHA1: 55bb1b38ce5632f1cd31dcda7ece7391d2ec607b
  SHA256: a99b6d01ff63195834e87d1e6e279d2ecfd3e87c6bcb72ed4267908f0c6a65dc
  SHA512: edc4f83a7b4958f1def1d4181d95ec41bf4128238f40b91813c8dbefd4c6f44fd3e653b6c73f3bc8d53dc08741804bcf673abb72b3d7814cd1a159adf695b1a6
- \Users\Admin\AppData\Local\Temp\Zombie's Retreat - Beta 0.13.exe
  MD5: 9ebc7dd20fa66f5deabfd8873a4ed8c6
  SHA1: cf1b1da0e5215738a8e972077be5804cb326b8ed
  SHA256: 487bd28f3d0b43ed9827ba519d6d113c4f31059bd62b4492da586c7bc82a9474
  SHA512: 5d0a052edec070ee573bc43ed9eb7eb92c0460efe60a5abc31d1200e092937b91eafce5492cd945d46645f9029f0f80a37907fe6292639d37f15f58dae377271
- \Users\Admin\AppData\Local\Temp\~__UNINST.EXE
  MD5: cae982c8d468fbdcafdf10c4c0ea157b
  SHA1: 9c55cc086ac29516a17b473dd8b23c8713dfb6fc
  SHA256: 8c69c1f98bd10df34fa03d0272da010d57169ea547646a7901dc598fa83cdaca
  SHA512: 7542c061ecd4cae53c1e22bb065d6e3e62f29d75747d677dcf8ff09e5e9f664cde7362c758ee30cede9e115e64a5fb2c90194180c93e0bb0126d4290f51ae493
- memory/616-27-0x0000000000000000-mapping.dmp
- memory/1776-10-0x0000000000000000-mapping.dmp
- memory/1792-19-0x0000000000D20000-0x0000000000D21000-memory.dmp  Filesize: 4KB
- memory/1792-18-0x0000000074460000-0x0000000074B4E000-memory.dmp  Filesize: 6.9MB
- memory/1792-21-0x0000000000640000-0x0000000000657000-memory.dmp  Filesize: 92KB
- memory/1792-22-0x0000000000460000-0x0000000000461000-memory.dmp  Filesize: 4KB
- memory/1792-23-0x0000000000480000-0x0000000000489000-memory.dmp  Filesize: 36KB
- memory/1792-13-0x0000000000000000-mapping.dmp
- memory/2012-3-0x0000000000000000-mapping.dmp