Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7v20201028
submitted: 14-12-2020 12:47
Static task: static1
Behavioral task: behavioral1
  Sample: af44aa313103ca0f0b8fc6062c761ec7.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: af44aa313103ca0f0b8fc6062c761ec7.exe
  Resource: win10v20201028
General
Target: af44aa313103ca0f0b8fc6062c761ec7.exe
Size: 233KB
MD5: af44aa313103ca0f0b8fc6062c761ec7
SHA1: bb8932b35fa03906660ea71675e7db445f1256c0
SHA256: 72810f2bd35fd54d8fca2fba3b626dd86983d805df4e9e737b8b76cfc8e8c613
SHA512: da2d2f1e389c948980c5bfb34ba4cc2a840ad189d1f283c7de2a18bf3e8438430e20a38c9ae69e333e4fb48d72c74814fc92470bf8b2575bfa90e54b69746829
Malware Config
Signatures
Executes dropped EXE (IoCs: 1)
  pid 1328, process System32.exe
Modifies Windows Firewall (TTPs: 1)
Drops startup file (IoCs: 2)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf0ad6aa5c5016fd4654ce9b75cef8b.exe (process System32.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf0ad6aa5c5016fd4654ce9b75cef8b.exe (process System32.exe)
Adds Run key to start application (TTPs: 2, IoCs: 2)
  Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcf0ad6aa5c5016fd4654ce9b75cef8b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .." (process System32.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcf0ad6aa5c5016fd4654ce9b75cef8b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .." (process System32.exe)
Enumerates physical storage devices (TTPs: 1)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (IoCs: 31)
  Token: SeDebugPrivilege, pid 1328, process System32.exe (1 occurrence)
  Token: 33, pid 1328, process System32.exe (15 occurrences)
  Token: SeIncBasePriorityPrivilege, pid 1328, process System32.exe (15 occurrences)
Suspicious use of WriteProcessMemory (IoCs: 6)
  PID 760 (af44aa313103ca0f0b8fc6062c761ec7.exe) wrote to memory of PID 1328 (System32.exe), 3 occurrences
  PID 1328 (System32.exe) wrote to memory of PID 848 (netsh.exe), 3 occurrences
Processes
C:\Users\Admin\AppData\Local\Temp\af44aa313103ca0f0b8fc6062c761ec7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\af44aa313103ca0f0b8fc6062c761ec7.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\System32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\System32.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\System32.exe
  MD5: af44aa313103ca0f0b8fc6062c761ec7
  SHA1: bb8932b35fa03906660ea71675e7db445f1256c0
  SHA256: 72810f2bd35fd54d8fca2fba3b626dd86983d805df4e9e737b8b76cfc8e8c613
  SHA512: da2d2f1e389c948980c5bfb34ba4cc2a840ad189d1f283c7de2a18bf3e8438430e20a38c9ae69e333e4fb48d72c74814fc92470bf8b2575bfa90e54b69746829
memory/760-2-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp (Filesize: 9.9MB)
memory/760-3-0x00000000011E0000-0x00000000011E1000-memory.dmp (Filesize: 4KB)
memory/760-5-0x0000000000150000-0x0000000000158000-memory.dmp (Filesize: 32KB)
memory/848-13-0x0000000000000000-mapping.dmp
memory/1328-6-0x0000000000000000-mapping.dmp
memory/1328-9-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp (Filesize: 9.9MB)
memory/1328-10-0x0000000000D90000-0x0000000000D91000-memory.dmp (Filesize: 4KB)