Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 12:47
Static task: static1
Behavioral task: behavioral1 (sample af44aa313103ca0f0b8fc6062c761ec7.exe, resource win7v20201028)
Behavioral task: behavioral2 (sample af44aa313103ca0f0b8fc6062c761ec7.exe, resource win10v20201028)
General
- Target: af44aa313103ca0f0b8fc6062c761ec7.exe
- Size: 233KB
- MD5: af44aa313103ca0f0b8fc6062c761ec7
- SHA1: bb8932b35fa03906660ea71675e7db445f1256c0
- SHA256: 72810f2bd35fd54d8fca2fba3b626dd86983d805df4e9e737b8b76cfc8e8c613
- SHA512: da2d2f1e389c948980c5bfb34ba4cc2a840ad189d1f283c7de2a18bf3e8438430e20a38c9ae69e333e4fb48d72c74814fc92470bf8b2575bfa90e54b69746829
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  System32.exe, PID 984
- Modifies Windows Firewall (1 TTP)
  Evidence: the netsh.exe command line under Processes.
- Drops startup file (2 IoCs)
  System32.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf0ad6aa5c5016fd4654ce9b75cef8b.exe
  System32.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf0ad6aa5c5016fd4654ce9b75cef8b.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  System32.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcf0ad6aa5c5016fd4654ce9b75cef8b = "C:\Users\Admin\AppData\Local\Temp\System32.exe" ..
  System32.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcf0ad6aa5c5016fd4654ce9b75cef8b = "C:\Users\Admin\AppData\Local\Temp\System32.exe" ..
  (Values shown unescaped. The value name is the same 32-hex identifier as the Startup-folder filename, and both the per-user and the machine-wide Run key launch the %TEMP% copy with a trailing ".." argument. Writing the HKLM key normally requires administrative rights, which the sandbox's Admin account supplies; on a standard-user host expect only the per-user entry.)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature; nothing else in this report, such as mass file writes or renames, supports a ransomware classification.)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  System32.exe, PID 984: Token: SeDebugPrivilege once, then alternating Token: 33 and Token: SeIncBasePriorityPrivilege entries for the remaining 34.
  (The sandbox reports privilege 33 by number; in winnt.h, 33 is SE_INC_WORKING_SET_PRIVILEGE, i.e. SeIncreaseWorkingSetPrivilege. The repeated working-set/base-priority pair is what a process does when adjusting its own priority or working set; the single SeDebugPrivilege enable is the one that matters, since it lets the process open other processes with full access.)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1316 (af44aa313103ca0f0b8fc6062c761ec7.exe) wrote to memory of PID 984 (System32.exe), two entries
  PID 984 (System32.exe) wrote to memory of PID 1044 (netsh.exe), two entries
  (Both targets are children the writer had just created; parent-to-child writes of this kind accompany ordinary process creation and are not by themselves evidence of code injection.)
Processes
1. C:\Users\Admin\AppData\Local\Temp\af44aa313103ca0f0b8fc6062c761ec7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\af44aa313103ca0f0b8fc6062c761ec7.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\System32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\System32.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SYSTEM32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE

The chain is: the submitted sample copies itself to %TEMP% under the name System32.exe (chosen to resemble the Windows system directory), runs the copy, and the copy registers the %TEMP% path as a Windows Firewall allowed program. "netsh firewall" is the legacy, pre-advfirewall context; it is deprecated but still functional on Windows 10, and the resulting exception lets inbound connections reach the copy through the host firewall.
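Detection logic for the behaviours in this report (Run key pointing into a user-writable directory, Startup-folder drop, netsh firewall exception, and a user-writable binary launching another), as an added example that is not part of the sandbox report or its signature engine. It runs over constructed Sysmon-style events that mirror the IoCs above plus two benign control events; the field names follow Sysmon EventID 1, 11 and 13, while the event set, the rule names and the list of user-writable directories are this example's own assumptions.

```python
"""Detection logic over constructed Sysmon-style events mirroring this report.
Added example: not part of the sandbox report or its signature engine.
Field names follow Sysmon EventID 1 (ProcessCreate), 11 (FileCreate) and
13 (RegistryEvent, value set). The events, rule names and the list of
user-writable directories are this example's own assumptions."""
import re

# Heuristic: directories a standard user can write to (assumption, not from the report).
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData)\\", re.I)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Legacy 'netsh firewall' syntax (as in the report) and the newer advfirewall form.
NETSH_ALLOW = re.compile(
    r"\bfirewall\s+add\s+allowedprogram\b|\badvfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b",
    re.I)
NETSH_PROGRAM = re.compile(r'(?:allowedprogram\s+|\bprogram=)(?:"([^"]+)"|(\S+))', re.I)

# Constructed events (not captured telemetry): the report's IoCs plus benign controls.
EVENTS = [
    {"EventID": 1, "ProcessId": 984, "ParentProcessId": 1316,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\System32.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\af44aa313103ca0f0b8fc6062c761ec7.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\System32.exe"'},
    {"EventID": 11, "ProcessId": 984, "Image": r"C:\Users\Admin\AppData\Local\Temp\System32.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf0ad6aa5c5016fd4654ce9b75cef8b.exe"},
    {"EventID": 13, "ProcessId": 984, "Image": r"C:\Users\Admin\AppData\Local\Temp\System32.exe",
     "TargetObject": r"HKU\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcf0ad6aa5c5016fd4654ce9b75cef8b",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\System32.exe" ..'},
    {"EventID": 13, "ProcessId": 984, "Image": r"C:\Users\Admin\AppData\Local\Temp\System32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcf0ad6aa5c5016fd4654ce9b75cef8b",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\System32.exe" ..'},
    {"EventID": 1, "ProcessId": 1044, "ParentProcessId": 984,
     "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\System32.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE'},
    # Benign controls: a Run key under Program Files, and netsh used for something harmless.
    {"EventID": 13, "ProcessId": 500, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "ProcessId": 600, "ParentProcessId": 400, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "netsh interface show interface"},
]


def first_token(cmd: str) -> str:
    """Return the first argument of a Windows command line, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """One finding per matching event. 'actor' is the PID held responsible:
    the writing/dropping process, or netsh's parent for a firewall change."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            target = first_token(ev["Details"])
            if USER_WRITABLE.search(target):
                findings.append({"rule": "run_key_user_writable", "actor": ev["ProcessId"],
                                 "evidence": ev["TargetObject"] + " -> " + target})
        elif eid == 11 and STARTUP_DIR.search(ev["TargetFilename"]):
            findings.append({"rule": "startup_folder_drop", "actor": ev["ProcessId"],
                             "evidence": ev["TargetFilename"]})
        elif eid == 1:
            if basename(ev["Image"]) == "netsh.exe" and NETSH_ALLOW.search(ev["CommandLine"]):
                m = NETSH_PROGRAM.search(ev["CommandLine"])
                prog = (m.group(1) or m.group(2)) if m else ""
                findings.append({"rule": "netsh_firewall_allow", "actor": ev["ParentProcessId"],
                                 "evidence": prog, "user_writable": bool(USER_WRITABLE.search(prog))})
            elif USER_WRITABLE.search(ev["Image"]) and USER_WRITABLE.search(ev["ParentImage"]):
                findings.append({"rule": "exec_from_user_writable", "actor": ev["ProcessId"],
                                 "evidence": ev["ParentImage"] + " -> " + ev["Image"]})
    return findings


def correlate(findings, min_rules=2):
    """Map actor PID -> set of distinct rules hit; keep actors with >= min_rules."""
    by_actor = {}
    for f in findings:
        by_actor.setdefault(f["actor"], set()).add(f["rule"])
    return {pid: rules for pid, rules in by_actor.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(EVENTS)
    for h in hits:
        print(h["rule"], h["actor"], h["evidence"])
    print("correlated:", correlate(hits))
```

Each rule on its own is noisy on a real fleet (installers write Run keys, admins run netsh); the correlation step is what turns this report's chain into an alert, because a single actor PID (984 here) drops into the Startup folder, writes a Run key into %TEMP%, and has its parent-child netsh exception all attributed to it, while the OneDrive Run key and the harmless netsh call produce nothing.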
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\System32.exe
  MD5: af44aa313103ca0f0b8fc6062c761ec7
  SHA1: bb8932b35fa03906660ea71675e7db445f1256c0
  SHA256: 72810f2bd35fd54d8fca2fba3b626dd86983d805df4e9e737b8b76cfc8e8c613
  SHA512: da2d2f1e389c948980c5bfb34ba4cc2a840ad189d1f283c7de2a18bf3e8438430e20a38c9ae69e333e4fb48d72c74814fc92470bf8b2575bfa90e54b69746829
  (The report lists this file twice with identical hashes; it is shown once here. All four hashes match the submitted sample, so the dropped System32.exe is a byte-for-byte self-copy of af44aa313103ca0f0b8fc6062c761ec7.exe, and the same hash-based blocklist entry covers both.)
-
memory/984-6-0x0000000000000000-mapping.dmp
-
memory/984-9-0x00007FF8DA440000-0x00007FF8DAE2C000-memory.dmpFilesize
9.9MB
-
memory/1044-13-0x0000000000000000-mapping.dmp
-
memory/1316-2-0x00007FF8DA440000-0x00007FF8DAE2C000-memory.dmpFilesize
9.9MB
-
memory/1316-3-0x0000000000D80000-0x0000000000D81000-memory.dmpFilesize
4KB
-
memory/1316-5-0x00000000014D0000-0x00000000014D8000-memory.dmpFilesize
32KB