Analysis

Max time kernel: 146s
Max time network: 147s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 28-02-2021 07:24

Static task: static1
Behavioral task: behavioral1
Sample: d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a.exe
Resource: win7v20201028
General

Target: d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a.exe
Size: 1.1MB
MD5: e8cb16902d3100e0833ef9c4367fe17b
SHA1: b639ffb519f85b4db9987daadfbe6e458e986c25
SHA256: d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a
SHA512: 084f6f87a3d180cc3f37c5416a2744aefe3295da2ee5a88125468740e51cb6e93f518cb6143b5035c7fa515d0e01fdbcb9f12280857deb2d612c7c67850e7a9e
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  PID  | Process
  1772 | server.exe

Modifies Windows Firewall (1 TTP)

Drops startup file (4 IoCs)
Processes:
  Description                  | IoC                                                                                                        | Process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\960b0c14ade9b250558af4a4df5c1afaWindows Update.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\960b0c14ade9b250558af4a4df5c1afaWindows Update.exe | server.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe                           | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe                           | server.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID | Process
  292 | d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a.exe
  292 | d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a.exe
Drops autorun.inf file (1 TTP)
Malware can abuse Windows Autorun to spread further via attached volumes.

Drops file in System32 directory (2 IoCs)
Processes:
  Description                  | IoC                            | Process
  File opened for modification | C:\Windows\SysWOW64\Explower.exe | server.exe
  File created                 | C:\Windows\SysWOW64\Explower.exe | server.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (16 IoCs)
Processes:
  PID  | Process                                                               | Occurrences
  292  | d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a.exe | 1
  1772 | server.exe                                                            | 15
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID  | Process
  1772 | server.exe

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes:
  Description                         | PID  | Process
  Token: SeDebugPrivilege             | 1772 | server.exe
  Token: 33                           | 1772 | server.exe (16 occurrences, alternating with the row below)
  Token: SeIncBasePriorityPrivilege   | 1772 | server.exe (16 occurrences, alternating with the row above)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  PID  | Process
  292  | d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a.exe
  1772 | server.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  Description                       | PID  | Process                                                               | Target process
  PID 292 wrote to memory of 1772   | 292  | d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a.exe | server.exe (4 occurrences)
  PID 1772 wrote to memory of 1476  | 1772 | server.exe                                                            | netsh.exe (4 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a.exe (PID 292)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a.exe"
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\server.exe (PID 1772, child of PID 292)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (PID 1476, child of PID 1772)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
(also recorded under the paths \??\c:\users\admin\appdata\local\temp\server.exe and \Users\Admin\AppData\Local\Temp\server.exe; the hashes match the submitted sample exactly)
  MD5: e8cb16902d3100e0833ef9c4367fe17b
  SHA1: b639ffb519f85b4db9987daadfbe6e458e986c25
  SHA256: d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a
  SHA512: 084f6f87a3d180cc3f37c5416a2744aefe3295da2ee5a88125468740e51cb6e93f518cb6143b5035c7fa515d0e01fdbcb9f12280857deb2d612c7c67850e7a9e

C:\Users\Admin\AppData\Roaming\app
  MD5: 7eb860abfe2281298575b5216ef42bc6
  SHA1: d4dfd7ac22dcd07da34306c40b4e5367a969cda5
  SHA256: 83d46461bf45f00cb4fc5df9679b2bd82dbf54eeb022ca1711eefb4b2e7b7689
  SHA512: 427bfc41f0514ee10d400eea38f22f6fac6f9d5ecd84ad7adb1161ff9355e47c04ff411e172fafcd23c137ad1528ed2f2cb95d247613ae5550c089633f18994d
memory/292-5-0x0000000002A20000-0x0000000002A21000-memory.dmp   Filesize: 4KB
memory/292-2-0x0000000076861000-0x0000000076863000-memory.dmp   Filesize: 8KB
memory/292-4-0x0000000002BC0000-0x0000000002BD1000-memory.dmp   Filesize: 68KB
memory/292-3-0x0000000002960000-0x0000000002971000-memory.dmp   Filesize: 68KB
memory/1476-18-0x0000000000000000-mapping.dmp
memory/1772-10-0x0000000000000000-mapping.dmp
memory/1772-14-0x0000000002A50000-0x0000000002A61000-memory.dmp  Filesize: 68KB
memory/1772-15-0x0000000002CB0000-0x0000000002CC1000-memory.dmp  Filesize: 68KB
memory/1772-17-0x0000000003060000-0x0000000003061000-memory.dmp  Filesize: 4KB