6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9

Analysis

max time kernel
150s
max time network
15s
platform
windows7_x64
resource
win7v20201028
submitted
28-02-2021 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
Size

5.0MB
MD5

25c689e345e4f8112008edeeb50e5b54
SHA1

bd714c54c874280963f49d9c9b0965afb676368b
SHA256

6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9
SHA512

acd526c5ba60d43672963dceac8ab151d1e74f3f46180b2f5fbb7be377b7a1aba0ce8116e3f4b93f7beab33d265bdf210335b407d4fd5f1c09c6141a4be621fc

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Server.sfx.exeServer.exeInject32.exe

pid process

2028 Server.sfx.exe
1052 Server.exe
1032 Inject32.exe

pid	process
2028	Server.sfx.exe
1052	Server.exe
1032	Inject32.exe

Drops startup file 2 IoCs

Processes:

Inject32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Inject32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Inject32.exe

Loads dropped DLL 5 IoCs

Processes:

6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exeServer.sfx.exeServer.exe

pid	process
1828	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
2028	Server.sfx.exe
2028	Server.sfx.exe
2028	Server.sfx.exe
1052	Server.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe

pid process

1828 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe

pid process

1828 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Inject32.exe

pid process

1032 Inject32.exe

pid	process
1032	Inject32.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

Inject32.exe

description	pid	process
Token: SeDebugPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe
Token: 33	1032	Inject32.exe
Token: SeIncBasePriorityPrivilege	1032	Inject32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exeServer.sfx.exeServer.exe

description	pid	process	target process
PID 1828 wrote to memory of 2028	1828	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	Server.sfx.exe
PID 1828 wrote to memory of 2028	1828	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	Server.sfx.exe
PID 1828 wrote to memory of 2028	1828	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	Server.sfx.exe
PID 1828 wrote to memory of 2028	1828	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	Server.sfx.exe
PID 1828 wrote to memory of 1292	1828	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	NOTEPAD.EXE
PID 1828 wrote to memory of 1292	1828	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	NOTEPAD.EXE
PID 1828 wrote to memory of 1292	1828	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	NOTEPAD.EXE
PID 1828 wrote to memory of 1292	1828	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	NOTEPAD.EXE
PID 2028 wrote to memory of 1052	2028	Server.sfx.exe	Server.exe
PID 2028 wrote to memory of 1052	2028	Server.sfx.exe	Server.exe
PID 2028 wrote to memory of 1052	2028	Server.sfx.exe	Server.exe
PID 2028 wrote to memory of 1052	2028	Server.sfx.exe	Server.exe
PID 1052 wrote to memory of 1032	1052	Server.exe	Inject32.exe
PID 1052 wrote to memory of 1032	1052	Server.exe	Inject32.exe
PID 1052 wrote to memory of 1032	1052	Server.exe	Inject32.exe
PID 1052 wrote to memory of 1032	1052	Server.exe	Inject32.exe

C:\Users\Admin\AppData\Local\Temp\6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
"C:\Users\Admin\AppData\Local\Temp\6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\AppData\Local\Temp\Inject32.exe
"C:\Users\Admin\AppData\Local\Temp\Inject32.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.txt
2⤵
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inject32.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inject32.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe
MD5
ef2f61fbe6f5595ca042d395ec9a25fd

SHA1
99958a935817acaac882de0ef440533b6641cb77

SHA256
622903bac5905919baea79ae8143c166c297658b2696a0129aedee6a93e6d6a9

SHA512
b34f3f43bb9568e2cc2f54ba2e1bd54e295266c6679b236f1dff7a2beb7f76dff190d4d000e0062e186ad198932b2d13a01762833aaf23c7c01f2e2106587d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe
MD5
ef2f61fbe6f5595ca042d395ec9a25fd

SHA1
99958a935817acaac882de0ef440533b6641cb77

SHA256
622903bac5905919baea79ae8143c166c297658b2696a0129aedee6a93e6d6a9

SHA512
b34f3f43bb9568e2cc2f54ba2e1bd54e295266c6679b236f1dff7a2beb7f76dff190d4d000e0062e186ad198932b2d13a01762833aaf23c7c01f2e2106587d9e

Download Submit
\Users\Admin\AppData\Local\Temp\Inject32.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
\Users\Admin\AppData\Local\Temp\Server.sfx.exe
MD5
ef2f61fbe6f5595ca042d395ec9a25fd

SHA1
99958a935817acaac882de0ef440533b6641cb77

SHA256
622903bac5905919baea79ae8143c166c297658b2696a0129aedee6a93e6d6a9

SHA512
b34f3f43bb9568e2cc2f54ba2e1bd54e295266c6679b236f1dff7a2beb7f76dff190d4d000e0062e186ad198932b2d13a01762833aaf23c7c01f2e2106587d9e

Download Submit
memory/1032-22-0x0000000000000000-mapping.dmp

Download
memory/1032-26-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/1052-16-0x0000000000000000-mapping.dmp

Download
memory/1052-20-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1292-8-0x0000000000000000-mapping.dmp

Download
memory/1828-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1828-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1828-3-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/2028-6-0x0000000000000000-mapping.dmp

Download