Analysis
- max time kernel: 148s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 28-02-2021 07:18
Static task: static1
Behavioral task: behavioral1
  Sample: 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
  Resource: win10v20201028
General
- Target: 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
- Size: 5.0MB
- MD5: 25c689e345e4f8112008edeeb50e5b54
- SHA1: bd714c54c874280963f49d9c9b0965afb676368b
- SHA256: 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9
- SHA512: acd526c5ba60d43672963dceac8ab151d1e74f3f46180b2f5fbb7be377b7a1aba0ce8116e3f4b93f7beab33d265bdf210335b407d4fd5f1c09c6141a4be621fc
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    3136 | Server.sfx.exe
    1656 | Server.exe
    3968 | Inject32.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | Inject32.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | Inject32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid | process):
    492 | 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    492 | 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
    492 | 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes (pid | process):
    1656 | Server.exe
    3968 | Inject32.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
    Token: 33 | 3968 | Inject32.exe
    Token: SeIncBasePriorityPrivilege | 3968 | Inject32.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 492 wrote to memory of 3136 | 492 | 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe | Server.sfx.exe
    PID 492 wrote to memory of 3136 | 492 | 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe | Server.sfx.exe
    PID 492 wrote to memory of 3136 | 492 | 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe | Server.sfx.exe
    PID 492 wrote to memory of 3772 | 492 | 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe | NOTEPAD.EXE
    PID 492 wrote to memory of 3772 | 492 | 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe | NOTEPAD.EXE
    PID 492 wrote to memory of 3772 | 492 | 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe | NOTEPAD.EXE
    PID 3136 wrote to memory of 1656 | 3136 | Server.sfx.exe | Server.exe
    PID 3136 wrote to memory of 1656 | 3136 | Server.sfx.exe | Server.exe
    PID 3136 wrote to memory of 1656 | 3136 | Server.sfx.exe | Server.exe
    PID 1656 wrote to memory of 3968 | 1656 | Server.exe | Inject32.exe
    PID 1656 wrote to memory of 3968 | 1656 | Server.exe | Inject32.exe
    PID 1656 wrote to memory of 3968 | 1656 | Server.exe | Inject32.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\Inject32.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Inject32.exe"
        - Executes dropped EXE
        - Drops startup file
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.txt
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\.txt
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Local\Temp\Inject32.exe
  MD5: 92fdab908d9711e7a36872207f0a6a67
  SHA1: b356e253edaf807059b1ea4a15d8b26e4a8e4c0e
  SHA256: 252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c
  SHA512: 4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  MD5: 92fdab908d9711e7a36872207f0a6a67
  SHA1: b356e253edaf807059b1ea4a15d8b26e4a8e4c0e
  SHA256: 252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c
  SHA512: 4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120
- C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe
  MD5: ef2f61fbe6f5595ca042d395ec9a25fd
  SHA1: 99958a935817acaac882de0ef440533b6641cb77
  SHA256: 622903bac5905919baea79ae8143c166c297658b2696a0129aedee6a93e6d6a9
  SHA512: b34f3f43bb9568e2cc2f54ba2e1bd54e295266c6679b236f1dff7a2beb7f76dff190d4d000e0062e186ad198932b2d13a01762833aaf23c7c01f2e2106587d9e
- memory/492-7-0x0000000000C60000-0x0000000000C61000-memory.dmp
  Filesize: 4KB
- memory/492-2-0x0000000000C70000-0x0000000000C71000-memory.dmp
  Filesize: 4KB
- memory/1656-9-0x0000000000000000-mapping.dmp
- memory/1656-12-0x0000000002790000-0x0000000002791000-memory.dmp
  Filesize: 4KB
- memory/3136-3-0x0000000000000000-mapping.dmp
- memory/3772-5-0x0000000000000000-mapping.dmp
- memory/3968-13-0x0000000000000000-mapping.dmp
- memory/3968-16-0x0000000002F90000-0x0000000002F91000-memory.dmp
  Filesize: 4KB