Analysis
- max time kernel: 152s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 28-02-2021 09:13
Static task: static1
Behavioral task: behavioral1
Sample: 6b0e5c2c2ada15f3690393c85b80e58165a1e4f2d6736c8a76b3995c899c623d.exe
Resource: win7v20201028
General
- Target: 6b0e5c2c2ada15f3690393c85b80e58165a1e4f2d6736c8a76b3995c899c623d.exe
- Size: 1.1MB
- MD5: 5729a288911e360d25be9cd642356192
- SHA1: 1063e58f7d6165f041307b68477eeb41a04358d6
- SHA256: 6b0e5c2c2ada15f3690393c85b80e58165a1e4f2d6736c8a76b3995c899c623d
- SHA512: c42fe9f4e391e39ecd226057991c54247c63df8388af973e3088aa4ac516add3229626870e09303473a50120d4b13db8cf19c14e720e51bd443d164a1cb7da02
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: pid 1568 server.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (4 IoCs)
  Process: server.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\960b0c14ade9b250558af4a4df5c1afaWindows Update.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\960b0c14ade9b250558af4a4df5c1afaWindows Update.exe
- Loads dropped DLL (2 IoCs)
  Process: pid 1340 6b0e5c2c2ada15f3690393c85b80e58165a1e4f2d6736c8a76b3995c899c623d.exe (2 events)
- Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory (2 IoCs)
  Process: server.exe
  File created: C:\Windows\SysWOW64\Explower.exe
  File opened for modification: C:\Windows\SysWOW64\Explower.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (16 IoCs)
  Processes: pid 1340 6b0e5c2c2ada15f3690393c85b80e58165a1e4f2d6736c8a76b3995c899c623d.exe (2 events), pid 1568 server.exe (14 events)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: pid 1568 server.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Process: pid 1568 server.exe
  Token: SeDebugPrivilege (once), then Token: 33 and Token: SeIncBasePriorityPrivilege alternating (16 events each)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: pid 1340 6b0e5c2c2ada15f3690393c85b80e58165a1e4f2d6736c8a76b3995c899c623d.exe, pid 1568 server.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1340 (6b0e5c2c2ada15f3690393c85b80e58165a1e4f2d6736c8a76b3995c899c623d.exe) wrote to memory of PID 1568 (server.exe): 4 events
  PID 1568 (server.exe) wrote to memory of PID 1488 (netsh.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\6b0e5c2c2ada15f3690393c85b80e58165a1e4f2d6736c8a76b3995c899c623d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b0e5c2c2ada15f3690393c85b80e58165a1e4f2d6736c8a76b3995c899c623d.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: 5729a288911e360d25be9cd642356192
  SHA1: 1063e58f7d6165f041307b68477eeb41a04358d6
  SHA256: 6b0e5c2c2ada15f3690393c85b80e58165a1e4f2d6736c8a76b3995c899c623d
  SHA512: c42fe9f4e391e39ecd226057991c54247c63df8388af973e3088aa4ac516add3229626870e09303473a50120d4b13db8cf19c14e720e51bd443d164a1cb7da02
  The same file, with identical hashes, is also recorded at \??\c:\users\admin\appdata\local\temp\server.exe and \Users\Admin\AppData\Local\Temp\server.exe. These hashes match the submitted sample, so the dropped server.exe is a copy of the sample itself.
- C:\Users\Admin\AppData\Roaming\app
  MD5: 7eb860abfe2281298575b5216ef42bc6
  SHA1: d4dfd7ac22dcd07da34306c40b4e5367a969cda5
  SHA256: 83d46461bf45f00cb4fc5df9679b2bd82dbf54eeb022ca1711eefb4b2e7b7689
  SHA512: 427bfc41f0514ee10d400eea38f22f6fac6f9d5ecd84ad7adb1161ff9355e47c04ff411e172fafcd23c137ad1528ed2f2cb95d247613ae5550c089633f18994d
- memory/1340-5-0x00000000030E0000-0x00000000030E1000-memory.dmp (filesize 4KB)
- memory/1340-2-0x0000000076691000-0x0000000076693000-memory.dmp (filesize 8KB)
- memory/1340-4-0x0000000002CE0000-0x0000000002CF1000-memory.dmp (filesize 68KB)
- memory/1340-3-0x0000000002B30000-0x0000000002B41000-memory.dmp (filesize 68KB)
- memory/1488-16-0x0000000000000000-mapping.dmp
- memory/1568-8-0x0000000000000000-mapping.dmp
- memory/1568-12-0x0000000002C00000-0x0000000002C11000-memory.dmp (filesize 68KB)
- memory/1568-13-0x0000000002D10000-0x0000000002D21000-memory.dmp (filesize 68KB)
- memory/1568-15-0x0000000003070000-0x0000000003071000-memory.dmp (filesize 4KB)