Analysis
- max time kernel: 6s
- max time network: 144s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-03-2021 13:53
Static task: static1
Behavioral task: behavioral1
- Sample: aabec071683f901b14319f1e4e5ba6c8.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: aabec071683f901b14319f1e4e5ba6c8.exe
- Resource: win10v20201028
The signatures, process tree and dropped files below are from behavioral1, the windows7_x64 run named in the Analysis block.
General
- Target: aabec071683f901b14319f1e4e5ba6c8.exe
- Size: 112KB
- MD5: aabec071683f901b14319f1e4e5ba6c8
- SHA1: 29dd74f3c7b908336a7482e34fbc46700fb51660
- SHA256: 3b15bfa331b523700de1c0fefe9cc4a84d1c2263087d5b4028209a8707db5436
- SHA512: 5152a8142eaadf821fbe1e5817ba60e3848ecf57ef710dc874e010d98eedecf3d17ebe0751acc761c4a56c12176be82de3ce0c82d8525eb5620cbacd207cc50a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   process
  1008  serivces.exe
- Sets DLL path for service in the registry (2 TTPs)
  No IoC rows are recorded for this signature. Read together with the process tree (svchost.exe -k "serivces" loading a dropped DLL), it is most likely the ServiceDll registration that makes the service host load the dropped DLL for the "serivces" group.
- Deletes itself (1 IoC)
  pid   process
  1776  cmd.exe
  The deletion is performed by the cmd.exe child (ping 127.0.0.1 -n 1 && del /f/q <sample>, see the process tree). The ping is only a delay so that the parent has exited and released its image before del runs.
- Loads dropped DLL (7 IoCs)
  pid   process                               loads
  1684  aabec071683f901b14319f1e4e5ba6c8.exe  1
  1936  svchost.exe                           2
  1008  serivces.exe                          4
- Drops file in System32 directory (2 IoCs)
  description                   ioc                               process
  File created                  C:\Windows\SysWOW64\serivces.exe  svchost.exe
  File opened for modification  C:\Windows\SysWOW64\serivces.exe  svchost.exe
  Note the name: "serivces.exe" transposes two letters of services.exe, and SysWOW64 places it beside the real 32-bit system binaries.
- Drops file in Windows directory (1 IoC)
  description   ioc                             process
  File created  C:\Windows\fonts\259261618.dll  aabec071683f901b14319f1e4e5ba6c8.exe
  A DLL in the Fonts directory is unusual enough to be a hunting filter on its own.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That sentence is the sandbox's generic description of the signature. Nothing else in this report (no mass file modification, no ransom note, no encryption-related signature) supports a ransomware classification, so treat it as drive enumeration, not as a verdict.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                  process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       serivces.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  serivces.exe
  The ~MHz value is a common VM/sandbox check (some virtualised or throttled guests report implausible clock speeds), but benign timing code reads it too, so it is a weak indicator on its own.
- Modifies data under HKEY_USERS (6 IoCs)
  description      ioc                                                                          process
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum               serivces.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"  serivces.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum               serivces.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software                                             serivces.exe
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft                                   serivces.exe
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie                       serivces.exe
  Two things can be read out of these rows. The keys sit under HKEY_USERS\.DEFAULT, the profile used by LocalSystem, so serivces.exe is running as a service, consistent with its svchost.exe parent. ActiveMovie\devenum\Version is the key the DirectShow device enumerator (devenum.dll) writes when a process enumerates capture or rendering filters, which points to the payload probing audio/video devices rather than to deliberate registry tampering.
- Runs ping.exe (1 TTP, 1 IoC)
  No IoC rows are recorded; the invocation is ping 127.0.0.1 -n 1 (pid 1780) in the process tree, used purely as the delay for the self-delete command.
- Suspicious behavior: EnumeratesProcesses (52 IoCs)
  pid   process                               count
  1684  aabec071683f901b14319f1e4e5ba6c8.exe  1
  1008  serivces.exe                          51
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1684  aabec071683f901b14319f1e4e5ba6c8.exe
  SeIncBasePriorityPrivilege is what a process needs to raise its own or a child's scheduling priority; on its own it is low-signal.
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  1684  aabec071683f901b14319f1e4e5ba6c8.exe
  The report does not record the hook type, so whether this is a keyboard hook (keylogging) or a DLL-injecting hook cannot be told from this page.
- Suspicious use of WriteProcessMemory (12 IoCs)
  pid   process                               target pid  target process  writes
  1684  aabec071683f901b14319f1e4e5ba6c8.exe  1776        cmd.exe         4
  1776  cmd.exe                               1780        PING.EXE        4
  1936  svchost.exe                           1008        serivces.exe    4
  Every row is a parent writing into a child it has just created, which CreateProcess does as part of process setup. None of the three pairs shows writes into an unrelated process, so this signature does not by itself indicate injection.
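The "Sets DLL path for service in the registry" signature has no IoC rows, so the registration itself has to be recovered from the host. The following is an added example, not part of the sandbox report or of any tool the report names: it parses the text of a reg export of HKLM\SYSTEM\CurrentControlSet\Services and of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and flags services whose ServiceDll resolves outside System32 and svchost group names missing from a baseline. The .reg sample below is constructed to mirror this report; the service name "serivces", its registry layout, the baseline group list and the C:\Windows install root are assumptions.

```python
"""Hunt svchost-hosted service persistence in a Windows .reg export (added example)."""
import re
from typing import Dict, List, Tuple

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
# Assumed baseline of legitimate group names; build the real one from a known-good host.
KNOWN_GROUPS = {"netsvcs", "LocalService", "NetworkService", "LocalServiceNoNetwork"}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_value(data: str) -> str:
    """Decode one .reg value: "..." (REG_SZ), dword:, or hex(N): UTF-16LE bytes.
    reg export writes REG_EXPAND_SZ as hex(2) and REG_MULTI_SZ as hex(7)."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")
    if data.startswith("dword:"):
        return str(int(data[6:], 16))
    m = re.match(r"hex\((\d+)\):(.*)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        text = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
        return text.replace("\x00", "|")  # MULTI_SZ elements joined with '|'
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: decoded_value}}; joins lines wrapped with '\\'."""
    keys: Dict[str, Dict[str, str]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # hex data continued on the next line
            pending = line[:-1]
            continue
        if (m := _SECTION.match(line)):
            current = m.group(1)
            keys[current] = {}
        elif current is not None and (m := _VALUE.match(line)):
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def _expand(path: str) -> str:
    """Lower-case and expand the variables seen in ServiceDll values (assumes C:\\Windows)."""
    p = path.lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p


def find_suspicious(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """ServiceDll outside System32, and svchost groups not in the baseline."""
    findings: List[Tuple[str, str]] = []
    prefix = SERVICES_ROOT + "\\"
    for path, values in keys.items():
        if path.startswith(prefix) and path.lower().endswith("\\parameters"):
            dll = values.get("ServiceDll")
            if dll and not _expand(dll).startswith("c:\\windows\\system32\\"):
                service = path[len(prefix):].rsplit("\\", 1)[0]
                findings.append((f"service {service}", f"ServiceDll outside System32: {dll}"))
    for group, members in keys.get(SVCHOST_KEY, {}).items():
        if group not in KNOWN_GROUPS:
            findings.append((f"svchost group {group}", f"not in baseline; members: {members}"))
    return findings


def _reg_hex(kind: int, *strings: str) -> str:
    """Encode strings the way reg export does: UTF-16LE, NUL terminated, wrapped
    with trailing backslashes; kind 7 (MULTI_SZ) gets the extra terminator."""
    raw = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    if kind == 7:
        raw += b"\x00\x00"
    hexbytes = [f"{b:02x}" for b in raw]
    lines = [",".join(hexbytes[i:i + 16]) for i in range(0, len(hexbytes), 16)]
    return f"hex({kind}):" + ",\\\n  ".join(lines)


# Constructed sample: the look-alike service from this report plus a legitimate one.
_IMAGE = _reg_hex(2, r'%SystemRoot%\System32\svchost.exe -k "serivces"')
_BAD_DLL = _reg_hex(2, r"C:\Windows\fonts\259261618.dll")
_GOOD_DLL = _reg_hex(2, r"%SystemRoot%\System32\dnsrslvr.dll")
_NETSVCS = _reg_hex(7, "Schedule", "Themes")
_SERIVCES = _reg_hex(7, "serivces")
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[{SERVICES_ROOT}\\serivces]
"ImagePath"={_IMAGE}
"Start"=dword:00000002
"Type"=dword:00000020

[{SERVICES_ROOT}\\serivces\\Parameters]
"ServiceDll"={_BAD_DLL}

[{SERVICES_ROOT}\\Dnscache\\Parameters]
"ServiceDll"={_GOOD_DLL}

[{SVCHOST_KEY}]
"netsvcs"={_NETSVCS}
"serivces"={_SERIVCES}
"""

if __name__ == "__main__":
    for where, what in find_suspicious(parse_reg(SAMPLE_REG)):
        print(f"{where}: {what}")
```

A real export is UTF-16LE with a byte-order mark, so read it with open(path, encoding="utf-16") before passing the text to parse_reg. Third-party services legitimately keep ServiceDll under Program Files, so the System32 rule is a triage filter, not a verdict; the group-name check is the stronger of the two because the Svchost key changes rarely.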
Processes
- C:\Users\Admin\AppData\Local\Temp\aabec071683f901b14319f1e4e5ba6c8.exe (pid 1684, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aabec071683f901b14319f1e4e5ba6c8.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (pid 1776, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\aabec071683f901b14319f1e4e5ba6c8.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (pid 1780, depth 3)
      Command line: ping 127.0.0.1 -n 1
      - Runs ping.exe
- C:\Windows\SysWOW64\svchost.exe (pid not recorded, depth 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "serivces"
- C:\Windows\SysWOW64\svchost.exe (pid 1936, depth 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "serivces"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\serivces.exe (pid 1008, depth 2)
    Command line: C:\Windows\system32\serivces.exe "c:\windows\fonts\259261618.dll",MainThread
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Reading the tree: the sample (1684) drops 259261618.dll into C:\Windows\Fonts, registers it for the "serivces" service group, and then uses cmd.exe to delete its own image once ping returns. The service host started for that group (1936) loads the dropped DLL, writes serivces.exe into SysWOW64 and runs it with a "<dll>,<export>" argument. That is rundll32 syntax, which suggests serivces.exe is a renamed copy of rundll32.exe and MainThread is the DLL export it calls; confirm by comparing the dropped file's hash (Downloads section) against the guest's own SysWOW64\rundll32.exe. The command-line paths say System32 while the recorded images are in SysWOW64 because of WOW64 file-system redirection, so the whole chain is 32-bit on this x64 guest. serivces.exe (1008) is the persistent component: every later signature (processor check, HKU\.DEFAULT writes, process enumeration) comes from it.
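The chain above is visible in ordinary process-creation telemetry, so it can be turned into detection logic. The following is an added example, not part of the sandbox report or of any product: it takes records with the pid, image, command line and parent image fields of a Sysmon Event ID 1 and applies four rules (cmd.exe deleting its parent's image after a ping delay; rundll32-style "<dll>,<export>" command lines from a binary other than rundll32.exe or naming a DLL outside the system directories; names within edit distance 2 of a protected system binary, or an exact name running outside System32/SysWOW64; svchost.exe with a -k group outside a baseline or not started by services.exe). EVENTS is constructed from the process tree; the parents of pid 1684 and pid 1936 are not in the report and are assumed, as is the baseline group list.

```python
"""Detection rules for the self-delete / svchost / look-alike chain (added example)."""
import ntpath
import re
from typing import Dict, List

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROTECTED = ("services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "rundll32.exe")
KNOWN_GROUPS = {"netsvcs", "LocalService", "NetworkService", "LocalServiceNoNetwork"}  # assumed baseline

SELF_DELETE = re.compile(r"\bping\b.*&&\s*del\b", re.I)
DEL_TARGET = re.compile(r'\bdel\b(?:\s+/\S+)*\s+"?([^"]+?)"?\s*$', re.I)
DLL_EXPORT = re.compile(r'"?([^"\s]+\.dll)"?\s*,\s*(\w+)', re.I)
SVCHOST_GROUP = re.compile(r'-k\s+"?([^"\s]+)"?', re.I)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute) for look-alike name checks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def analyze(event: Dict[str, object]) -> List[str]:
    """Return the alerts raised by one process-creation record."""
    image, cmd, parent = str(event["image"]), str(event["cmd"]), str(event["parent"])
    name = ntpath.basename(image).lower()
    parent_name = ntpath.basename(parent).lower()
    alerts: List[str] = []

    # Rule 1: cmd.exe waits on ping, then deletes the image of its own parent.
    if name == "cmd.exe" and SELF_DELETE.search(cmd):
        target = DEL_TARGET.search(cmd)
        if target and ntpath.basename(target.group(1)).lower() == parent_name:
            alerts.append("self-delete: cmd.exe deletes its parent's image after a ping delay")

    # Rule 2: rundll32 invocation syntax from the wrong binary, or an odd DLL location.
    m = DLL_EXPORT.search(cmd)
    if m:
        dll, export = m.group(1), m.group(2)
        if name != "rundll32.exe":
            alerts.append(f"rundll32-style call {ntpath.basename(dll)},{export} from {name}")
        if not in_system_dir(dll):
            alerts.append(f"DLL outside system directories: {dll}")

    # Rule 3: masquerading as a protected system binary (typo-squat or wrong directory).
    for protected in PROTECTED:
        distance = levenshtein(name, protected)
        if distance == 0 and not in_system_dir(image):
            alerts.append(f"{protected} running from {ntpath.dirname(image)}")
        elif 0 < distance <= 2:
            alerts.append(f"look-alike name {name} (distance {distance} from {protected})")

    # Rule 4: svchost.exe hosting an unknown group, or not spawned by the SCM.
    if name == "svchost.exe":
        group = SVCHOST_GROUP.search(cmd)
        if group and group.group(1) not in KNOWN_GROUPS:
            alerts.append(f"svchost group {group.group(1)} not in baseline")
        if parent_name != "services.exe":
            alerts.append(f"svchost.exe started by {parent_name} instead of services.exe")
    return alerts


def scan(events) -> Dict[int, List[str]]:
    findings: Dict[int, List[str]] = {}
    for event in events:
        alerts = analyze(event)
        if alerts:
            findings[int(event["pid"])] = alerts
    return findings


EVENTS = [  # constructed from the report's process tree
    {"pid": 1684,
     "image": r"C:\Users\Admin\AppData\Local\Temp\aabec071683f901b14319f1e4e5ba6c8.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\aabec071683f901b14319f1e4e5ba6c8.exe"',
     "parent": r"C:\Windows\explorer.exe"},                      # parent assumed
    {"pid": 1776, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q '
            r'"C:\Users\Admin\AppData\Local\Temp\aabec071683f901b14319f1e4e5ba6c8.exe"',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\aabec071683f901b14319f1e4e5ba6c8.exe"},
    {"pid": 1780, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmd": "ping 127.0.0.1 -n 1", "parent": r"C:\Windows\SysWOW64\cmd.exe"},
    {"pid": 1936, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmd": r'C:\Windows\SysWOW64\svchost.exe -k "serivces"',
     "parent": r"C:\Windows\System32\services.exe"},             # parent assumed
    {"pid": 1008, "image": r"C:\Windows\SysWOW64\serivces.exe",
     "cmd": r'C:\Windows\system32\serivces.exe "c:\windows\fonts\259261618.dll",MainThread',
     "parent": r"C:\Windows\SysWOW64\svchost.exe"},
]

if __name__ == "__main__":
    for pid, alerts in scan(EVENTS).items():
        for alert in alerts:
            print(f"pid {pid}: {alert}")
```

Rule 3 is the one to tune: distance 2 catches transpositions like serivces/services and single typos like svch0st, but on a large estate it also catches legitimate vendor binaries with short names, so pair it with a signer check before alerting. Rule 2's directory test fires on legitimate rundll32 calls into Program Files; the stronger signal is the non-rundll32 image using rundll32 syntax.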
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files. The report lists a file once per write or read record; identical records are collapsed here, with the path variants as recorded. Only two distinct files were dropped.
- C:\Windows\SysWOW64\serivces.exe (3 records, one of them as \Windows\SysWOW64\serivces.exe)
  MD5: 51138beea3e2c21ec44d0932c71762a8
  SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
  SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
  SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
- \??\c:\windows\fonts\259261618.dll (7 records, six of them as \Windows\Fonts\259261618.dll)
  MD5: 90697f593e5ec3978a8f82f35bbab2e0
  SHA1: c3f407596a0d279f4fef1760d387b38277ee17c7
  SHA256: 132ce3518e74ada2a429b1164f5526d6ee2504b61233c0f35cbed605487d4def
  SHA512: 0dff30ca6892c75d78415abee43f94297478a10e31ec2fefe0e5e3dbb107fe22a0cc130ba156c48e46258f63dee1e72a94f834f442049036b423362d88473b9d
The DLL hash is the indicator to block; it is the only dropped file that cannot be a copy of a system binary. Before blocking the serivces.exe hash, compare it with the guest's own SysWOW64\rundll32.exe (the command line it was run with uses rundll32 syntax): if the hashes match, the file is a renamed system binary and a hash block would hit the legitimate rundll32.exe as well, so detect it by path and name instead.
Memory dumps
- memory/1008-9-0x0000000000000000-mapping.dmp
- memory/1684-2-0x00000000756A1000-0x00000000756A3000-memory.dmp (8KB)
- memory/1776-6-0x0000000000000000-mapping.dmp
- memory/1780-7-0x0000000000000000-mapping.dmp