Analysis
- max time kernel: 127s
- max time network: 144s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-03-2021 13:53
Static task: static1
Behavioral task: behavioral1
- Sample: aabec071683f901b14319f1e4e5ba6c8.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: aabec071683f901b14319f1e4e5ba6c8.exe
- Resource: win10v20201028
General
- Target: aabec071683f901b14319f1e4e5ba6c8.exe
- Size: 112KB
- MD5: aabec071683f901b14319f1e4e5ba6c8
- SHA1: 29dd74f3c7b908336a7482e34fbc46700fb51660
- SHA256: 3b15bfa331b523700de1c0fefe9cc4a84d1c2263087d5b4028209a8707db5436
- SHA512: 5152a8142eaadf821fbe1e5817ba60e3848ecf57ef710dc874e010d98eedecf3d17ebe0751acc761c4a56c12176be82de3ce0c82d8525eb5620cbacd207cc50a
Malware Config
Signatures
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  3220 | serivces.exe
- Sets DLL path for service in the registry 2 TTPs
- Loads dropped DLL 3 IoCs
  Processes:
  pid | process
  4684 | aabec071683f901b14319f1e4e5ba6c8.exe
  4924 | svchost.exe
  3220 | serivces.exe
- Drops file in System32 directory 2 IoCs
  Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\serivces.exe | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\serivces.exe | svchost.exe
- Drops file in Windows directory 1 IoCs
  Processes:
  description | ioc | process
  File created | C:\Windows\fonts\259271234.dll | aabec071683f901b14319f1e4e5ba6c8.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | serivces.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | serivces.exe
- Modifies data under HKEY_USERS 5 IoCs
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | serivces.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | serivces.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | serivces.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | serivces.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | serivces.exe
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes:
  pid | process
  4684 | aabec071683f901b14319f1e4e5ba6c8.exe (2 entries)
  3220 | serivces.exe (the remaining 62 entries)
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 4684 | aabec071683f901b14319f1e4e5ba6c8.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes:
  pid | process
  4684 | aabec071683f901b14319f1e4e5ba6c8.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
  description | pid | process | target process
  PID 4684 wrote to memory of 5108 | 4684 | aabec071683f901b14319f1e4e5ba6c8.exe | cmd.exe (3 entries)
  PID 5108 wrote to memory of 3480 | 5108 | cmd.exe | PING.EXE (3 entries)
  PID 4924 wrote to memory of 3220 | 4924 | svchost.exe | serivces.exe (3 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\aabec071683f901b14319f1e4e5ba6c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aabec071683f901b14319f1e4e5ba6c8.exe"
  Signatures:
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\aabec071683f901b14319f1e4e5ba6c8.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 1
      Signatures:
      - Runs ping.exe
- [1] C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "serivces"
- [1] C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "serivces"
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\serivces.exe
    Command line: C:\Windows\system32\serivces.exe "c:\windows\fonts\259271234.dll",MainThread
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\serivces.exe
  MD5: f57886ace1ab4972b0308f69b1a0029c
  SHA1: 519b2a981cb522ed2b0901f9871f9aa9781a6cd5
  SHA256: 2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852
  SHA512: c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8
- \??\c:\windows\fonts\259271234.dll
  MD5: 90697f593e5ec3978a8f82f35bbab2e0
  SHA1: c3f407596a0d279f4fef1760d387b38277ee17c7
  SHA256: 132ce3518e74ada2a429b1164f5526d6ee2504b61233c0f35cbed605487d4def
  SHA512: 0dff30ca6892c75d78415abee43f94297478a10e31ec2fefe0e5e3dbb107fe22a0cc130ba156c48e46258f63dee1e72a94f834f442049036b423362d88473b9d
- \Windows\Fonts\259271234.dll
  MD5: 90697f593e5ec3978a8f82f35bbab2e0
  SHA1: c3f407596a0d279f4fef1760d387b38277ee17c7
  SHA256: 132ce3518e74ada2a429b1164f5526d6ee2504b61233c0f35cbed605487d4def
  SHA512: 0dff30ca6892c75d78415abee43f94297478a10e31ec2fefe0e5e3dbb107fe22a0cc130ba156c48e46258f63dee1e72a94f834f442049036b423362d88473b9d
- memory/3220-7-0x0000000000000000-mapping.dmp
- memory/3480-6-0x0000000000000000-mapping.dmp
- memory/5108-5-0x0000000000000000-mapping.dmp