Analysis

max time kernel: 28s
max time network: 29s
platform: windows7_x64
resource: win7v20201028
submitted: 04-04-2021 06:26

Static task: static1
Behavioral task: behavioral1
Sample: 697B7BFC9F44A4E89FB38857312C198B.exe
Resource: win7v20201028

General

Target: 697B7BFC9F44A4E89FB38857312C198B.exe
Size: 285KB
MD5: 697b7bfc9f44a4e89fb38857312c198b
SHA1: 2189356d911952211d15ccf1a21d587ff88e72b0
SHA256: f272777ee69921d167509fdf27ad55f4deb671a9063854d63bef679aaa31d1ba
SHA512: ae2ff5d11e8ecb9825c049a506cc9f5a28b0479cebda6bc466a49c56e913e453d5764a289ce686f92bb8faf84534c0c7fdd8db8759729237d4fb169023dec4f8
Malware Config
Signatures
Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource: behavioral1/memory/548-6-0x0000000000510000-0x000000000052E000-memory.dmp    yara_rule: disable_win_def

ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource: behavioral1/memory/548-6-0x0000000000510000-0x000000000052E000-memory.dmp    yara_rule: rezer0

Both rules match the same 120KB in-memory region of PID 548 (dump 548-6), not the 285KB file on disk, so a static scan of the sample with these rules may not trigger; the Defender-tampering code is only visible once the packer has unpacked it in memory.
Suspicious use of SetThreadContext (1 IoC)
Processes:
description: PID 548 set thread context of 2032    pid: 548    process: 697B7BFC9F44A4E89FB38857312C198B.exe    target process: MSBuild.exe

The parent changes the thread context of the MSBuild.exe child it created. Combined with the WriteProcessMemory rows below into the same PID and the 0x400000-0x419000 region later dumped from PID 2032, this is consistent with process hollowing: the child's thread is redirected into code the parent wrote.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour; drive enumeration is also routine in stealers and loaders, so on its own it is a weak indicator.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid: 548    process: 697B7BFC9F44A4E89FB38857312C198B.exe
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes:
Token: SeDebugPrivilege    pid: 548    process: 697B7BFC9F44A4E89FB38857312C198B.exe
The following eight tokens are then requested by PID 2032 (MSBuild.exe), and the same sequence repeats four times (32 entries):
Token: SeImpersonatePrivilege    pid: 2032    process: MSBuild.exe
Token: SeTcbPrivilege    pid: 2032    process: MSBuild.exe
Token: SeChangeNotifyPrivilege    pid: 2032    process: MSBuild.exe
Token: SeCreateTokenPrivilege    pid: 2032    process: MSBuild.exe
Token: SeBackupPrivilege    pid: 2032    process: MSBuild.exe
Token: SeRestorePrivilege    pid: 2032    process: MSBuild.exe
Token: SeIncreaseQuotaPrivilege    pid: 2032    process: MSBuild.exe
Token: SeAssignPrimaryTokenPrivilege    pid: 2032    process: MSBuild.exe

MSBuild.exe has no reason to enable SeTcbPrivilege, SeCreateTokenPrivilege or SeAssignPrimaryTokenPrivilege when building a project; these requests come from the code injected into it, not from MSBuild itself.
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
description: PID 548 wrote to memory of 1908    pid: 548    process: 697B7BFC9F44A4E89FB38857312C198B.exe    target process: schtasks.exe    (4 entries)
description: PID 548 wrote to memory of 2032    pid: 548    process: 697B7BFC9F44A4E89FB38857312C198B.exe    target process: MSBuild.exe    (9 entries)
description: PID 2032 wrote to memory of 1112    pid: 2032    process: MSBuild.exe    target process: cmd.exe    (4 entries)

The four writes into schtasks.exe and into cmd.exe match what every plain child process in this run receives during start-up; the nine writes into MSBuild.exe, paired with the SetThreadContext call on the same PID, are the injection.
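The SetThreadContext and WriteProcessMemory rows above only become meaningful when correlated per (source, target) pair. The following is an added example, not code from the sandbox vendor or from this report, that parses rows in the layout shown above and flags a target that received both a thread-context change and memory writes from the same source. The event-line format is taken from the report's rows; the COMMON_HOSTS list is an assumption for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the SetThreadContext and WriteProcessMemory rows
# from the report above, one event per line, with the same counts the report
# shows (4 writes into schtasks.exe, 9 into MSBuild.exe, 4 into cmd.exe).
SAMPLE_EVENTS = (
    "PID 548 set thread context of 2032 548 697B7BFC9F44A4E89FB38857312C198B.exe MSBuild.exe\n"
    + "PID 548 wrote to memory of 1908 548 697B7BFC9F44A4E89FB38857312C198B.exe schtasks.exe\n" * 4
    + "PID 548 wrote to memory of 2032 548 697B7BFC9F44A4E89FB38857312C198B.exe MSBuild.exe\n" * 9
    + "PID 2032 wrote to memory of 1112 2032 MSBuild.exe cmd.exe\n" * 4
)

# Row layout: "PID <src> <action> <dst> <src> <src image> <dst image>"
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Signed Microsoft binaries that .NET loaders commonly use as hollowing hosts.
# Assumption for this example; the report itself only shows MSBuild.exe.
COMMON_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "aspnet_compiler.exe", "applaunch.exe", "vbc.exe", "csc.exe"}


def parse_events(text):
    """Turn report rows into dicts; lines that do not match the layout are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({
                "src": int(m["src"]), "dst": int(m["dst"]),
                "action": "ctx" if m["action"].startswith("set") else "write",
                "src_image": m["src_image"], "dst_image": m["dst_image"],
            })
    return events


def find_hollowing(events):
    """One hit per (src, dst) pair that got both SetThreadContext and at least
    one WriteProcessMemory from the same source.  Writes alone are not enough:
    every freshly created child receives a few writes from its parent during
    start-up (the schtasks.exe and cmd.exe rows), so the thread-context change
    is the discriminating event."""
    writes = defaultdict(int)
    ctx_targets = {}
    for e in events:
        pair = (e["src"], e["dst"])
        if e["action"] == "write":
            writes[pair] += 1
        else:
            ctx_targets[pair] = (e["src_image"], e["dst_image"])
    hits = []
    for pair, (src_image, dst_image) in ctx_targets.items():
        if writes[pair] == 0:
            continue
        hits.append({
            "src_pid": pair[0], "dst_pid": pair[1],
            "src_image": src_image, "dst_image": dst_image,
            "writes": writes[pair],
            "known_host": dst_image.lower() in COMMON_HOSTS,
        })
    return hits


def write_counts(events):
    """Per-target write counts; the outlier target is usually the injection victim."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "write":
            counts[e["dst_image"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    print(write_counts(parsed))
    for hit in find_hollowing(parsed):
        print(hit)
```

On the report's rows this yields a single hit: PID 548 into PID 2032 (MSBuild.exe) with nine writes and a thread-context change, while schtasks.exe and cmd.exe, which only received the start-up writes, are not flagged.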
Processes

[1] C:\Users\Admin\AppData\Local\Temp\697B7BFC9F44A4E89FB38857312C198B.exe (PID 548)
    Command line: "C:\Users\Admin\AppData\Local\Temp\697B7BFC9F44A4E89FB38857312C198B.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\schtasks.exe (PID 1908)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TYsahGzZfGPn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5744.tmp"
        - Creates scheduled task(s)
        Note: the command line names System32 but the image ran from SysWOW64, because the 32-bit parent is subject to WoW64 file-system redirection; detection rules keyed only on the System32 path miss this event. The task definition is imported from tmp5744.tmp (hashed under Downloads), so the trigger and the action live in that XML file, not in the command line.

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 2032)
        Command line: "{path}"
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Note: MSBuild.exe is started with the literal argument "{path}" and no project file, and it is the target of the parent's SetThreadContext and WriteProcessMemory calls: a hollowed host for the unpacked payload, not a build.

        [3] C:\Windows\SysWOW64\cmd.exe (PID 1112)
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259301414.bat" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "
            Note: the batch file (hashed under Downloads) is handed the MSBuild.exe path as its only argument.
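The schtasks.exe row above carries three signals a hunter would want to pull out mechanically: the task definition comes from an XML file in the user's Temp folder, the parent runs from Temp, and the image path differs from the path on the command line. The following is an added example, not the sandbox's or the report's own code, that parses a schtasks command line in the form shown above and scores it. The field names (image, cmdline, parent_image) and the "Updates\<random>" task-name heuristic are assumptions for the example.

```python
import re

# Constructed sample: the schtasks.exe row from the process tree above, split
# into the fields a sandbox or EDR normally records separately.
SAMPLE_PROCESS = {
    "image": r"C:\Windows\SysWOW64\schtasks.exe",
    "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TYsahGzZfGPn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5744.tmp"',
    "parent_image": r"C:\Users\Admin\AppData\Local\Temp\697B7BFC9F44A4E89FB38857312C198B.exe",
}

# schtasks switches are case-insensitive; values may be quoted or bare tokens.
ARG_RE = re.compile(r'/(?P<key>TN|XML|TR|SC|RU)\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_schtasks(cmdline):
    """Extract the switches of interest plus whether this is a /Create call."""
    args = {"create": bool(re.search(r"\s/create\b", cmdline, re.IGNORECASE))}
    for m in ARG_RE.finditer(cmdline):
        args[m["key"].upper()] = m["q"] if m["q"] is not None else m["u"]
    return args


def wow64_redirected(proc):
    """True when the command line asked for the System32 copy but the image that
    actually ran lives in SysWOW64: the caller was a 32-bit process and WoW64
    file-system redirection applied.  Rules that match only on the System32 path
    never see this event."""
    cmd = proc["cmdline"]
    exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    return "\\system32\\" in exe.lower() and "\\syswow64\\" in proc["image"].lower()


def task_creation_reasons(proc):
    """Return the list of reasons this schtasks invocation looks like malware
    persistence; an empty list means nothing stood out."""
    reasons = []
    args = parse_schtasks(proc["cmdline"])
    if not args["create"]:
        return reasons
    xml = args.get("XML")
    if xml and USER_TEMP_RE.search(xml):
        reasons.append("task definition imported from XML in user Temp: " + xml)
    if USER_TEMP_RE.search(proc["parent_image"]):
        reasons.append("schtasks spawned by a binary running from user Temp")
    # Heuristic (an assumption of this example, not something the report states):
    # loader persistence tasks often sit in a folder called Updates with a
    # random alphabetic name, as in the row above.
    if re.fullmatch(r"Updates\\[A-Za-z]{8,}", args.get("TN", "")):
        reasons.append("task name looks generated: " + args["TN"])
    return reasons


if __name__ == "__main__":
    print(parse_schtasks(SAMPLE_PROCESS["cmdline"]))
    print("wow64 redirected:", wow64_redirected(SAMPLE_PROCESS))
    for r in task_creation_reasons(SAMPLE_PROCESS):
        print("-", r)
```

Because the task body is in the XML file rather than on the command line, the file (tmp5744.tmp here) is the artefact to collect; the command line alone does not tell you what the task runs or when.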
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\259301414.bat
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

C:\Users\Admin\AppData\Local\Temp\tmp5744.tmp
MD5: 5b7cc84fd152d6da2899388600ebb832
SHA1: 0c8b3c1b46287056ca6abb64c9690de128e669f1
SHA256: 6a653efd04b6eb9f0659850a95806809680033c0a89ddcfd5fd1c0cecab275e3
SHA512: a6d9d0cd6a5281dce9047e3848e27124aa514c5d9cb942b4a668096fe6f9c128723f508f73ad2dde78b1988782e4b5330c77c0659c192861be2c8edee2ca36bc
memory/548-2-0x0000000074B50000-0x000000007523E000-memory.dmp    Filesize: 6.9MB
memory/548-3-0x00000000009F0000-0x00000000009F1000-memory.dmp    Filesize: 4KB
memory/548-5-0x0000000004780000-0x0000000004781000-memory.dmp    Filesize: 4KB
memory/548-6-0x0000000000510000-0x000000000052E000-memory.dmp    Filesize: 120KB
memory/1908-7-0x0000000000000000-mapping.dmp
memory/2032-9-0x0000000000400000-0x0000000000419000-memory.dmp    Filesize: 100KB
memory/2032-10-0x0000000000410621-mapping.dmp
memory/2032-11-0x0000000076451000-0x0000000076453000-memory.dmp    Filesize: 8KB
memory/2032-12-0x0000000000400000-0x0000000000419000-memory.dmp    Filesize: 100KB
memory/840-13-0x000007FEF8800000-0x000007FEF8A7A000-memory.dmp    Filesize: 2.5MB
memory/1112-14-0x0000000000000000-mapping.dmp

Dump 548-6 is the 120KB region both YARA rules (disable_win_def, rezer0) matched. Dumps 2032-9 and 2032-12 cover 0x400000-0x419000 in MSBuild.exe, the image-base range a hollowed payload is written to, and the mapping dump 2032-10 at 0x410621 falls inside that range, consistent with the SetThreadContext call pointing the thread at the injected code rather than at MSBuild's own entry point. PID 840, whose dump covers a 64-bit address range, does not appear in the process tree above.