Analysis

Max time kernel: 141s
Max time network: 130s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 15-04-2021 19:10
Static task: static1
Behavioral task: behavioral1 (Sample: 1234.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: 1234.exe, Resource: win10v20210410)
General

Target: 1234.exe
Size: 1.2MB
MD5: 45de46aae024150078e249dec173a337
SHA1: bd1f8891836765f1c58777806cb82657b8c3bd7e
SHA256: 554ac14fb25de9add3d66f0877a7da079bf6818a4957a21b2a618c6aac22b6c4
SHA512: 2bb1d4d1908cc2534677f32861dd0185c2907508112d05434d731088a62f9f28071e8652111c2745dad28d4334c696471dc358ca9537b08e390157d5502def24
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description           | pid  | process            | target process
  PID 2592 created 2680 | 2592 | SystemSettings.exe | Explorer.EXE

Executes dropped EXE (1 IoC)
Processes:
  pid  | process
  2088 | SystemLanguageDriverver2.31.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
  pid  | pid_target | process      | target process
  2860 | 2576       | WerFault.exe | 1234.exe

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                                                                     | process
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000            | SystemSettings.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | SystemSettings.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000                     | SystemSettings.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID          | SystemSettings.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
Processes:
  pid  | process
  3948 | timeout.exe

Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes:
  pid  | process      | occurrences
  2860 | WerFault.exe | 14
  1944 | 1234.exe     | 13

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
  description                       | pid  | process
  Token: SeRestorePrivilege         | 2860 | WerFault.exe
  Token: SeBackupPrivilege          | 2860 | WerFault.exe
  Token: SeDebugPrivilege           | 2860 | WerFault.exe
  Token: SeShutdownPrivilege        | 2592 | SystemSettings.exe
  Token: SeCreatePagefilePrivilege  | 2592 | SystemSettings.exe
  Token: SeShutdownPrivilege        | 2592 | SystemSettings.exe
  Token: SeCreatePagefilePrivilege  | 2592 | SystemSettings.exe
  Token: SeTakeOwnershipPrivilege   | 2592 | SystemSettings.exe
  Token: SeRestorePrivilege         | 2592 | SystemSettings.exe
  Token: SeSystemtimePrivilege      | 2632 | SystemSettingsAdminFlows.exe
  Token: SeSystemtimePrivilege      | 2632 | SystemSettingsAdminFlows.exe
  Token: SeDebugPrivilege           | 1944 | 1234.exe
  Token: SeSystemtimePrivilege      | 3560 | svchost.exe
  Token: SeSystemtimePrivilege      | 3560 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 3560 | svchost.exe
  Token: SeSystemtimePrivilege      | 3560 | svchost.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid  | process
  2592 | SystemSettings.exe
  2632 | SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory (18 IoCs; each edge recorded 3 times)
Processes:
  description                       | pid  | process            | target process
  PID 2592 wrote to memory of 2632  | 2592 | SystemSettings.exe | SystemSettingsAdminFlows.exe
  PID 1944 wrote to memory of 3856  | 1944 | 1234.exe           | cmd.exe
  PID 3856 wrote to memory of 3084  | 3856 | cmd.exe            | schtasks.exe
  PID 1944 wrote to memory of 2660  | 1944 | 1234.exe           | cmd.exe
  PID 2660 wrote to memory of 3948  | 2660 | cmd.exe            | timeout.exe
  PID 2660 wrote to memory of 2088  | 2660 | cmd.exe            | SystemLanguageDriverver2.31.exe
Processes (tree; indentation shows parent/child depth, "cmd:" is the recorded command line)

C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\1234.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\1234.exe"

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 764
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\SystemSettingsAdminFlows.exe
    cmd: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\1234.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\1234.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SystemLanguageDriverver2.31" /tr '"C:\Users\Admin\AppData\Local\Temp\System Language Driver ver 2.31\SystemLanguageDriverver2.31.exe"' & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /create /f /sc onlogon /rl highest /tn "SystemLanguageDriverver2.31" /tr '"C:\Users\Admin\AppData\Local\Temp\System Language Driver ver 2.31\SystemLanguageDriverver2.31.exe"'
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC65E.tmp.bat""
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe
        cmd: timeout 3
        - Delays execution with timeout.exe

      C:\Users\Admin\AppData\Local\Temp\System Language Driver ver 2.31\SystemLanguageDriverver2.31.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\System Language Driver ver 2.31\SystemLanguageDriverver2.31.exe"
        - Executes dropped EXE

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
  cmd: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

C:\Windows\System32\rundll32.exe
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\DataExchangeHost.exe
  cmd: C:\Windows\System32\DataExchangeHost.exe -Embedding

\??\c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k localservice -s W32Time
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\System Language Driver ver 2.31\SystemLanguageDriverver2.31.exe
  MD5: 3bb7e35f9098351c3cf6cc8417e6cf3b
  SHA1: bfa3e29b35548c98465f374509c8fc5969b37b97
  SHA256: afd8d9375f6f76f954edea2ef7b26177eafe16b96d6e528d6ccafbb94a03247b
  SHA512: 8546fbd24bb0541835304eb1c8876084daabff8677c0d8054463924e10ba74abd51dd0ab792cbae4e1e2b9d9025b6f6a94ec72faf74a9a7036dc0ae535aaef4b

C:\Users\Admin\AppData\Local\Temp\System Language Driver ver 2.31\SystemLanguageDriverver2.31.exe
  MD5: 80f956a6de8142c867c8d1f9feb35bb5
  SHA1: 7a34bb6fcc9d710b193f994749a31bb9f69d48e5
  SHA256: 64447228b8a066a79ab4dac4a46feef17c9f6e36d4e0f3787227fddaa9e2146c
  SHA512: 805f50373b128e19d6abc0146185b77623b498398e33a002db6e41a79e88a69fee2f693c47347f4cff2e22ebf2743b51deecf6f3c4d919af7d7796ac1615c5e2

C:\Users\Admin\AppData\Local\Temp\tmpC65E.tmp.bat
  MD5: 92e4c39d9b1e487223518ef06140aa40
  SHA1: 266a930267adfa7d9d960c2842eacca1b8ddfbc7
  SHA256: 5b0b72750590647bac6a3b9574a5a0e3615d49cbde292a7bd0c33999c9e240d3
  SHA512: ab4bfa8aa2ed3ad5505f624c86f3e04e75ecf4affc94befd53630512fb569e07a42843dd39794a596c2242acaa8c439d02cb995da61987a7817136220b9ad55a
Memory dumps

memory/1944-119-0x00000000055E0000-0x00000000055E1000-memory.dmp (Filesize: 4KB)
memory/1944-122-0x00000000364D0000-0x00000000364D1000-memory.dmp (Filesize: 4KB)
memory/2088-126-0x0000000000000000-mapping.dmp
memory/2088-131-0x0000000001590000-0x0000000001591000-memory.dmp (Filesize: 4KB)
memory/2576-114-0x0000000000FC0000-0x0000000000FC1000-memory.dmp (Filesize: 4KB)
memory/2632-116-0x0000000000000000-mapping.dmp
memory/2660-123-0x0000000000000000-mapping.dmp
memory/3084-121-0x0000000000000000-mapping.dmp
memory/3856-120-0x0000000000000000-mapping.dmp
memory/3948-125-0x0000000000000000-mapping.dmp