Analysis
-
max time kernel
73s -
max time network
76s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
03-05-2021 12:06
Static task
static1
Behavioral task
behavioral1
Sample
25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exe
Resource
win7v20210410
General
-
Target
25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exe
-
Size
366KB
-
MD5
5c8480dbc65d4d622b75623ddc322ccb
-
SHA1
ad300ae93899b8e3fa13812f4bcee7a5063dc335
-
SHA256
25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a
-
SHA512
4ed24e1dc1754ef01016de201db279289cdb45935cf6f6ab057d2721ef47412b8beec2bfa186be3bf96c5f469b5f357673280ea2c7cd7a6f3ab42e82ed63c41f
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exepid process 1688 25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exedescription pid process target process PID 1688 set thread context of 1788 1688 25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exe svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exepid process 1688 25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
svchost.exedescription pid process Token: SeImpersonatePrivilege 1788 svchost.exe Token: SeTcbPrivilege 1788 svchost.exe Token: SeChangeNotifyPrivilege 1788 svchost.exe Token: SeCreateTokenPrivilege 1788 svchost.exe Token: SeBackupPrivilege 1788 svchost.exe Token: SeRestorePrivilege 1788 svchost.exe Token: SeIncreaseQuotaPrivilege 1788 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1788 svchost.exe Token: SeImpersonatePrivilege 1788 svchost.exe Token: SeTcbPrivilege 1788 svchost.exe Token: SeChangeNotifyPrivilege 1788 svchost.exe Token: SeCreateTokenPrivilege 1788 svchost.exe Token: SeBackupPrivilege 1788 svchost.exe Token: SeRestorePrivilege 1788 svchost.exe Token: SeIncreaseQuotaPrivilege 1788 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1788 svchost.exe Token: SeImpersonatePrivilege 1788 svchost.exe Token: SeTcbPrivilege 1788 svchost.exe Token: SeChangeNotifyPrivilege 1788 svchost.exe Token: SeCreateTokenPrivilege 1788 svchost.exe Token: SeBackupPrivilege 1788 svchost.exe Token: SeRestorePrivilege 1788 svchost.exe Token: SeIncreaseQuotaPrivilege 1788 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1788 svchost.exe Token: SeImpersonatePrivilege 1788 svchost.exe Token: SeTcbPrivilege 1788 svchost.exe Token: SeChangeNotifyPrivilege 1788 svchost.exe Token: SeCreateTokenPrivilege 1788 svchost.exe Token: SeBackupPrivilege 1788 svchost.exe Token: SeRestorePrivilege 1788 svchost.exe Token: SeIncreaseQuotaPrivilege 1788 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1788 svchost.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exesvchost.exedescription pid process target process PID 1688 wrote to memory of 1788 1688 25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exe svchost.exe PID 1688 wrote to memory of 1788 1688 25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exe svchost.exe PID 1688 wrote to memory of 1788 1688 25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exe svchost.exe PID 1688 wrote to memory of 1788 1688 25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exe svchost.exe PID 1688 wrote to memory of 1788 1688 25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exe svchost.exe PID 1788 wrote to memory of 412 1788 svchost.exe cmd.exe PID 1788 wrote to memory of 412 1788 svchost.exe cmd.exe PID 1788 wrote to memory of 412 1788 svchost.exe cmd.exe PID 1788 wrote to memory of 412 1788 svchost.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exe"C:\Users\Admin\AppData\Local\Temp\25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\259273084.bat" "C:\Windows\SysWOW64\svchost.exe" "3⤵PID:412
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
3880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
MD5
9ff080d2a22e9642e493d41ccf6af7a5
SHA1cba773ddde632d3cadf247abd4e3ea917c9c0d7f
SHA256ee3da2ce59b5b5858347926c928eed731d2fb11e3af1b0183f83f5c90d4a4761
SHA5122d17c134a6c750441b26e4d55d13d509f40bbe369b17a436ad449dd352cd74d2433e9d12bbdfd53ed1eb03291344790fd38e00a669022bc19fdff6be5bf8e4ef