Analysis
- max time kernel: 151s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 06-05-2021 19:37
Static task: static1
Behavioral task: behavioral1
  Sample: 23B164D8C48B45A03A7E80640E53A233.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 23B164D8C48B45A03A7E80640E53A233.exe
  Resource: win10v20210410
General
- Target: 23B164D8C48B45A03A7E80640E53A233.exe
- Size: 312KB
- MD5: 23b164d8c48b45a03a7e80640e53a233
- SHA1: 0a2e835662940927e63d510e955839e4ffdf0b69
- SHA256: 70a9324fd74829cb87228210962e4b68747f6203b4de74e061d67fc4b7f5da51
- SHA512: 91bc27fb283068a358986c03be925404f2eac56016da52c99cf3df519dbadb08d52f83b5ea654cd39d6b56c8bc2e3cf1b6306e98167d7c4facd22fcc298ac7fb
Malware Config
Signatures
- Adds policy Run key to start application (TTPs: 2, IoCs: 4)
  Processes: 23B164D8C48B45A03A7E80640E53A233.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\SVCHOST.exe" | 23B164D8C48B45A03A7E80640E53A233.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 23B164D8C48B45A03A7E80640E53A233.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\SVCHOST.exe" | 23B164D8C48B45A03A7E80640E53A233.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 23B164D8C48B45A03A7E80640E53A233.exe
- Executes dropped EXE (IoCs: 1)
  Processes: SVCHOST.exe
  pid | process
  1588 | SVCHOST.exe
- Modifies Installed Components in the registry (TTPs: 2)
- Matched YARA rules on dropped resources
  resource | yara_rule
  \??\c:\dir\install\install\SVCHOST.exe | upx
  behavioral1/memory/1784-103-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
  \dir\install\install\SVCHOST.exe | upx
  \dir\install\install\SVCHOST.exe | upx
  C:\dir\install\install\SVCHOST.exe | upx
- Loads dropped DLL (IoCs: 2)
  Processes: 23B164D8C48B45A03A7E80640E53A233.exe
  pid | process
  1964 | 23B164D8C48B45A03A7E80640E53A233.exe
  1964 | 23B164D8C48B45A03A7E80640E53A233.exe
- Adds Run key to start application (TTPs: 2, IoCs: 4)
  Processes: 23B164D8C48B45A03A7E80640E53A233.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 23B164D8C48B45A03A7E80640E53A233.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\SVCHOST.exe" | 23B164D8C48B45A03A7E80640E53A233.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | 23B164D8C48B45A03A7E80640E53A233.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\SVCHOST.exe" | 23B164D8C48B45A03A7E80640E53A233.exe
- Enumerates physical storage devices (TTPs: 1)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (IoCs: 1)
  Processes: 23B164D8C48B45A03A7E80640E53A233.exe
  pid | process
  1964 | 23B164D8C48B45A03A7E80640E53A233.exe
- Suspicious use of AdjustPrivilegeToken (IoCs: 2)
  Processes: 23B164D8C48B45A03A7E80640E53A233.exe
  description | pid | process
  Token: SeDebugPrivilege | 1964 | 23B164D8C48B45A03A7E80640E53A233.exe
  Token: SeDebugPrivilege | 1964 | 23B164D8C48B45A03A7E80640E53A233.exe
- Suspicious use of FindShellTrayWindow (IoCs: 1)
  Processes: 23B164D8C48B45A03A7E80640E53A233.exe
  pid | process
  1096 | 23B164D8C48B45A03A7E80640E53A233.exe
- Suspicious use of WriteProcessMemory (IoCs: 64)
  Processes: 23B164D8C48B45A03A7E80640E53A233.exe
  description | pid | process | target process
  PID 1096 wrote to memory of 1256 | 1096 | 23B164D8C48B45A03A7E80640E53A233.exe | Explorer.EXE
  (this identical entry is recorded 64 times; the repeats are omitted here)
Processes
- Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Level 2: C:\Users\Admin\AppData\Local\Temp\23B164D8C48B45A03A7E80640E53A233.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\23B164D8C48B45A03A7E80640E53A233.exe"
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\explorer.exe
      Command line: explorer.exe
    - Level 3: C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    - Level 3: C:\Users\Admin\AppData\Local\Temp\23B164D8C48B45A03A7E80640E53A233.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\23B164D8C48B45A03A7E80640E53A233.exe"
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Level 4: C:\dir\install\install\SVCHOST.exe
        Command line: "C:\dir\install\install\SVCHOST.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
  MD5: 130e99a265bad9ae46a3c07f5f119b26
  SHA1: ce5907b4275bda3b33a2df9d76d731c79f88289a
  SHA256: 79f36982d1a5015380674bb36e6d6655de966e8e9e51c643f0a97c4a60afca34
  SHA512: 99ae064e03e55d1c940d864070edb9be595e22e5ebaae3f0916105eaa205abfdb54c4d5b527a7c4dca1dfcc3c33da5098627593a1cc306d87b2a64630d45e6f5
- C:\dir\install\install\SVCHOST.exe
  MD5: 23b164d8c48b45a03a7e80640e53a233
  SHA1: 0a2e835662940927e63d510e955839e4ffdf0b69
  SHA256: 70a9324fd74829cb87228210962e4b68747f6203b4de74e061d67fc4b7f5da51
  SHA512: 91bc27fb283068a358986c03be925404f2eac56016da52c99cf3df519dbadb08d52f83b5ea654cd39d6b56c8bc2e3cf1b6306e98167d7c4facd22fcc298ac7fb
- \??\c:\dir\install\install\SVCHOST.exe
  MD5: 23b164d8c48b45a03a7e80640e53a233
  SHA1: 0a2e835662940927e63d510e955839e4ffdf0b69
  SHA256: 70a9324fd74829cb87228210962e4b68747f6203b4de74e061d67fc4b7f5da51
  SHA512: 91bc27fb283068a358986c03be925404f2eac56016da52c99cf3df519dbadb08d52f83b5ea654cd39d6b56c8bc2e3cf1b6306e98167d7c4facd22fcc298ac7fb
- \dir\install\install\SVCHOST.exe
  MD5: 23b164d8c48b45a03a7e80640e53a233
  SHA1: 0a2e835662940927e63d510e955839e4ffdf0b69
  SHA256: 70a9324fd74829cb87228210962e4b68747f6203b4de74e061d67fc4b7f5da51
  SHA512: 91bc27fb283068a358986c03be925404f2eac56016da52c99cf3df519dbadb08d52f83b5ea654cd39d6b56c8bc2e3cf1b6306e98167d7c4facd22fcc298ac7fb
- \dir\install\install\SVCHOST.exe
  MD5: 23b164d8c48b45a03a7e80640e53a233
  SHA1: 0a2e835662940927e63d510e955839e4ffdf0b69
  SHA256: 70a9324fd74829cb87228210962e4b68747f6203b4de74e061d67fc4b7f5da51
  SHA512: 91bc27fb283068a358986c03be925404f2eac56016da52c99cf3df519dbadb08d52f83b5ea654cd39d6b56c8bc2e3cf1b6306e98167d7c4facd22fcc298ac7fb
- memory/1096-60-0x0000000075201000-0x0000000075203000-memory.dmp
  Filesize: 8KB
- memory/1588-110-0x0000000000000000-mapping.dmp
- memory/1784-65-0x0000000074C81000-0x0000000074C83000-memory.dmp
  Filesize: 8KB
- memory/1784-68-0x00000000000A0000-0x00000000000A1000-memory.dmp
  Filesize: 4KB
- memory/1784-69-0x0000000000120000-0x0000000000121000-memory.dmp
  Filesize: 4KB
- memory/1784-103-0x0000000024080000-0x00000000240E2000-memory.dmp
  Filesize: 392KB
- memory/1784-63-0x0000000000000000-mapping.dmp
- memory/1964-106-0x0000000000000000-mapping.dmp