Analysis
- max time kernel: 142s
- max time network: 179s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 13-05-2021 12:00
Static task: static1
Behavioral task: behavioral1
  Sample: 0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe
  Resource: win10v20210408
General
- Target: 0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe
- Size: 1.6MB
- MD5: ccbde79e9dcbb71a79820b1f5d0fe6f5
- SHA1: d83fbc9fa5aa59aa093891b599659e6fb7bbcc7d
- SHA256: 0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca
- SHA512: 362fdc897419de502228b7673a9613eedec2baeed7dd10a2462840ab049819882ad29d75964df5c9da7a6f549ba9ff48a86f64515caa79ce8fe38ab3f7000751
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    1128  winini.exe
    1308  ÞÙËäÙ.exe
    1724  winhost.exe
- Loads dropped DLL (4 IoCs)
  Processes:
    pid   process
    1652  0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe
    1652  0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe
    1652  0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe
    1128  winini.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                                  process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Live = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winini.exe"  winini.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                               pid   process      target process
    PID 1128 set thread context of 1724       1128  winini.exe   winhost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes:
    description                          pid   process
    Token: SeDebugPrivilege              1128  winini.exe
    Token: SeIncreaseQuotaPrivilege      1724  winhost.exe
    Token: SeSecurityPrivilege           1724  winhost.exe
    Token: SeTakeOwnershipPrivilege      1724  winhost.exe
    Token: SeLoadDriverPrivilege         1724  winhost.exe
    Token: SeSystemProfilePrivilege      1724  winhost.exe
    Token: SeSystemtimePrivilege         1724  winhost.exe
    Token: SeProfSingleProcessPrivilege  1724  winhost.exe
    Token: SeIncBasePriorityPrivilege    1724  winhost.exe
    Token: SeCreatePagefilePrivilege     1724  winhost.exe
    Token: SeBackupPrivilege             1724  winhost.exe
    Token: SeRestorePrivilege            1724  winhost.exe
    Token: SeShutdownPrivilege           1724  winhost.exe
    Token: SeDebugPrivilege              1724  winhost.exe
    Token: SeSystemEnvironmentPrivilege  1724  winhost.exe
    Token: SeChangeNotifyPrivilege       1724  winhost.exe
    Token: SeRemoteShutdownPrivilege     1724  winhost.exe
    Token: SeUndockPrivilege             1724  winhost.exe
    Token: SeManageVolumePrivilege       1724  winhost.exe
    Token: SeImpersonatePrivilege        1724  winhost.exe
    Token: SeCreateGlobalPrivilege       1724  winhost.exe
    Token: 33                            1724  winhost.exe
    Token: 34                            1724  winhost.exe
    Token: 35                            1724  winhost.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    1724  winhost.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
    description                         pid   process                                                                  target process
    PID 1652 wrote to memory of 1128    1652  0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe    winini.exe
    PID 1652 wrote to memory of 1128    1652  0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe    winini.exe
    PID 1652 wrote to memory of 1128    1652  0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe    winini.exe
    PID 1652 wrote to memory of 1128    1652  0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe    winini.exe
    PID 1652 wrote to memory of 1308    1652  0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe    ÞÙËäÙ.exe
    PID 1652 wrote to memory of 1308    1652  0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe    ÞÙËäÙ.exe
    PID 1652 wrote to memory of 1308    1652  0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe    ÞÙËäÙ.exe
    PID 1652 wrote to memory of 1308    1652  0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe    ÞÙËäÙ.exe
    PID 1128 wrote to memory of 1724    1128  winini.exe                                                               winhost.exe
    PID 1128 wrote to memory of 1724    1128  winini.exe                                                               winhost.exe
    PID 1128 wrote to memory of 1724    1128  winini.exe                                                               winhost.exe
    PID 1128 wrote to memory of 1724    1128  winini.exe                                                               winhost.exe
    PID 1128 wrote to memory of 1724    1128  winini.exe                                                               winhost.exe
    PID 1128 wrote to memory of 1724    1128  winini.exe                                                               winhost.exe
    PID 1128 wrote to memory of 1724    1128  winini.exe                                                               winhost.exe
    PID 1128 wrote to memory of 1724    1128  winini.exe                                                               winhost.exe
    PID 1128 wrote to memory of 1724    1128  winini.exe                                                               winhost.exe
    PID 1128 wrote to memory of 1724    1128  winini.exe                                                               winhost.exe
    PID 1128 wrote to memory of 1724    1128  winini.exe                                                               winhost.exe
    PID 1128 wrote to memory of 1724    1128  winini.exe                                                               winhost.exe
    PID 1128 wrote to memory of 1724    1128  winini.exe                                                               winhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe"
  PID: 1652
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\winini.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\winini.exe"
    PID: 1128
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\winhost.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\winhost.exe
      PID: 1724
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\ÞÙËäÙ.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ÞÙËäÙ.exe"
    PID: 1308
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\winhost.exe
  MD5: ed797d8dc2c92401985d162e42ffa450
  SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2
- C:\Users\Admin\AppData\Local\Temp\winini.exe
  MD5: a8590dc96290e160b7518cfbc2b60bba
  SHA1: e1f2ad4c512f33e5232d15f700d3850b947aa9ab
  SHA256: 9869f7a1218218380c9f05f0d50b2c0fc7a2c153cf1a9a238651236767c2e252
  SHA512: 2381a5cfa84b321a27832072cc514adcf1ee52864b105fe205a308afbde71c7606e80527e1f0ec8fb12c87f834ee4cfada7c2f731f7eeed92070df23aaed5aa0
- C:\Users\Admin\AppData\Local\Temp\winini.exe
  MD5: a8590dc96290e160b7518cfbc2b60bba
  SHA1: e1f2ad4c512f33e5232d15f700d3850b947aa9ab
  SHA256: 9869f7a1218218380c9f05f0d50b2c0fc7a2c153cf1a9a238651236767c2e252
  SHA512: 2381a5cfa84b321a27832072cc514adcf1ee52864b105fe205a308afbde71c7606e80527e1f0ec8fb12c87f834ee4cfada7c2f731f7eeed92070df23aaed5aa0
- C:\Users\Admin\AppData\Local\Temp\ÞÙËäÙ.exe
  MD5: 32cbecf1c0b588ef3ab1c700f5bd7c8d
  SHA1: 1ef6254aa8fbfd0e0be522540937b673f292a339
  SHA256: d4aa281ba3424b4160c40a898e314d0ba4a7bd2532a10f5ba965f90b98f64294
  SHA512: 65201ccfa400454d34916faba7238ae315e00b029a8a213a4990aa302c9512bdcd8982038f06435cd5f62d107c5f2e1de9149da14437d09686b7fd7a4b4ee882
- C:\Users\Admin\AppData\Local\Temp\ÞÙËäÙ.exe
  MD5: 32cbecf1c0b588ef3ab1c700f5bd7c8d
  SHA1: 1ef6254aa8fbfd0e0be522540937b673f292a339
  SHA256: d4aa281ba3424b4160c40a898e314d0ba4a7bd2532a10f5ba965f90b98f64294
  SHA512: 65201ccfa400454d34916faba7238ae315e00b029a8a213a4990aa302c9512bdcd8982038f06435cd5f62d107c5f2e1de9149da14437d09686b7fd7a4b4ee882
- \Users\Admin\AppData\Local\Temp\winhost.exe
  MD5: ed797d8dc2c92401985d162e42ffa450
  SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2
- \Users\Admin\AppData\Local\Temp\winini.exe
  MD5: a8590dc96290e160b7518cfbc2b60bba
  SHA1: e1f2ad4c512f33e5232d15f700d3850b947aa9ab
  SHA256: 9869f7a1218218380c9f05f0d50b2c0fc7a2c153cf1a9a238651236767c2e252
  SHA512: 2381a5cfa84b321a27832072cc514adcf1ee52864b105fe205a308afbde71c7606e80527e1f0ec8fb12c87f834ee4cfada7c2f731f7eeed92070df23aaed5aa0
- \Users\Admin\AppData\Local\Temp\winini.exe
  MD5: a8590dc96290e160b7518cfbc2b60bba
  SHA1: e1f2ad4c512f33e5232d15f700d3850b947aa9ab
  SHA256: 9869f7a1218218380c9f05f0d50b2c0fc7a2c153cf1a9a238651236767c2e252
  SHA512: 2381a5cfa84b321a27832072cc514adcf1ee52864b105fe205a308afbde71c7606e80527e1f0ec8fb12c87f834ee4cfada7c2f731f7eeed92070df23aaed5aa0
- \Users\Admin\AppData\Local\Temp\ÞÙËäÙ.exe
  MD5: 32cbecf1c0b588ef3ab1c700f5bd7c8d
  SHA1: 1ef6254aa8fbfd0e0be522540937b673f292a339
  SHA256: d4aa281ba3424b4160c40a898e314d0ba4a7bd2532a10f5ba965f90b98f64294
  SHA512: 65201ccfa400454d34916faba7238ae315e00b029a8a213a4990aa302c9512bdcd8982038f06435cd5f62d107c5f2e1de9149da14437d09686b7fd7a4b4ee882
- memory/1128-64-0x0000000000000000-mapping.dmp
- memory/1128-68-0x0000000000690000-0x0000000000691000-memory.dmp (Filesize: 4KB)
- memory/1308-70-0x0000000000000000-mapping.dmp
- memory/1308-78-0x00000000002B0000-0x00000000002B2000-memory.dmp (Filesize: 8KB)
- memory/1308-83-0x00000000002D5000-0x00000000002D6000-memory.dmp (Filesize: 4KB)
- memory/1308-82-0x00000000002B6000-0x00000000002D5000-memory.dmp (Filesize: 124KB)
- memory/1308-81-0x000007FEF2EF0000-0x000007FEF3F86000-memory.dmp (Filesize: 16.6MB)
- memory/1652-60-0x0000000076641000-0x0000000076643000-memory.dmp (Filesize: 8KB)
- memory/1652-61-0x00000000007F0000-0x00000000007F1000-memory.dmp (Filesize: 4KB)
- memory/1724-80-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
- memory/1724-79-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/1724-75-0x000000000049F92C-mapping.dmp
- memory/1724-74-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)