Analysis
- max time kernel: 148s
- max time network: 161s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 13-05-2021 12:00

Static task: static1

Behavioral task: behavioral1
- Sample: 0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: 0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe
- Resource: win10v20210408
General
- Target: 0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe
- Size: 1.6MB
- MD5: ccbde79e9dcbb71a79820b1f5d0fe6f5
- SHA1: d83fbc9fa5aa59aa093891b599659e6fb7bbcc7d
- SHA256: 0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca
- SHA512: 362fdc897419de502228b7673a9613eedec2baeed7dd10a2462840ab049819882ad29d75964df5c9da7a6f549ba9ff48a86f64515caa79ce8fe38ab3f7000751
Malware Config

Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 3500: winini.exe
  - PID 1616: òíàùí.exe
  - PID 3008: winhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - winini.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Live = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winini.exe"
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 3500 (winini.exe) set thread context of PID 3008 (winhost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes:
  - PID 3500 (winini.exe): Token SeDebugPrivilege
  - PID 3008 (winhost.exe): Token SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, Token 33, Token 34, Token 35, Token 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - PID 3008: winhost.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  - PID 636 (0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe) wrote to memory of PID 3500 (winini.exe): 3 events
  - PID 636 (0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe) wrote to memory of PID 1616 (òíàùí.exe): 2 events
  - PID 3500 (winini.exe) wrote to memory of PID 3008 (winhost.exe): 14 events
Processes
- C:\Users\Admin\AppData\Local\Temp\0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe, command line "C:\Users\Admin\AppData\Local\Temp\0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca.exe", PID 636
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\winini.exe, command line "C:\Users\Admin\AppData\Local\Temp\winini.exe", PID 3500
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\winhost.exe, command line C:\Users\Admin\AppData\Local\Temp\winhost.exe, PID 3008
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\òíàùí.exe, command line "C:\Users\Admin\AppData\Local\Temp\òíàùí.exe", PID 1616
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\winhost.exe
  MD5: dd0ee56841e535a3a3ae7c20c32de9cd
  SHA1: fc1ea172fd3c67a00e37f930f7595784fc0d1f84
  SHA256: 8649df38276968d1417ec064360339610ff644491c87eb8ac2b2e67e7cbe47c9
  SHA512: ee6a7982e194a5a24f5bd596d1ad6582defcababa19ea8011ba71ead2ee8945dce9f5af56e47b088c16ca00cb6c7225cc18b9b6f026e623283c0e02f9bed524e
- C:\Users\Admin\AppData\Local\Temp\winini.exe
  MD5: a8590dc96290e160b7518cfbc2b60bba
  SHA1: e1f2ad4c512f33e5232d15f700d3850b947aa9ab
  SHA256: 9869f7a1218218380c9f05f0d50b2c0fc7a2c153cf1a9a238651236767c2e252
  SHA512: 2381a5cfa84b321a27832072cc514adcf1ee52864b105fe205a308afbde71c7606e80527e1f0ec8fb12c87f834ee4cfada7c2f731f7eeed92070df23aaed5aa0
- C:\Users\Admin\AppData\Local\Temp\òíàùí.exe
  MD5: 32cbecf1c0b588ef3ab1c700f5bd7c8d
  SHA1: 1ef6254aa8fbfd0e0be522540937b673f292a339
  SHA256: d4aa281ba3424b4160c40a898e314d0ba4a7bd2532a10f5ba965f90b98f64294
  SHA512: 65201ccfa400454d34916faba7238ae315e00b029a8a213a4990aa302c9512bdcd8982038f06435cd5f62d107c5f2e1de9149da14437d09686b7fd7a4b4ee882
- memory/636-114-0x00000000014E0000-0x00000000014E1000-memory.dmp (filesize 4KB)
- memory/1616-130-0x0000000000884000-0x0000000000885000-memory.dmp (filesize 4KB)
- memory/1616-118-0x0000000000000000-mapping.dmp
- memory/1616-129-0x0000000000882000-0x0000000000884000-memory.dmp (filesize 8KB)
- memory/1616-127-0x0000000000880000-0x0000000000882000-memory.dmp (filesize 8KB)
- memory/3008-122-0x0000000000400000-0x00000000004C3000-memory.dmp (filesize 780KB)
- memory/3008-126-0x0000000000400000-0x00000000004C3000-memory.dmp (filesize 780KB)
- memory/3008-123-0x000000000049F92C-mapping.dmp
- memory/3008-128-0x0000000000550000-0x000000000069A000-memory.dmp (filesize 1.3MB)
- memory/3500-121-0x00000000029C0000-0x00000000029C1000-memory.dmp (filesize 4KB)
- memory/3500-115-0x0000000000000000-mapping.dmp