Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15-05-2021 08:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: 43bbe26ae8e84675abd49903be937783f94822a4e53608c57ed4201dd06a1c28.exe
- Resource: win7v20210410
General
- Target: 43bbe26ae8e84675abd49903be937783f94822a4e53608c57ed4201dd06a1c28.exe
- Size: 1.3MB
- MD5: 64b79967a225599df24a4bc187dfa825
- SHA1: aa8520f7e61df4cdf3d26ae4339b72fa67b4742b
- SHA256: 43bbe26ae8e84675abd49903be937783f94822a4e53608c57ed4201dd06a1c28
- SHA512: d4ab3a6c1784c8fe2d1b048b400aaac580e2bce21d751a17e20bbcac602fbfa07d00d01e5d9d8c2caee781e47acbe4e64eea0391519bc03d4d369a5f5b2adb54
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: Server.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Sysfiles/"
  Userinit is a comma-separated list of programs that Winlogon starts at every interactive logon, so the appended entry runs alongside the stock userinit.exe (ATT&CK T1547.004). The value names a system32 path while the file-system activity below lands in SysWOW64: Server.exe is a 32-bit process (its child cmd.exe runs from C:\Windows\SysWOW64), so its file writes to system32 are subject to WOW64 redirection, whereas this registry write is not, as the recorded key path shows.
- Executes dropped EXE (6 IoCs)
  PID 3932  7za.exe
  PID 2104  Server.exe
  PID 1960  1.exe
  PID 2812  2.exe
  PID 1420  7za.exe
  PID 3048  Server.exe
- UPX packed file (2 IoCs)
  yara rule upx: C:\Users\Admin\AppData\Local\Temp\2.exe (matched twice)
- Windows security modification (1 IoC)
  Process: Server.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  The key sits under WOW6432Node because the writer is 32-bit; AntiVirusDisableNotify is the legacy (XP SP2-era) Security Center setting that suppresses the missing-antivirus notification.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Server.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlog = "C:\\Windows\\system32\\Sysfiles/"
- Drops file in System32 directory (3 IoCs)
  Process: Server.exe
  File created: C:\Windows\SysWOW64\Sysfiles\
  File opened for modification: C:\Windows\SysWOW64\Sysfiles\
  File opened for modification: C:\Windows\SysWOW64\
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3048  Server.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Process: Server.exe (PID 3048) adjusted the following token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3048  Server.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  Each line is parent PID -> child PID (parent process -> child process); the sandbox logged most edges more than once, so the repeat count is given.
  672 -> 3960   43bbe26ae8e84675abd49903be937783f94822a4e53608c57ed4201dd06a1c28.exe -> cmd.exe (x3)
  3960 -> 3932  cmd.exe -> 7za.exe (x3)
  672 -> 2104   43bbe26ae8e84675abd49903be937783f94822a4e53608c57ed4201dd06a1c28.exe -> Server.exe (x2)
  2104 -> 1960  Server.exe -> 1.exe (x2)
  2104 -> 2812  Server.exe -> 2.exe (x3)
  2812 -> 748   2.exe -> cmd.exe (x3)
  748 -> 1420   cmd.exe -> 7za.exe (x3)
  2812 -> 3048  2.exe -> Server.exe (x3)
  3048 -> 3792  Server.exe -> cmd.exe (x3)
  3048 -> 3980  Server.exe -> cmd.exe (x3)
  3792 -> 3204  cmd.exe -> attrib.exe (x3)
  3980 -> 4000  cmd.exe -> attrib.exe (x3)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 4000  attrib.exe
  PID 3204  attrib.exe
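The signatures above translate directly into a host-side check. The following script is an added example and not part of the sandbox report or the sample; it reads the Winlogon Userinit value, the Run key of every loaded user hive, both views of the Security Center key, and the file artifacts (the Sysfiles directory, the dropped files in %APPDATA% and the +s +h attributes attrib.exe set). It assumes an elevated PowerShell prompt on the host under investigation and checks only the profile of the user running it; the SHA256 values are copied from the Downloads section of this report.

```powershell
# Added example (not part of the sandbox report): read-only host hunt for the
# persistence and defense-evasion artifacts the report attributes to Server.exe.
# Run from an elevated PowerShell prompt on the host under investigation.

# SHA256 values taken from the report's Downloads section; used to identify
# dropped files even if they were renamed or moved.
$ReportSha256 = @{
    '3926887bb943104bffdc018d9324dff4a1be9730050f7552fe44ef8838c0a31f' = 'Server.exe (first variant)'
    'efc6956cb8bdc30b27a126a340e8c2571200d0756bd5e1fad909d4e6d9193c9a' = 'Server.exe (second variant)'
    'c469b11a725f9f7e888f488a88ab1d1d2dd622de8212cdfc58e77224d52f5d13' = '1.exe'
    'e3b0136f3e4ae1379516df2cd142f573e1a96635fd378f0569ca0aa92064ad6f' = '2.exe'
    'c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf' = '7za.exe'
}

# Userinit is normally exactly "<SystemRoot>\system32\userinit.exe," (trailing comma).
# Every additional comma-separated entry is started by Winlogon at logon.
function Test-UserinitTampering {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name Userinit).Userinit
    $stock = Join-Path $env:SystemRoot 'system32\userinit.exe'
    $entries = $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $extra = @($entries | Where-Object { $_ -ne $stock })   # -ne is case-insensitive in PowerShell
    [pscustomobject]@{ Check = 'Winlogon\Userinit'; Value = $value; Suspicious = ($extra.Count -gt 0); Extra = ($extra -join ' ; ') }
}

# The report's Run value is named "Winlog" and points at the Sysfiles path. Check every
# loaded user hive, not only HKCU, since the victim SID may not be the current user.
function Test-RunKeyWinlog {
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $run = "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $run)) { continue }
        foreach ($p in (Get-ItemProperty -Path $run).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
            if ($p.Name -eq 'Winlog' -or "$($p.Value)" -match 'Sysfiles') {
                [pscustomobject]@{ Check = 'Run key'; Hive = $hive.PSChildName; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

# AntiVirusDisableNotify = 1 under the WOW6432Node view is what the report recorded;
# the native view is checked as well in case a 64-bit stage writes it.
function Test-SecurityCenterNotify {
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Security Center', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center') {
        $v = (Get-ItemProperty -Path $key -Name AntiVirusDisableNotify -ErrorAction SilentlyContinue).AntiVirusDisableNotify
        if ($null -ne $v) {
            [pscustomobject]@{ Check = 'Security Center'; Key = $key; AntiVirusDisableNotify = $v; Suspicious = ("$v" -eq '1') }
        }
    }
}

# File artifacts: the Sysfiles directory (SysWOW64 is where the 32-bit write landed),
# the dropped binaries in %APPDATA%, and the +s +h attributes attrib.exe applied.
function Test-FileArtifacts {
    $paths = @(
        (Join-Path $env:SystemRoot 'SysWOW64\Sysfiles'),
        (Join-Path $env:SystemRoot 'system32\Sysfiles'),
        (Join-Path $env:APPDATA 'Server.exe'),
        (Join-Path $env:APPDATA 'Server.7z'),
        (Join-Path $env:APPDATA '7za.exe'),
        $env:APPDATA
    )
    foreach ($path in $paths) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue   # -Force returns hidden/system items
        if (-not $item) { continue }
        $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        $system = [bool]($item.Attributes -band [IO.FileAttributes]::System)
        $known = $null
        if (-not $item.PSIsContainer) {
            $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
            $known = $ReportSha256[$sha]   # $null when the file is not one of the report's hashes
        }
        [pscustomobject]@{ Check = 'File'; Path = $path; HiddenAndSystem = ($hidden -and $system); MatchesReport = $known }
    }
}

Test-UserinitTampering | Format-List
Test-RunKeyWinlog      | Format-Table -AutoSize
Test-SecurityCenterNotify | Format-Table -AutoSize
Test-FileArtifacts     | Format-Table -AutoSize
```

A non-empty Extra field from the Userinit check or a HiddenAndSystem file in %APPDATA% is a finding on its own; a MatchesReport value ties the file to this specific sample. The file checks only cover the profile of the user running the script, so on a shared host loop the same paths over C:\Users\*\AppData\Roaming.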
Processes
The bracketed number is the depth in the tree. Two Server.exe instances run (PIDs 2104 and 3048); only the second, launched by 2.exe after a second extraction of Server.7z, performs the persistence, Security Center and attrib steps. The 7-Zip archive password (HVLnt5Dy) is passed in clear on the command line both times.
- [1] C:\Users\Admin\AppData\Local\Temp\43bbe26ae8e84675abd49903be937783f94822a4e53608c57ed4201dd06a1c28.exe (PID 672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\43bbe26ae8e84675abd49903be937783f94822a4e53608c57ed4201dd06a1c28.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 3960)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\7za.exe (PID 3932)
      Command line: "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
      - Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Roaming\Server.exe (PID 2104)
    Command line: C:\Users\Admin\AppData\Roaming\Server.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\1.exe (PID 1960)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
      - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\2.exe (PID 2812)
      Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 748)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Roaming\7za.exe (PID 1420)
          Command line: "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
          - Executes dropped EXE
      - [4] C:\Users\Admin\AppData\Roaming\Server.exe (PID 3048)
        Command line: C:\Users\Admin\AppData\Roaming\Server.exe
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\cmd.exe (PID 3792)
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\attrib.exe (PID 3204)
            Command line: attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h
            - Views/modifies file attributes
        - [5] C:\Windows\SysWOW64\cmd.exe (PID 3980)
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\attrib.exe (PID 4000)
            Command line: attrib "C:\Users\Admin\AppData\Roaming" +s +h
            - Views/modifies file attributes
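The process tree is also the basis for a behavioural detection that does not depend on file hashes. The script below is an added example, not part of the report or of any vendor's rule set; it scores process-creation records shaped like Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, ParentImage, CommandLine) against the three patterns visible above: 7za.exe extracting a password-protected archive out of the user profile, attrib.exe applying +s +h under AppData, and executables starting from %TEMP% or %APPDATA%. The sample records are constructed from the PIDs and command lines in this report; the parent of the root process is not shown in the report and is set to 0.

```powershell
# Added example (not part of the sandbox report): scores process-creation records
# against the execution chain shown in the process tree. Records carry the Sysmon
# Event ID 1 fields ProcessId, ParentProcessId, Image and CommandLine; the sample
# set below is constructed from the report's PIDs and command lines.

$ChainRules = @(
    @{ Name = '7-Zip extracting a password-protected archive from the user profile'
       Test = { param($r) ($r.Image -match '\\7za?\.exe$' -and
                           $r.CommandLine -match '(^|\s)"?x"?(\s|$)' -and     # "x" = extract with full paths
                           $r.CommandLine -match '(^|\s)"?-p\S' -and          # -p<password> on the command line
                           $r.CommandLine -match '\\AppData\\') } }
    @{ Name = 'attrib.exe setting +s +h on a path under AppData'
       Test = { param($r) ($r.Image -match '\\attrib\.exe$' -and
                           $r.CommandLine -match '\+s' -and $r.CommandLine -match '\+h' -and
                           $r.CommandLine -match '\\AppData(\\|"|$)') } }
    @{ Name = 'executable started from %TEMP% or %APPDATA%'
       Test = { param($r) $r.Image -match '\\AppData\\(Local\\Temp|Roaming)\\[^\\]+\.exe$' } }
)

# Walk the parent chain so a finding shows where the process came from, e.g.
# attrib.exe <- cmd.exe <- Server.exe <- 2.exe <- Server.exe <- <sample>.exe
function Get-Ancestry {
    param($Record, $ByPid)
    $chain = @([IO.Path]::GetFileName($Record.Image))
    $cur = $Record
    $seen = @{}
    while ($ByPid.ContainsKey($cur.ParentProcessId) -and -not $seen[$cur.ProcessId]) {
        $seen[$cur.ProcessId] = $true          # guards against PID reuse creating a cycle
        $cur = $ByPid[$cur.ParentProcessId]
        $chain += [IO.Path]::GetFileName($cur.Image)
    }
    $chain -join ' <- '
}

function Invoke-ChainRules {
    param([object[]]$Records)
    $byPid = @{}
    foreach ($r in $Records) { $byPid[$r.ProcessId] = $r }
    foreach ($r in $Records) {
        foreach ($rule in $ChainRules) {
            if (& $rule.Test $r) {
                [pscustomobject]@{ Pid = $r.ProcessId; Rule = $rule.Name; Ancestry = (Get-Ancestry $r $byPid); CommandLine = $r.CommandLine }
            }
        }
    }
}

# Constructed sample records, copied from the report's process tree.
function New-Rec($ProcessId, $ParentProcessId, $Image, $CommandLine) {
    [pscustomobject]@{ ProcessId = $ProcessId; ParentProcessId = $ParentProcessId; Image = $Image; CommandLine = $CommandLine }
}
$Dropper = 'C:\Users\Admin\AppData\Local\Temp\43bbe26ae8e84675abd49903be937783f94822a4e53608c57ed4201dd06a1c28.exe'
$SampleRecords = @(
    (New-Rec 672  0    $Dropper "`"$Dropper`""),                                   # parent not shown in the report
    (New-Rec 3960 672  'C:\Windows\SysWOW64\cmd.exe' 'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""'),
    (New-Rec 3932 3960 'C:\Users\Admin\AppData\Roaming\7za.exe' '"C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"'),
    (New-Rec 2104 672  'C:\Users\Admin\AppData\Roaming\Server.exe' 'C:\Users\Admin\AppData\Roaming\Server.exe'),
    (New-Rec 2812 2104 'C:\Users\Admin\AppData\Local\Temp\2.exe' '"C:\Users\Admin\AppData\Local\Temp\2.exe"'),
    (New-Rec 3048 2812 'C:\Users\Admin\AppData\Roaming\Server.exe' 'C:\Users\Admin\AppData\Roaming\Server.exe'),
    (New-Rec 3792 3048 'C:\Windows\SysWOW64\cmd.exe' '"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h'),
    (New-Rec 3204 3792 'C:\Windows\SysWOW64\attrib.exe' 'attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h'),
    (New-Rec 3980 3048 'C:\Windows\SysWOW64\cmd.exe' '"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h'),
    (New-Rec 4000 3980 'C:\Windows\SysWOW64\attrib.exe' 'attrib "C:\Users\Admin\AppData\Roaming" +s +h')
)

Invoke-ChainRules -Records $SampleRecords | Format-Table -AutoSize -Wrap
```

On the sample set, PIDs 672, 2104, 2812 and 3048 match the AppData-origin rule, 3932 matches both that rule and the 7-Zip rule, and 3204 and 4000 match the attrib rule, each with its full ancestry back to the dropper. To run it against a live host, pull Sysmon Event ID 1 with Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log and map the EventData fields to the same property names; the 7-Zip rule is the most specific of the three, since the 7za.exe binary here is a legitimate 7-Zip build (hash in the Downloads section) and only its use from %APPDATA% with a cleartext -p password is unusual.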
Network
MITRE ATT&CK Enterprise v6
Downloads
Files written during the run, one entry per distinct path and content. Server.7z and Server.exe each appear with two different hashes, one per extraction.
- C:\Users\Admin\AppData\Local\Temp\1.exe
  MD5: 7fe12174838117f5d005e89212ea4c2b
  SHA1: 8a1595ae7d46568feebfb7cd527cab9aa2f15054
  SHA256: c469b11a725f9f7e888f488a88ab1d1d2dd622de8212cdfc58e77224d52f5d13
  SHA512: c36ade83736c666fcb57520d0587ac1c56c073a9a61db056110c4c4555228f5e2179db67159b3847184d1117e8e3ccc14baf79d2e09bd8314ea2ea8b02594a2c
- C:\Users\Admin\AppData\Local\Temp\2.exe
  MD5: 6473095bd2dd08c83d0c00c2797c18e9
  SHA1: 6134dfef47b7e77220c1d2bd93f741089bd36543
  SHA256: e3b0136f3e4ae1379516df2cd142f573e1a96635fd378f0569ca0aa92064ad6f
  SHA512: 5debe141f5f95fdccf0bdf450d707d662988851c2295edc7b092e3100f2fa72dd518a2c8f97a9fe998283b46c6913331d3c743e9e0ea23a63942a4ac208bad06
- C:\Users\Admin\AppData\Local\Temp\Server.exe (first variant)
  MD5: 354b9d3773f9f2d7c259f9db24748e56
  SHA1: 1a09005a6fee7c59094b90b35f753664d001cfe0
  SHA256: 3926887bb943104bffdc018d9324dff4a1be9730050f7552fe44ef8838c0a31f
  SHA512: 7cb52ab25ce527b71dba729660abcbfccebf7d634a960c440f5ae4748d27fc820a500ab24ec3c4ac1dfa77921cc22126eeacc085d5797bbcdefbb03623cb7515
- C:\Users\Admin\AppData\Local\Temp\Server.exe (second variant)
  MD5: 3f972991396ba33161eeedc5bf3ceb30
  SHA1: f2a0ddb29dfbaefc337e730894e6d94ee3eb8ba7
  SHA256: efc6956cb8bdc30b27a126a340e8c2571200d0756bd5e1fad909d4e6d9193c9a
  SHA512: c5623c5d572af7fff5c3b9c9cda7c6cf23ebca99ab3ac5e6585797b2708c7e16b00422d3c17d057cef7265a28c6fc86b748aa3a4ba0f8719a5140755cb5aed46
- C:\Users\Admin\AppData\Roaming\7za.exe
  MD5: 42badc1d2f03a8b1e4875740d3d49336
  SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
  SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
  SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
- C:\Users\Admin\AppData\Roaming\Server.7z (first variant)
  MD5: 90860dfd93be99d4ec902a80902ab0a7
  SHA1: 8dd0a644201da189f4de7c91e82c8645f48704cb
  SHA256: f99cbf507206427127e2bc34d1c5f2809abc253cd3af12e73a89fc927ab45ae9
  SHA512: fed208841e1db6a9e74264d4ad2de02eaf29de492f73921183c43dff64338d10acdea62ec6275dee83a154f78b9e7915715bd6effcaf6ed144c5c17e2538619a
- C:\Users\Admin\AppData\Roaming\Server.7z (second variant)
  MD5: 8671c40dd1af5ea83847cd470c950c71
  SHA1: 5bc2e0a63bc29168cdd06692c50c1f79410322be
  SHA256: 9af8ea85d0b0a38251dac9d06eb3392376ad6aaa75448f34c1f0b90133496a47
  SHA512: 76afe6d4805bddf5de0998e99ef3fdab9203fc3b7ac7efcb087fa070682c4168324ff969ab9d48a3c7cd5eeb4da757f5f6059651d248e267435fcaac219c33d0
- C:\Users\Admin\AppData\Roaming\Server.exe (first variant, same content as the Temp copy)
  MD5: 354b9d3773f9f2d7c259f9db24748e56
  SHA1: 1a09005a6fee7c59094b90b35f753664d001cfe0
  SHA256: 3926887bb943104bffdc018d9324dff4a1be9730050f7552fe44ef8838c0a31f
  SHA512: 7cb52ab25ce527b71dba729660abcbfccebf7d634a960c440f5ae4748d27fc820a500ab24ec3c4ac1dfa77921cc22126eeacc085d5797bbcdefbb03623cb7515
- C:\Users\Admin\AppData\Roaming\Server.exe (second variant, same content as the Temp copy)
  MD5: 3f972991396ba33161eeedc5bf3ceb30
  SHA1: f2a0ddb29dfbaefc337e730894e6d94ee3eb8ba7
  SHA256: efc6956cb8bdc30b27a126a340e8c2571200d0756bd5e1fad909d4e6d9193c9a
  SHA512: c5623c5d572af7fff5c3b9c9cda7c6cf23ebca99ab3ac5e6585797b2708c7e16b00422d3c17d057cef7265a28c6fc86b748aa3a4ba0f8719a5140755cb5aed46
Memory dumps (PID-sequence-range; mapping.dmp entries are process-mapping snapshots, memory.dmp entries are region dumps with their size)
- memory/748-129-0x0000000000000000-mapping.dmp
- memory/1420-130-0x0000000000000000-mapping.dmp
- memory/1960-123-0x0000000000000000-mapping.dmp
- memory/1960-140-0x0000000000FD5000-0x0000000000FD6000-memory.dmp (4KB)
- memory/1960-133-0x0000000000FD0000-0x0000000000FD2000-memory.dmp (8KB)
- memory/2104-122-0x0000000002BB0000-0x0000000002BB2000-memory.dmp (8KB)
- memory/2104-120-0x0000000000000000-mapping.dmp
- memory/2812-126-0x0000000000000000-mapping.dmp
- memory/3048-135-0x0000000000000000-mapping.dmp
- memory/3048-137-0x0000000000780000-0x0000000000781000-memory.dmp (4KB)
- memory/3204-141-0x0000000000000000-mapping.dmp
- memory/3792-138-0x0000000000000000-mapping.dmp
- memory/3932-115-0x0000000000000000-mapping.dmp
- memory/3960-114-0x0000000000000000-mapping.dmp
- memory/3980-139-0x0000000000000000-mapping.dmp
- memory/4000-142-0x0000000000000000-mapping.dmp