Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 20-05-2021 21:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: 15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe
- Resource: win7v20210410
General
- Target: 15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe
- Size: 3.5MB
- MD5: 0e767b6049616a694034d8158a1d0145
- SHA1: e8139d5fe7161b71da47193646e5d583f4c4bc88
- SHA256: 15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0
- SHA512: 31e79500ea24800c4d266aa0f1f1b0411ca2533e8e098b468a491b5d8769ae38601d45d9ec43074be689eace923ff37480dcd3691f248312eebb22e624ef9ded
Malware Config
Signatures
-
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes:
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"
Executes dropped EXE (3 IoCs)
Processes:
- PID 208: sbn.exe
- PID 2228: brokerf.exe
- PID 2820: brokerf.exe
Sets file execution options in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\39931771.exe\""
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\39931771.exe"
Checks whether UAC is enabled (2 IoCs)
Processes:
- brokerf.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- cmd.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes:
- PID 2820: brokerf.exe (1 occurrence)
- PID 668: explorer.exe (8 occurrences)
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 2228 (brokerf.exe) set thread context of PID 2820 (procid_target 91)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- brokerf.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- brokerf.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Delays execution with timeout.exe (5 IoCs)
Processes:
- PID 1192: timeout.exe
- PID 1828: timeout.exe
- PID 512: timeout.exe
- PID 192: timeout.exe
- PID 2872: timeout.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Kills process with taskkill (2 IoCs)
Processes:
- PID 528: taskkill.exe
- PID 192: taskkill.exe
Modifies Internet Explorer Protected Mode (1 TTP, 4 IoCs)
Processes:
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"
Modifies Internet Explorer Protected Mode Banner (1 TTP, 1 IoC)
Processes:
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"
Modifies Internet Explorer settings (1 IoC)
Processes:
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main
Modifies registry class (2 IoCs)
Processes:
- 15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
- cmd.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
- PID 668: explorer.exe (30 occurrences)
Suspicious behavior: MapViewOfSection (4 IoCs)
Processes:
- PID 2820: brokerf.exe (2 occurrences)
- PID 668: explorer.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Processes:
- PID 528 taskkill.exe: SeDebugPrivilege
- PID 2820 brokerf.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- PID 192 taskkill.exe: SeDebugPrivilege
- PID 668 explorer.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of WriteProcessMemory (57 IoCs)
Processes (source PID wrote to memory of target PID; source process and procid_target in parentheses; trailing count is the number of times the event was recorded):
- PID 668 wrote to memory of 3808 (15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe, procid_target 75) x3
- PID 3808 wrote to memory of 560 (WScript.exe, procid_target 76) x3
- PID 560 wrote to memory of 192 (cmd.exe, procid_target 78) x3
- PID 560 wrote to memory of 208 (cmd.exe, procid_target 79) x3
- PID 560 wrote to memory of 2872 (cmd.exe, procid_target 80) x3
- PID 560 wrote to memory of 1308 (cmd.exe, procid_target 83) x3
- PID 560 wrote to memory of 1192 (cmd.exe, procid_target 84) x3
- PID 1308 wrote to memory of 1724 (WScript.exe, procid_target 85) x3
- PID 1724 wrote to memory of 1592 (cmd.exe, procid_target 87) x3
- PID 1724 wrote to memory of 1828 (cmd.exe, procid_target 88) x3
- PID 1724 wrote to memory of 2228 (cmd.exe, procid_target 90) x3
- PID 2228 wrote to memory of 2820 (brokerf.exe, procid_target 91) x5
- PID 1724 wrote to memory of 528 (cmd.exe, procid_target 92) x3
- PID 1724 wrote to memory of 192 (cmd.exe, procid_target 93) x3
- PID 1724 wrote to memory of 2840 (cmd.exe, procid_target 94) x3
- PID 1724 wrote to memory of 512 (cmd.exe, procid_target 95) x3
- PID 2820 wrote to memory of 668 (brokerf.exe, procid_target 96) x3
- PID 668 wrote to memory of 1724 (explorer.exe, procid_target 85) x2
- PID 668 wrote to memory of 512 (explorer.exe, procid_target 95) x2
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
- PID 1592: attrib.exe
- PID 2840: attrib.exe
Processes (indentation shows the parent/child tree; each entry gives the image path, PID, command line and matched signatures)

C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe (PID 668)
Command: "C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"
- Modifies registry class
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe (PID 3808)
  Command: "C:\Windows\System32\WScript.exe" "C:\log\cnvk\ftoris.vbs"
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 560)
    Command: C:\Windows\system32\cmd.exe /c ""C:\log\cnvk\yioi.bat" "
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe (PID 192)
      Command: timeout 0
      - Delays execution with timeout.exe

      C:\log\cnvk\sbn.exe (PID 208)
      Command: "sbn.exe" e -pyu7y8y87ds8yhsd89scd99 37419879283209asda0su9jho90asdf0s9.rar
      - Executes dropped EXE

      C:\Windows\SysWOW64\timeout.exe (PID 2872)
      Command: timeout 4
      - Delays execution with timeout.exe

      C:\Windows\SysWOW64\WScript.exe (PID 1308)
      Command: "C:\Windows\System32\WScript.exe" "C:\log\cnvk\oll.vbs"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1724)
        Command: C:\Windows\system32\cmd.exe /c ""C:\log\cnvk\p541seed.bat" "
        - Checks whether UAC is enabled
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\attrib.exe (PID 1592)
          Command: attrib +s +h "C:\log\"
          - Views/modifies file attributes

          C:\Windows\SysWOW64\timeout.exe (PID 1828)
          Command: timeout 2
          - Delays execution with timeout.exe

          C:\log\cnvk\brokerf.exe (PID 2228)
          Command: brokerf.exe /start
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

            C:\log\cnvk\brokerf.exe (PID 2820)
            Command: brokerf.exe /start
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

              C:\Windows\SysWOW64\explorer.exe (PID 668)
              Command: C:\Windows\SysWOW64\explorer.exe
              - Modifies firewall policy service
              - Checks BIOS information in registry
              - Adds Run key to start application
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Checks processor information in registry
              - Enumerates system info in registry
              - Modifies Internet Explorer Protected Mode
              - Modifies Internet Explorer Protected Mode Banner
              - Modifies Internet Explorer settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\taskkill.exe (PID 528)
          Command: taskkill /f /im sbn.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\taskkill.exe (PID 192)
          Command: taskkill /f /im sbn.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\attrib.exe (PID 2840)
          Command: attrib -s -h "C:\log\cnvk\brokerf.exe"
          - Views/modifies file attributes

          C:\Windows\SysWOW64\timeout.exe (PID 512)
          Command: timeout 6
          - Delays execution with timeout.exe

      C:\Windows\SysWOW64\timeout.exe (PID 1192)
      Command: timeout 6
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads