Analysis

  Max time kernel:   149s
  Max time network:  158s
  Platform:          windows10_x64
  Resource:          win10v20210408
  Submitted:         20-05-2021 22:03

  Static task:       static1
  Behavioral task:   behavioral1
    Sample:    15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe
    Resource:  win7v20210410

General

  Target:  15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe
  Size:    3.5MB
  MD5:     0e767b6049616a694034d8158a1d0145
  SHA1:    e8139d5fe7161b71da47193646e5d583f4c4bc88
  SHA256:  15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0
  SHA512:  31e79500ea24800c4d266aa0f1f1b0411ca2533e8e098b468a491b5d8769ae38601d45d9ec43074be689eace923ff37480dcd3691f248312eebb22e624ef9ded
Malware Config

  (no entries)

Signatures
Modifies firewall policy service  (2 TTPs, 4 IoCs)
  Process       Operation        IoC
  explorer.exe  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  explorer.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  explorer.exe  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
  explorer.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"
  Note: EnableFirewall = 0 switches the Windows Firewall off for the Standard (private) and Public profiles. Both writes come from the explorer.exe instance (PID 3004) that brokerf.exe spawned, not from the user's shell.

Executes dropped EXE  (3 IoCs)
  PID   Process
  3832  sbn.exe
  1688  brokerf.exe
  1808  brokerf.exe

Sets file execution options in registry  (2 TTPs)
  No IoCs listed.

Checks BIOS information in registry  (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Process       Operation          IoC
  explorer.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Adds Run key to start application  (2 TTPs, 4 IoCs)
  Process       Operation        IoC
  explorer.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\9k3yk779591957.exe"
  explorer.exe  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  explorer.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\9k3yk779591957.exe\""
  explorer.exe  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  Note: the same dropped file under C:\ProgramData is registered under both Run and RunOnce of the current user; the value name imitates a Google updater.

Checks whether UAC is enabled  (1 IoC)
  Heading missing in the extracted page; the signature name is taken from the process tree entry for PID 1808.
  Process      Operation          IoC
  brokerf.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Suspicious use of NtSetInformationThreadHideFromDebugger  (9 IoCs)
  PID   Process       Count
  1808  brokerf.exe   1
  3004  explorer.exe  8
  Note: ThreadHideFromDebugger stops debug events for the calling thread from reaching an attached debugger; it is an anti-analysis measure with no normal use inside explorer.exe.

Suspicious use of SetThreadContext  (1 IoC)
  PID 1688 (brokerf.exe) set the thread context of PID 1808 (brokerf.exe), procid_target 91.

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No IoCs listed; the text above is the sandbox's generic description for this signature, and the rest of the report shows no further evidence for it.

Checks processor information in registry  (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process       Operation          IoC
  brokerf.exe   Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  brokerf.exe   Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  explorer.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  explorer.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Delays execution with timeout.exe  (5 IoCs)
  PID   Process
  3856  timeout.exe
  3476  timeout.exe
  648   timeout.exe
  1380  timeout.exe
  3056  timeout.exe

Enumerates system info in registry  (2 TTPs, 2 IoCs)
  Process       Operation          IoC
  explorer.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  explorer.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer

Kills process with taskkill  (2 IoCs)
  PID   Process
  2012  taskkill.exe
  2624  taskkill.exe

Modifies Internet Explorer Protected Mode  (1 TTP, 4 IoCs)
  Process       Operation        IoC
  explorer.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"
  explorer.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"
  explorer.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"
  explorer.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"
  Note: value 2500 is the per-zone Protected Mode switch (0 = on, 3 = off). It is turned off here for the Local Intranet (1), Trusted Sites (2), Internet (3) and Restricted Sites (4) zones.

Modifies Internet Explorer Protected Mode Banner  (1 TTP, 1 IoC)
  Process       Operation        IoC
  explorer.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"

Modifies Internet Explorer settings  (1 IoC)
  Heading missing in the extracted page; the signature name is taken from the process tree entry for PID 3004.
  Process       Operation    IoC
  explorer.exe  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main
Modifies registry class  (2 IoCs)
  Process                                                                   Operation    IoC
  15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
  cmd.exe                                                                   Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses  (30 IoCs)
  PID 3004 explorer.exe, 30 occurrences.

Suspicious behavior: MapViewOfSection  (4 IoCs)
  PID   Process       Count
  1808  brokerf.exe   2
  3004  explorer.exe  2

Suspicious use of AdjustPrivilegeToken  (30 IoCs)
  Process            Privileges adjusted in the token
  1808 brokerf.exe   SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (14 IoCs)
  2012 taskkill.exe  SeDebugPrivilege (1 IoC)
  2624 taskkill.exe  SeDebugPrivilege (1 IoC)
  3004 explorer.exe  the same 14 privileges as 1808 brokerf.exe, in the same order (14 IoCs)
  Note: "33" is the privilege LUID the sandbox could not name; LUID 33 is SeIncreaseWorkingSetPrivilege. The identical 14-privilege list in brokerf.exe (1808) and explorer.exe (3004) is consistent with the same payload code running in both processes.

Suspicious use of WriteProcessMemory  (57 IoCs)
  Source PID / process                                                          Target PID / process   Writes  procid_target
  4660 15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe  756 WScript.exe        3       75
  756 WScript.exe                                                               3224 cmd.exe           3       76
  3224 cmd.exe                                                                  3856 timeout.exe       3       78
  3224 cmd.exe                                                                  3832 sbn.exe           3       79
  3224 cmd.exe                                                                  3476 timeout.exe       3       80
  3224 cmd.exe                                                                  640 WScript.exe        3       83
  3224 cmd.exe                                                                  648 timeout.exe        3       84
  640 WScript.exe                                                               488 cmd.exe            3       85
  488 cmd.exe                                                                   1220 attrib.exe        3       87
  488 cmd.exe                                                                   1380 timeout.exe       3       88
  488 cmd.exe                                                                   1688 brokerf.exe       3       90
  1688 brokerf.exe                                                              1808 brokerf.exe       5       91
  488 cmd.exe                                                                   2012 taskkill.exe      3       92
  488 cmd.exe                                                                   2624 taskkill.exe      3       94
  488 cmd.exe                                                                   2812 attrib.exe        3       96
  1808 brokerf.exe                                                              3004 explorer.exe      3       95
  488 cmd.exe                                                                   3056 timeout.exe       3       97
  3004 explorer.exe                                                             488 cmd.exe            2       85
  3004 explorer.exe                                                             3056 timeout.exe       2       97
  Target process names are taken from the process tree below. Every ordinary process creation in this run shows exactly three writes from the parent. Two rows break that pattern: brokerf.exe (1688) writes five times into its own child copy (1808) after setting that child's thread context, and explorer.exe (3004) writes into cmd.exe (488), an ancestor in its own process chain, and into timeout.exe (3056), neither of which it created.

Views/modifies file attributes  (1 TTP, 2 IoCs)
  PID   Process
  1220  attrib.exe
  2812  attrib.exe
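The registry IoCs in the firewall, Run key, Internet Explorer and UAC signatures above translate directly into detection logic. The following is an added example, not the sandbox's own code and not something this report ships: a small Python classifier that takes registry events in the (process, operation, path, data) shape the report prints, undoes the report's C-style escaping of value data, and tags the behaviours seen in this run. The event list is constructed from the IoCs above plus one made-up benign Run value for contrast; the list of user-writable roots used to rate persistence targets is an assumption of this example.

```python
"""Classify registry events into the behaviours the signatures above describe.

Added example for this page, not the sandbox's own tooling.  Events are
(process, operation, path, data) in the shape the report prints; the data
string keeps the report's C-style escaping (\\ for a backslash, \" for a
quote) and is unescaped here before matching.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RegEvent:
    process: str
    op: str                   # "Set value (int)", "Key created", "Key value queried", ...
    path: str                 # full \REGISTRY\... path of the key or value
    data: Optional[str] = None


# Locations this run touched; the registry is case-insensitive, so match that way.
FIREWALL_ENABLE = re.compile(
    r"\\SharedAccess\\Parameters\\FirewallPolicy\\(\w+Profile)\\EnableFirewall$", re.I)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(RunOnce|Run)\\([^\\]+)$", re.I)
IE_ZONE_2500 = re.compile(r"\\Internet Settings\\Zones\\(\d)\\2500$", re.I)
IE_NO_BANNER = re.compile(r"\\Internet Explorer\\Main\\NoProtectedModeBanner$", re.I)
ENABLE_LUA = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)

# Assumption of this example: Run targets under these roots are user-writable and
# therefore rate higher than targets under Program Files or System32.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


def report_unescape(data: str) -> str:
    """Turn the report's printed form of a value back into the stored string."""
    s = data.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\"', '"').replace("\\\\", "\\")


def classify(ev: RegEvent) -> List[str]:
    """Return zero or more behaviour tags for one registry event."""
    tags: List[str] = []
    value = report_unescape(ev.data) if ev.data is not None else ""
    is_set = ev.op.startswith("Set value")

    m = FIREWALL_ENABLE.search(ev.path)
    if m and is_set and value == "0":
        tags.append("firewall_disabled:" + m.group(1))

    m = RUN_KEY.search(ev.path)
    if m and is_set:
        target = value.strip('"').lower()     # the Run value itself may be quoted
        kind = "persistence_user_writable" if any(r in target for r in USER_WRITABLE) else "persistence"
        tags.append(f"{kind}:{m.group(1)}:{m.group(2)}")

    m = IE_ZONE_2500.search(ev.path)
    if m and is_set and value == "3":         # 2500 = 3 turns Protected Mode off for that zone
        tags.append("ie_protected_mode_off:zone" + m.group(1))

    if IE_NO_BANNER.search(ev.path) and is_set and value == "1":
        tags.append("ie_protected_mode_banner_suppressed")

    if ENABLE_LUA.search(ev.path) and ev.op.startswith("Key value queried"):
        tags.append("uac_status_probe")       # a read, not a write: reconnaissance, not tampering
    return tags


def scan(events) -> dict:
    """Map each tag to the set of processes that produced it."""
    out: dict = {}
    for ev in events:
        for tag in classify(ev):
            out.setdefault(tag, set()).add(ev.process)
    return out


USER = r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000"
FWP = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy"

# Constructed from the IoCs in this report, plus one made-up benign Run value (svchost/OneDrive).
SAMPLE_EVENTS = [
    RegEvent("explorer.exe", "Key created", FWP + r"\StandardProfile"),
    RegEvent("explorer.exe", "Set value (int)", FWP + r"\StandardProfile\EnableFirewall", '"0"'),
    RegEvent("explorer.exe", "Set value (int)", FWP + r"\PublicProfile\EnableFirewall", '"0"'),
    RegEvent("explorer.exe", "Set value (str)",
             USER + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09",
             r'"C:\\ProgramData\\Google Updater 2.09\\9k3yk779591957.exe"'),
    RegEvent("explorer.exe", "Set value (str)",
             USER + r"\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09",
             r'"\"C:\\ProgramData\\Google Updater 2.09\\9k3yk779591957.exe\""'),
    RegEvent("explorer.exe", "Set value (int)",
             USER + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500", '"3"'),
    RegEvent("explorer.exe", "Set value (int)",
             USER + r"\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner", '"1"'),
    RegEvent("brokerf.exe", "Key value queried",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    RegEvent("svchost.exe", "Set value (str)",
             USER + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r'"\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\""'),
]

if __name__ == "__main__":
    for tag, procs in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{tag:55s} {', '.join(sorted(procs))}")
```

The "Key created" rows produce no tag on purpose: creating the Run or FirewallPolicy key is what any installer does, and only the value written into it carries the verdict. Feeding real Sysmon event 13 (RegistryEvent value set) data into this needs the same unescaping step, since Sysmon prints the details field differently from this sandbox.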
Processes

  The [n] marker is the depth of each process in the tree.

  [1] C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe  (PID 4660)
      Command line: "C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"
      Signatures: Modifies registry class; Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WScript.exe  (PID 756)
        Command line: "C:\Windows\System32\WScript.exe" "C:\log\cnvk\ftoris.vbs"
        Signatures: Suspicious use of WriteProcessMemory

      [3] C:\Windows\SysWOW64\cmd.exe  (PID 3224)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\log\cnvk\yioi.bat" "
          Signatures: Modifies registry class; Suspicious use of WriteProcessMemory

        [4] C:\Windows\SysWOW64\timeout.exe  (PID 3856)
            Command line: timeout 0
            Signatures: Delays execution with timeout.exe

        [4] C:\log\cnvk\sbn.exe  (PID 3832)
            Command line: "sbn.exe" e -pyu7y8y87ds8yhsd89scd99 37419879283209asda0su9jho90asdf0s9.rar
            Signatures: Executes dropped EXE

        [4] C:\Windows\SysWOW64\timeout.exe  (PID 3476)
            Command line: timeout 4
            Signatures: Delays execution with timeout.exe

        [4] C:\Windows\SysWOW64\WScript.exe  (PID 640)
            Command line: "C:\Windows\System32\WScript.exe" "C:\log\cnvk\oll.vbs"
            Signatures: Suspicious use of WriteProcessMemory

          [5] C:\Windows\SysWOW64\cmd.exe  (PID 488)
              Command line: C:\Windows\system32\cmd.exe /c ""C:\log\cnvk\p541seed.bat" "
              Signatures: Suspicious use of WriteProcessMemory

            [6] C:\Windows\SysWOW64\attrib.exe  (PID 1220)
                Command line: attrib +s +h "C:\log\"
                Signatures: Views/modifies file attributes

            [6] C:\Windows\SysWOW64\timeout.exe  (PID 1380)
                Command line: timeout 2
                Signatures: Delays execution with timeout.exe

            [6] C:\log\cnvk\brokerf.exe  (PID 1688)
                Command line: brokerf.exe /start
                Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

              [7] C:\log\cnvk\brokerf.exe  (PID 1808)
                  Command line: brokerf.exe /start
                  Signatures: Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Checks processor information in registry; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

                [8] C:\Windows\SysWOW64\explorer.exe  (PID 3004)
                    Command line: C:\Windows\SysWOW64\explorer.exe
                    Signatures: Modifies firewall policy service; Checks BIOS information in registry; Adds Run key to start application; Suspicious use of NtSetInformationThreadHideFromDebugger; Checks processor information in registry; Enumerates system info in registry; Modifies Internet Explorer Protected Mode; Modifies Internet Explorer Protected Mode Banner; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

            [6] C:\Windows\SysWOW64\taskkill.exe  (PID 2012)
                Command line: taskkill /f /im sbn.exe
                Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

            [6] C:\Windows\SysWOW64\taskkill.exe  (PID 2624)
                Command line: taskkill /f /im sbn.exe
                Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

            [6] C:\Windows\SysWOW64\attrib.exe  (PID 2812)
                Command line: attrib -s -h "C:\log\cnvk\brokerf.exe"
                Signatures: Views/modifies file attributes

            [6] C:\Windows\SysWOW64\timeout.exe  (PID 3056)
                Command line: timeout 6
                Signatures: Delays execution with timeout.exe

        [4] C:\Windows\SysWOW64\timeout.exe  (PID 648)
            Command line: timeout 6
            Signatures: Delays execution with timeout.exe

  Reading the chain: the sample drops a script stage under C:\log\cnvk\ and runs it through WScript.exe and cmd.exe (ftoris.vbs, then yioi.bat). The batch file runs the dropped sbn.exe with console-archiver arguments (e = extract, -p<password>, then the .rar name) to unpack a password-protected archive, pads the sequence with timeout calls, and starts a second script stage (oll.vbs, then p541seed.bat). That stage hides C:\log with attrib +s +h and launches brokerf.exe /start, which starts a second copy of itself, sets that copy's thread context and writes into it five times (see the SetThreadContext and WriteProcessMemory tables above); the child copy then spawns a 32-bit explorer.exe that carries every persistence, firewall, anti-debugging and Internet Explorer change in this report. The batch file finishes by killing sbn.exe twice with taskkill /f and clearing the hidden/system attributes on brokerf.exe. Every Windows binary in the tree runs from SysWOW64, so the whole chain is 32-bit.
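The WriteProcessMemory and SetThreadContext records in the signature tables are flat text, and the interesting rows are the ones that are not ordinary parent-creates-child writes. The following is an added example, not the sandbox's tooling and not part of this report: a Python parser for those records that rebuilds the creator graph and flags (a) a creator that wrote into its child more often than process creation needs or replaced the child's thread context, and (b) writes from a process that did not create the target, including writes into the writer's own ancestors. Two assumptions are built in: the first process seen writing into a PID is its creator (a process cannot be written to before it exists), and plain CreateProcess bookkeeping shows up as three writes, the count every ordinary creation in this report shows. The input is a constructed excerpt of the report's own records.

```python
"""Rebuild the process graph from the report's WriteProcessMemory /
SetThreadContext records and flag writes that are not ordinary
parent-creates-child bookkeeping.

Added example for this page, not the sandbox's tooling.  Assumptions: the
first process that writes into a PID is its creator, and a creator's
CreateProcess bookkeeping shows up as a small fixed number of writes (3 in
this report).  Writes from a non-creator, or more than that from the
creator, are what to look at.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Record shapes exactly as the report prints them.
WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
STC = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\d+)")
CREATE_WRITES = 3   # assumption drawn from this report: every plain CreateProcess shows 3 writes


def _rep(record: str, n: int) -> str:
    return " ".join([record] * n)


# Constructed excerpt: records copied from the signature tables above, in log order.
SAMPLE = " ".join([
    _rep("PID 640 wrote to memory of 488 640 WScript.exe 85", 3),
    _rep("PID 488 wrote to memory of 1688 488 cmd.exe 90", 3),
    "PID 1688 set thread context of 1808 1688 brokerf.exe 91",
    _rep("PID 1688 wrote to memory of 1808 1688 brokerf.exe 91", 5),
    _rep("PID 1808 wrote to memory of 3004 1808 brokerf.exe 95", 3),
    _rep("PID 488 wrote to memory of 3056 488 cmd.exe 97", 3),
    _rep("PID 3004 wrote to memory of 488 3004 explorer.exe 85", 2),
    _rep("PID 3004 wrote to memory of 3056 3004 explorer.exe 97", 2),
])

Finding = Tuple[str, int, int, int]   # (kind, source pid, target pid, write count)


def ancestors(pid: int, creator: Dict[int, int]) -> List[int]:
    """Creator chain of pid, nearest first; stops at the root or on a cycle."""
    chain: List[int] = []
    while pid in creator and creator[pid] not in chain:
        pid = creator[pid]
        chain.append(pid)
    return chain


def analyze(text: str):
    writes: Counter = Counter()
    creator: Dict[int, int] = {}
    names: Dict[int, str] = {}          # only writers are named in these records
    for m in WPM.finditer(text):
        src, dst, name = int(m.group(1)), int(m.group(2)), m.group(3)
        names[src] = name
        creator.setdefault(dst, src)    # first writer is the creator
        writes[(src, dst)] += 1
    stc = {(int(m.group(1)), int(m.group(2))) for m in STC.finditer(text)}

    findings: List[Finding] = []
    for (src, dst), n in writes.items():
        if creator[dst] != src:
            kind = "write_into_ancestor" if dst in ancestors(src, creator) else "cross_process_write"
            findings.append((kind, src, dst, n))
        elif n > CREATE_WRITES or (src, dst) in stc:
            # The creator wrote more than CreateProcess needs and/or replaced the
            # child's thread context: the pattern sandboxes label as process hollowing.
            findings.append(("child_image_replaced", src, dst, n))
    return creator, names, findings


def describe(text: str) -> List[str]:
    creator, names, findings = analyze(text)
    return [f"{kind}: {src} ({names.get(src, '?')}) -> {dst} ({names.get(dst, '?')}), {n} writes"
            for kind, src, dst, n in findings]


if __name__ == "__main__":
    for line in describe(SAMPLE):
        print(line)
```

On the excerpt this yields three findings: brokerf.exe 1688 replacing its child 1808, explorer.exe 3004 writing into cmd.exe 488 (which is four levels up its own creator chain), and explorer.exe 3004 writing into timeout.exe 3056. Targets that never act as a writer, such as 3056, have no name in these records and print as "?"; the process tree above supplies the name.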
Network

  (no entries)

MITRE ATT&CK Enterprise v6

  (no entries)
Downloads

  The report lists dropped or downloaded files by hash only, without names or paths. Entries that appear more than once are collapsed here with their count.

  File 1  (listed 3 times)
    MD5:     1e7da6a53a16210ffaaf28feaa1a38ad
    SHA1:    a6559654ef5b0b5fb9b006ee7b411cf962177dba
    SHA256:  f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
    SHA512:  fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

  File 2
    MD5:     74938c40bb1e343a5f7fee8ce12636fd
    SHA1:    102a9af450b63e4e29fcb8221b783a6f0e657fc7
    SHA256:  48649028ecc8644c77faa53e2c7eb3c84811d4ff5d76965dfc123e7031bbde7f
    SHA512:  953425cb722318119c033293a676aac4eec93d95dbdcda727366d3cbc011c3a4e81953e300340015bd7bdbba7cfabdcaf55adc5e68ff7c18f542bb42dd7ab370

  File 3
    MD5:     0bd7eb0367eea35fa03b8baf753e3dbf
    SHA1:    5d99d076b6094be05ab24b292fab8b51a81926b5
    SHA256:  b5b186b0c9d71d1dc7024cc0dedb17df1f052c93a33f6af0cd4651362245be7d
    SHA512:  1f1452a1f1ac4d1687a50f6e405fda5517f53e46fc624675320b2e2d64de6bff7b4437a5e2e081d0cd81617cec50c0c6ef1d43bdc9387154af5616dcfc2a5cb6

  File 4
    MD5:     aad7b3fbdc2b543dd2cc773d89d8bc17
    SHA1:    4b680e56de180c6674f86f0e228eaf7801ef182e
    SHA256:  a0e42e327432a1fa0afb90ae4407671e9f6b6611a7db64c0f7c0cbb48c73be75
    SHA512:  9eb3a9203198458a2d52ce66355446939d7bc5c6c656efe1d0e03485f1b181ce65a7ebbfceb434b2535543e61e018e83720de2f4d72303af19796f3b7c9bfdbb

  File 5
    MD5:     fb6bc7bd7f1d2813765c0dd42d96d62d
    SHA1:    c6d3306967de66dcbcd4340269a5c9ff62ede54f
    SHA256:  ae0c4df3946ecbc710c852b300a4450197881d7077c62b7cf2b612eacf2bb6da
    SHA512:  572fe41b1421e16ea5a99dcf5334924c0d1bf1cf7eaf3b3961c73c906c745e144feaffb813cb26d351c3b60f32c11a6d126a066f305d792ca1808d7cd9572e7d

  File 6  (listed 2 times)
    MD5:     7acbec84b096b08259d9bf7f358aab7e
    SHA1:    00b8e3575bb33447628a90826bdc4c6b2d7e7a19
    SHA256:  6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c
    SHA512:  2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23

  File 7
    MD5:     b9c02e786af554bf4e548d218cb59406
    SHA1:    1afcdfc05077c6fe8367e005532af76dbe890c63
    SHA256:  9d5adff2c0c256bdfe6537b1064cfaf9be420434d295b4c4b506949fe6d8eafd
    SHA512:  6f89efa5c09ed4a44c291185b98e3c50c7bd81b2adb931daab8f526646cc59fa42b889fb870b8603f24e2ab0a46f0d6ad00bed2cc92e44827a6c854f58541243