Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7v20210410
submitted: 11-06-2021 03:06
Static task: static1
Behavioral task: behavioral1
  Sample: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
  Resource: win10v20210410
General
Target: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Size: 660KB
MD5: 4df9b2c6531cde226bf1b0ae86d41162
SHA1: 9a42c49714905ea1e5f042a683fd80ecff10fc87
SHA256: 4714d68dbb9f9ac36425f2ec73ed434cf57407f36063c391e0bfbb9d0b96bbf9
SHA512: 292edf0d733d05b3b725ea00414299c6ccec8d50da9e0ce3d50cafbf4144e87d3e62dcdadb11a2b139e39f8a72cb5e394bd108e6d4413517cca459079df6ba8d
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  584 | fullview.exe
  624 | fullview.exe
Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | fullview.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | fullview.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\fullview = "C:\\Users\\Admin\\Music\\fullview.exe -boot" | fullview.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 584 set thread context of 624 | 584 | fullview.exe | fullview.exe
Drops file in Windows directory (4 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | fullview.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | fullview.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1676 | 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
  Token: SeDebugPrivilege | 584 | fullview.exe
  Token: SeDebugPrivilege | 624 | fullview.exe
  Token: 33 | 624 | fullview.exe
  Token: SeIncBasePriorityPrivilege | 624 | fullview.exe
  (the last two rows, in that order, occur 11 times in total, giving 25 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description | pid | process | target process
  PID 1676 wrote to memory of 1312 | 1676 | 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe | explorer.exe (4 entries)
  PID 1616 wrote to memory of 584 | 1616 | explorer.exe | fullview.exe (4 entries)
  PID 584 wrote to memory of 624 | 584 | fullview.exe | fullview.exe (9 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe"
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\explorer.exe
      command line: "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\Music\fullview.exe

1. C:\Windows\explorer.exe
   command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\Music\fullview.exe
      command line: "C:\Users\Admin\Music\fullview.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\Music\fullview.exe
         command line: "C:\Users\Admin\Music\fullview.exe"
         - Executes dropped EXE
         - Drops startup file
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Music\fullview.exe
  MD5: 4df9b2c6531cde226bf1b0ae86d41162
  SHA1: 9a42c49714905ea1e5f042a683fd80ecff10fc87
  SHA256: 4714d68dbb9f9ac36425f2ec73ed434cf57407f36063c391e0bfbb9d0b96bbf9
  SHA512: 292edf0d733d05b3b725ea00414299c6ccec8d50da9e0ce3d50cafbf4144e87d3e62dcdadb11a2b139e39f8a72cb5e394bd108e6d4413517cca459079df6ba8d
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
  MD5: 8ccb76deb0db9cb27f3512008c14660c
  SHA1: e2c19ce54b44da5e174403209c261cd4c74c29d7
  SHA256: 9fa843fdcd88f85ae3276f9c67455aaf87f6e954b7d9278958f2b36de9ca1d34
  SHA512: fee8a2162a6afe30016a38f72647f407135ab29b7f2affaaef24d777116993043a5da9a236cb5443ba0630555163cc9e4e25713d467f23ea5454d099c7f35a49

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
  MD5: 8ccb76deb0db9cb27f3512008c14660c
  SHA1: e2c19ce54b44da5e174403209c261cd4c74c29d7
  SHA256: 9fa843fdcd88f85ae3276f9c67455aaf87f6e954b7d9278958f2b36de9ca1d34
  SHA512: fee8a2162a6afe30016a38f72647f407135ab29b7f2affaaef24d777116993043a5da9a236cb5443ba0630555163cc9e4e25713d467f23ea5454d099c7f35a49
  dump | filesize
  memory/584-67-0x0000000000000000-mapping.dmp | -
  memory/584-71-0x0000000000230000-0x0000000000231000-memory.dmp | 4KB
  memory/584-72-0x0000000000231000-0x0000000000232000-memory.dmp | 4KB
  memory/624-77-0x0000000000080000-0x000000000009A000-memory.dmp | 104KB
  memory/624-80-0x0000000000B50000-0x0000000000B51000-memory.dmp | 4KB
  memory/624-74-0x0000000000080000-0x000000000009A000-memory.dmp | 104KB
  memory/1312-64-0x0000000071031000-0x0000000071033000-memory.dmp | 8KB
  memory/1312-62-0x0000000000000000-mapping.dmp | -
  memory/1616-65-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp | 8KB
  memory/1676-61-0x00000000002B1000-0x00000000002B2000-memory.dmp | 4KB
  memory/1676-59-0x0000000075971000-0x0000000075973000-memory.dmp | 8KB
  memory/1676-60-0x00000000002B0000-0x00000000002B1000-memory.dmp | 4KB