Analysis

  • max time kernel
    147s
  • max time network
    161s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    11-06-2021 03:06

General

  • Target

    4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

  • Size

    660KB

  • MD5

    4df9b2c6531cde226bf1b0ae86d41162

  • SHA1

    9a42c49714905ea1e5f042a683fd80ecff10fc87

  • SHA256

    4714d68dbb9f9ac36425f2ec73ed434cf57407f36063c391e0bfbb9d0b96bbf9

  • SHA512

    292edf0d733d05b3b725ea00414299c6ccec8d50da9e0ce3d50cafbf4144e87d3e62dcdadb11a2b139e39f8a72cb5e394bd108e6d4413517cca459079df6ba8d

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
    "C:\Users\Admin\AppData\Local\Temp\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\Music\fullview.exe
      2⤵
        PID:3696
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Users\Admin\Music\fullview.exe
        "C:\Users\Admin\Music\fullview.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3704
        • C:\Users\Admin\Music\fullview.exe
          "C:\Users\Admin\Music\fullview.exe"
          3⤵
          • Executes dropped EXE
          • Drops startup file
          • Suspicious use of AdjustPrivilegeToken
          PID:2056

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Music\fullview.exe
      MD5

      4df9b2c6531cde226bf1b0ae86d41162

      SHA1

      9a42c49714905ea1e5f042a683fd80ecff10fc87

      SHA256

      4714d68dbb9f9ac36425f2ec73ed434cf57407f36063c391e0bfbb9d0b96bbf9

      SHA512

      292edf0d733d05b3b725ea00414299c6ccec8d50da9e0ce3d50cafbf4144e87d3e62dcdadb11a2b139e39f8a72cb5e394bd108e6d4413517cca459079df6ba8d

    • C:\Users\Admin\Music\fullview.exe
      MD5

      4df9b2c6531cde226bf1b0ae86d41162

      SHA1

      9a42c49714905ea1e5f042a683fd80ecff10fc87

      SHA256

      4714d68dbb9f9ac36425f2ec73ed434cf57407f36063c391e0bfbb9d0b96bbf9

      SHA512

      292edf0d733d05b3b725ea00414299c6ccec8d50da9e0ce3d50cafbf4144e87d3e62dcdadb11a2b139e39f8a72cb5e394bd108e6d4413517cca459079df6ba8d

    • C:\Users\Admin\Music\fullview.exe
      MD5

      4df9b2c6531cde226bf1b0ae86d41162

      SHA1

      9a42c49714905ea1e5f042a683fd80ecff10fc87

      SHA256

      4714d68dbb9f9ac36425f2ec73ed434cf57407f36063c391e0bfbb9d0b96bbf9

      SHA512

      292edf0d733d05b3b725ea00414299c6ccec8d50da9e0ce3d50cafbf4144e87d3e62dcdadb11a2b139e39f8a72cb5e394bd108e6d4413517cca459079df6ba8d

    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
      MD5

      75799560ebae2d2b536941c3870f3cca

      SHA1

      a9afcfe0c3ddd235aaaf5218d567d78ca3fc6962

      SHA256

      0fe508e1ca3ff53dc51e4292b358285097fcf6ba8e892f3ee7e67dd944e4c431

      SHA512

      05840cf96f3bcbaa5048a8e49e7dac4ddb0b65d6e891b4ade8cd9f26ac638d9f91a6cbbc8e3a3d8d765489c60d469354c035884f0181f6fa8dab484f9b05f8e6

    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
      MD5

      75799560ebae2d2b536941c3870f3cca

      SHA1

      a9afcfe0c3ddd235aaaf5218d567d78ca3fc6962

      SHA256

      0fe508e1ca3ff53dc51e4292b358285097fcf6ba8e892f3ee7e67dd944e4c431

      SHA512

      05840cf96f3bcbaa5048a8e49e7dac4ddb0b65d6e891b4ade8cd9f26ac638d9f91a6cbbc8e3a3d8d765489c60d469354c035884f0181f6fa8dab484f9b05f8e6

    • memory/2056-125-0x0000000000910000-0x0000000000911000-memory.dmp
      Filesize

      4KB

    • memory/3696-116-0x0000000000000000-mapping.dmp
    • memory/3704-118-0x0000000000000000-mapping.dmp
    • memory/3704-122-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
      Filesize

      4KB

    • memory/3704-123-0x0000000000FD1000-0x0000000000FD2000-memory.dmp
      Filesize

      4KB

    • memory/3892-114-0x00000000032C0000-0x00000000032C1000-memory.dmp
      Filesize

      4KB

    • memory/3892-115-0x00000000032C1000-0x00000000032C2000-memory.dmp
      Filesize

      4KB