Analysis
- max time kernel: 147s
- max time network: 161s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 03:06
Static task: static1
Behavioral task: behavioral1
- Sample: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
- Resource: win10v20210410
General
- Target: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
- Size: 660KB
- MD5: 4df9b2c6531cde226bf1b0ae86d41162
- SHA1: 9a42c49714905ea1e5f042a683fd80ecff10fc87
- SHA256: 4714d68dbb9f9ac36425f2ec73ed434cf57407f36063c391e0bfbb9d0b96bbf9
- SHA512: 292edf0d733d05b3b725ea00414299c6ccec8d50da9e0ce3d50cafbf4144e87d3e62dcdadb11a2b139e39f8a72cb5e394bd108e6d4413517cca459079df6ba8d
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  PID 3704  fullview.exe
  PID 2056  fullview.exe
- Drops startup file (2 IoCs)
  Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (fullview.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (fullview.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\fullview = "C:\\Users\\Admin\\Music\\fullview.exe -boot" (fullview.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 3704 (fullview.exe) set thread context of PID 2056 (fullview.exe)
- Drops file in Windows directory (4 IoCs)
  Processes:
  File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new (4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe)
  File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new (4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe)
  File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new (fullview.exe)
  File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new (fullview.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Processes:
  Token: SeDebugPrivilege  PID 3892  4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
  Token: SeDebugPrivilege  PID 3704  fullview.exe
  Token: SeDebugPrivilege  PID 2056  fullview.exe
  Token: 33                PID 2056  fullview.exe  (12 occurrences)
  Token: SeIncBasePriorityPrivilege  PID 2056  fullview.exe  (12 occurrences, alternating with Token: 33)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  PID 3892 (4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe) wrote to memory of PID 3696 (explorer.exe)  (3 occurrences)
  PID 2668 (explorer.exe) wrote to memory of PID 3704 (fullview.exe)  (3 occurrences)
  PID 3704 (fullview.exe) wrote to memory of PID 2056 (fullview.exe)  (8 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (depth 2)
    Command line: "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\Music\fullview.exe
- C:\Windows\explorer.exe (depth 1)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Music\fullview.exe (depth 2)
    Command line: "C:\Users\Admin\Music\fullview.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Music\fullview.exe (depth 3)
      Command line: "C:\Users\Admin\Music\fullview.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Music\fullview.exe
  MD5: 4df9b2c6531cde226bf1b0ae86d41162
  SHA1: 9a42c49714905ea1e5f042a683fd80ecff10fc87
  SHA256: 4714d68dbb9f9ac36425f2ec73ed434cf57407f36063c391e0bfbb9d0b96bbf9
  SHA512: 292edf0d733d05b3b725ea00414299c6ccec8d50da9e0ce3d50cafbf4144e87d3e62dcdadb11a2b139e39f8a72cb5e394bd108e6d4413517cca459079df6ba8d
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
  MD5: 75799560ebae2d2b536941c3870f3cca
  SHA1: a9afcfe0c3ddd235aaaf5218d567d78ca3fc6962
  SHA256: 0fe508e1ca3ff53dc51e4292b358285097fcf6ba8e892f3ee7e67dd944e4c431
  SHA512: 05840cf96f3bcbaa5048a8e49e7dac4ddb0b65d6e891b4ade8cd9f26ac638d9f91a6cbbc8e3a3d8d765489c60d469354c035884f0181f6fa8dab484f9b05f8e6
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
  MD5: 75799560ebae2d2b536941c3870f3cca
  SHA1: a9afcfe0c3ddd235aaaf5218d567d78ca3fc6962
  SHA256: 0fe508e1ca3ff53dc51e4292b358285097fcf6ba8e892f3ee7e67dd944e4c431
  SHA512: 05840cf96f3bcbaa5048a8e49e7dac4ddb0b65d6e891b4ade8cd9f26ac638d9f91a6cbbc8e3a3d8d765489c60d469354c035884f0181f6fa8dab484f9b05f8e6
- memory/2056-125-0x0000000000910000-0x0000000000911000-memory.dmp (Filesize: 4KB)
- memory/3696-116-0x0000000000000000-mapping.dmp
- memory/3704-118-0x0000000000000000-mapping.dmp
- memory/3704-122-0x0000000000FD0000-0x0000000000FD1000-memory.dmp (Filesize: 4KB)
- memory/3704-123-0x0000000000FD1000-0x0000000000FD2000-memory.dmp (Filesize: 4KB)
- memory/3892-114-0x00000000032C0000-0x00000000032C1000-memory.dmp (Filesize: 4KB)
- memory/3892-115-0x00000000032C1000-0x00000000032C2000-memory.dmp (Filesize: 4KB)