Analysis
max time kernel: 151s
max time network: 151s
platform: windows7_x64
resource: win7v20210408
submitted: 11-06-2021 03:37
Static task: static1
Behavioral task: behavioral1
Sample: 595C00BF9CA4BAA42B4490F2782CF2D3.exe
Resource: win7v20210408
General
Target: 595C00BF9CA4BAA42B4490F2782CF2D3.exe
Size: 1.1MB
MD5: 595c00bf9ca4baa42b4490f2782cf2d3
SHA1: d1441cc336655f36efc3db070f84701a1f68e51a
SHA256: 6884ac9f82a44a7702c4807deec1640b66eb71f6c750dd0ca1d5d78632e626b5
SHA512: aaa673adb4511d7e4ba5836f6874b047e8c2b31f86e005d46094a47626d23f97d72874307538c451541dbb44905503df2227902e9f4ccffa4d9836981abcd2e6
Malware Config
Signatures
- Disables Task Manager via registry modification (no IoC details recorded in this report)
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 1740 server.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (6 IoCs)
  Processes (all by server.exe):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
- Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory (2 IoCs)
  Processes (server.exe):
  - File created: C:\Windows\SysWOW64\Google.exe
  - File opened for modification: C:\Windows\SysWOW64\Google.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (16 IoCs)
  Processes:
  - PID 1788 595C00BF9CA4BAA42B4490F2782CF2D3.exe (1 call)
  - PID 1740 server.exe (15 calls)
- Drops file in Program Files directory (2 IoCs)
  Processes (server.exe):
  - File created: C:\Program Files (x86)\Google.exe
  - File opened for modification: C:\Program Files (x86)\Google.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\Windows\server.exe by 595C00BF9CA4BAA42B4490F2782CF2D3.exe
  - File opened for modification: C:\Windows\server.exe by server.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description of the signature; nothing else in this report shows file encryption, and the drive enumeration fits the autorun.inf spreading noted above.)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - PID 1740 server.exe (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 1740 server.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (all PID 1740 server.exe):
  - Token: SeDebugPrivilege (1)
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (16 each; the sandbox reports the first only by its raw LUID value)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - PID 1788 595C00BF9CA4BAA42B4490F2782CF2D3.exe
  - PID 1740 server.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (4 writes per child):
  - PID 1788 595C00BF9CA4BAA42B4490F2782CF2D3.exe wrote to memory of PID 1740 server.exe
  - PID 1740 server.exe wrote to memory of PID 1604 netsh.exe
  - PID 1740 server.exe wrote to memory of PID 812 netsh.exe
  - PID 1740 server.exe wrote to memory of PID 912 netsh.exe
  Every target is a direct child of the writer (see the process tree), so this is the pattern a sandbox records when a parent creates a child process; on its own it is not evidence of injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\595C00BF9CA4BAA42B4490F2782CF2D3.exe (PID 1788)
  Command line: "C:\Users\Admin\AppData\Local\Temp\595C00BF9CA4BAA42B4490F2782CF2D3.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\server.exe (PID 1740, child of 1788)
    Command line: "C:\Windows\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (child of 1740)
      Command line: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
    - C:\Windows\SysWOW64\netsh.exe (child of 1740)
      Command line: netsh firewall delete allowedprogram "C:\Windows\server.exe"
    - C:\Windows\SysWOW64\netsh.exe (child of 1740)
      Command line: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
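The process tree above is a compact persistence-and-whitelisting procedure: the sample copies itself to C:\Windows\server.exe, launches the copy, and the copy then uses netsh to add a Windows Firewall exception for its own image while dropping further copies into the user's Startup folder. The block below is an added example, not code from the sandbox report or from the sample's authors: Python detection logic for those three behaviours, run over constructed Sysmon-style process-creation and file-creation events modelled on this run. Only PIDs 1788 and 1740 and the command lines come from the report; the event records, the parent PIDs 1000 and 500, the explorer.exe/VPN control events, and the assignment of PIDs 1604/812/912 to the three netsh commands in tree order are assumptions. Handling of the modern `netsh advfirewall ... action=allow program=...` syntax goes beyond the legacy `netsh firewall add allowedprogram` form the sample uses.

```python
"""Detections for the behaviours in the report above, run over constructed
Sysmon-style events (added example; not telemetry from the sandbox run)."""
import re

# Constructed events modelled on the process tree and file drops reported
# above. PIDs 1788/1740 are from the report; the mapping of 1604/812/912 to
# the three netsh commands assumes the tree is in creation order.
EVENTS = [
    {"type": "ProcessCreate", "pid": 1788, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\595C00BF9CA4BAA42B4490F2782CF2D3.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\595C00BF9CA4BAA42B4490F2782CF2D3.exe"'},
    {"type": "FileCreate", "pid": 1788, "target": r"C:\Windows\server.exe"},
    {"type": "ProcessCreate", "pid": 1740, "ppid": 1788,
     "image": r"C:\Windows\server.exe", "cmdline": r'"C:\Windows\server.exe"'},
    {"type": "FileCreate", "pid": 1740, "target": r"C:\Windows\SysWOW64\Google.exe"},
    {"type": "FileCreate", "pid": 1740,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe"},
    {"type": "ProcessCreate", "pid": 1604, "ppid": 1740,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE'},
    {"type": "ProcessCreate", "pid": 812, "ppid": 1740,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall delete allowedprogram "C:\Windows\server.exe"'},
    {"type": "ProcessCreate", "pid": 912, "ppid": 1740,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE'},
    # Benign control (constructed): an interactive admin allowing a VPN client
    # with the modern advfirewall syntax. The rule is not for explorer.exe itself.
    {"type": "ProcessCreate", "pid": 2100, "ppid": 500,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "ProcessCreate", "pid": 2200, "ppid": 2100,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="VPN" dir=in action=allow program="C:\Program Files\VPN\vpn.exe"'},
]

# Legacy syntax (what the sample uses; still accepted on Windows 7) and the
# modern advfirewall syntax. Both capture the whitelisted program path,
# quoted or bare.
LEGACY_ALLOW = re.compile(
    r'\bfirewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
MODERN_ALLOW = re.compile(
    r'\badvfirewall\s+firewall\s+add\s+rule\b(?=.*\baction=allow\b).*?'
    r'\bprogram=(?:"([^"]+)"|(\S+))', re.I)
# Lower-cased tail of the per-user Startup folder path.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def allowed_program(cmdline):
    """Program path that an 'add allow' netsh command whitelists, or None."""
    for rx in (LEGACY_ALLOW, MODERN_ALLOW):
        m = rx.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def firewall_self_exceptions(events):
    """netsh.exe adding an allow rule for the image of its own parent: the
    payload punching a firewall hole for itself (report: server.exe -> netsh)."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    hits = []
    for e in events:
        if e["type"] != "ProcessCreate" or basename(e["image"]) != "netsh.exe":
            continue
        path = allowed_program(e["cmdline"])
        parent = procs.get(e["ppid"])
        if path and parent and path.lower() == parent["image"].lower():
            hits.append((e["pid"], path))
    return hits


def startup_folder_drops(events):
    """Executables written into a per-user Startup folder."""
    return [(e["pid"], e["target"]) for e in events
            if e["type"] == "FileCreate"
            and STARTUP_DIR in e["target"].lower()
            and e["target"].lower().endswith(".exe")]


def dropped_then_executed(events):
    """A process writes a file and later launches that same path as its child
    (report: 1788 writes server.exe into the Windows directory, then spawns it
    as 1740). Events are walked in order, so the write must precede the launch."""
    written_by = {}
    hits = []
    for e in events:
        if e["type"] == "FileCreate":
            written_by.setdefault(e["target"].lower(), e["pid"])
        elif e["type"] == "ProcessCreate":
            writer = written_by.get(e["image"].lower())
            if writer is not None and writer == e["ppid"]:
                hits.append((e["ppid"], e["pid"], e["image"]))
    return hits


def run(events=EVENTS):
    return {
        "firewall_self_exception": firewall_self_exceptions(events),
        "startup_folder_drop": startup_folder_drops(events),
        "dropped_then_executed": dropped_then_executed(events),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(name)
        for h in hits:
            print("   ", h)
```

The self-exception check keys on the relationship between the netsh command line and the parent's image rather than on netsh alone, which is why the constructed explorer.exe/VPN control produces no hit; the delete/re-add pair from the report shows up as two hits because the sample whitelists itself twice.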
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\app
  MD5: 24e9e7d7eea4de90c8fc67ae1145abf2
  SHA1: dd9bb46ccc6340ca892cf17ebe32b9bdbadee2d1
  SHA256: bd6c1d15579254e8879ada07376f93cb2e959f45670374892fde2efaf4194f6c
  SHA512: 5572afd61c7ba666515a987f23ad0a05ab753bdc28cfa492adb30200207427a4a38699d3b7981e0750414775a4ce72a209511951d38a8673c709b08774fca01f
- C:\Windows\server.exe
  MD5: 595c00bf9ca4baa42b4490f2782cf2d3
  SHA1: d1441cc336655f36efc3db070f84701a1f68e51a
  SHA256: 6884ac9f82a44a7702c4807deec1640b66eb71f6c750dd0ca1d5d78632e626b5
  SHA512: aaa673adb4511d7e4ba5836f6874b047e8c2b31f86e005d46094a47626d23f97d72874307538c451541dbb44905503df2227902e9f4ccffa4d9836981abcd2e6
  All four hashes match the submitted sample: the dropped server.exe is an unmodified self-copy, so the sample's own hashes cover this artifact.
- \??\c:\windows\server.exe (the same file, reported under its NT object path)
  MD5: 595c00bf9ca4baa42b4490f2782cf2d3
  SHA1: d1441cc336655f36efc3db070f84701a1f68e51a
  SHA256: 6884ac9f82a44a7702c4807deec1640b66eb71f6c750dd0ca1d5d78632e626b5
  SHA512: aaa673adb4511d7e4ba5836f6874b047e8c2b31f86e005d46094a47626d23f97d72874307538c451541dbb44905503df2227902e9f4ccffa4d9836981abcd2e6
- memory/812-69-0x0000000000000000-mapping.dmp
- memory/912-70-0x0000000000000000-mapping.dmp
- memory/1604-67-0x0000000000000000-mapping.dmp
- memory/1740-61-0x0000000000000000-mapping.dmp
- memory/1740-66-0x0000000002AA0000-0x0000000002AA1000-memory.dmp (Filesize 4KB)
- memory/1788-59-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize 8KB)
- memory/1788-60-0x0000000002FA0000-0x0000000002FA1000-memory.dmp (Filesize 4KB)