Analysis
-
max time kernel
149s -
max time network
192s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
27-07-2021 15:00
General
-
Target
ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c.exe
-
Size
40KB
-
MD5
c58ecc617fb2cbf40f4703cfd4b70104
-
SHA1
4d7e1750af1060a9a6a5f7aa7fcc986d0a3549e6
-
SHA256
ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c
-
SHA512
ba85396ef07f695a1361eedfc3d179689187d6799109aefe727deac88bf2eac35d0cbac11ecf7e279964022b71938af39449e6cd21e65bc488c35335326c3f8b
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c.exe"C:\Users\Admin\AppData\Local\Temp\ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\server.exe"C:\Windows\server.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\server.exeMD5
c58ecc617fb2cbf40f4703cfd4b70104
SHA14d7e1750af1060a9a6a5f7aa7fcc986d0a3549e6
SHA256ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c
SHA512ba85396ef07f695a1361eedfc3d179689187d6799109aefe727deac88bf2eac35d0cbac11ecf7e279964022b71938af39449e6cd21e65bc488c35335326c3f8b
-
C:\Windows\server.exeMD5
c58ecc617fb2cbf40f4703cfd4b70104
SHA14d7e1750af1060a9a6a5f7aa7fcc986d0a3549e6
SHA256ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c
SHA512ba85396ef07f695a1361eedfc3d179689187d6799109aefe727deac88bf2eac35d0cbac11ecf7e279964022b71938af39449e6cd21e65bc488c35335326c3f8b
-
memory/628-59-0x00000000757C1000-0x00000000757C3000-memory.dmpFilesize
8KB
-
memory/628-60-0x0000000001EA0000-0x0000000001EA1000-memory.dmpFilesize
4KB
-
memory/872-66-0x0000000000000000-mapping.dmp
-
memory/1628-61-0x0000000000000000-mapping.dmp
-
memory/1628-65-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB