Analysis
- max time kernel: 149s
- max time network: 192s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 27-07-2021 15:00
Static task: static1
Behavioral task: behavioral1
  Sample: ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c.exe
  Resource: win10v20210410
General
- Target: ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c.exe
- Size: 40KB
- MD5: c58ecc617fb2cbf40f4703cfd4b70104
- SHA1: 4d7e1750af1060a9a6a5f7aa7fcc986d0a3549e6
- SHA256: ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c
- SHA512: ba85396ef07f695a1361eedfc3d179689187d6799109aefe727deac88bf2eac35d0cbac11ecf7e279964022b71938af39449e6cd21e65bc488c35335326c3f8b
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: server.exe
    pid 1628  server.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Process: server.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cf9f0d34ec03f4856f787785380426f.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cf9f0d34ec03f4856f787785380426f.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: server.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cf9f0d34ec03f4856f787785380426f = "\"C:\\Windows\\server.exe\" .."
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cf9f0d34ec03f4856f787785380426f = "\"C:\\Windows\\server.exe\" .."
- Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in Windows directory (3 IoCs)
  Processes: ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c.exe, server.exe
    File created: C:\Windows\server.exe  (by ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c.exe)
    File opened for modification: C:\Windows\server.exe  (by ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c.exe)
    File opened for modification: C:\Windows\server.exe  (by server.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: server.exe
    pid 1628  server.exe  (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: server.exe
    pid 1628  server.exe
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Process: server.exe
    Token: SeDebugPrivilege  pid 1628  server.exe  (1 occurrence)
    Token: 33  pid 1628  server.exe  (15 occurrences)
    Token: SeIncBasePriorityPrivilege  pid 1628  server.exe  (15 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c.exe, server.exe
    PID 628 wrote to memory of 1628: ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c.exe -> server.exe  (4 occurrences)
    PID 1628 wrote to memory of 872: server.exe -> netsh.exe  (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c.exe  (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\server.exe  (level 2)
    Command line: "C:\Windows\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe  (level 3)
      Command line: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\server.exe
  MD5: c58ecc617fb2cbf40f4703cfd4b70104
  SHA1: 4d7e1750af1060a9a6a5f7aa7fcc986d0a3549e6
  SHA256: ff79682bb303ab3bdb0ea4dd42c27a987db53d1f6764fa7745cb4c34db8e4e5c
  SHA512: ba85396ef07f695a1361eedfc3d179689187d6799109aefe727deac88bf2eac35d0cbac11ecf7e279964022b71938af39449e6cd21e65bc488c35335326c3f8b
- memory/628-59-0x00000000757C1000-0x00000000757C3000-memory.dmp
  Filesize: 8KB
- memory/628-60-0x0000000001EA0000-0x0000000001EA1000-memory.dmp
  Filesize: 4KB
- memory/872-66-0x0000000000000000-mapping.dmp
- memory/1628-61-0x0000000000000000-mapping.dmp
- memory/1628-65-0x0000000000310000-0x0000000000311000-memory.dmp
  Filesize: 4KB