Analysis

- max time kernel: 153s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 03-09-2021 09:11

Behavioral task: behavioral1
- Sample: 43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe
- Resource: win7-en (windows7_x64): 0 signatures, 0 seconds
General

- Target: 43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe
- Size: 658KB
- MD5: bdc9fa03150b08bd14d06c994f5d291e
- SHA1: e55517f4b36aacd990888c75158ed3fe319b12ff
- SHA256: 43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4
- SHA512: 391864de4bb581961b77b12d3e7247a37c0f11ebe120e41fc83f2513133459c2ea7543e566f84da35b6f86588ef891c96db9c671b9515571d3edc693b61f1a46
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: 43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall = 0 under StandardProfile switches the Windows Firewall off for that profile; the sample writes the key directly rather than going through the firewall API, so the change is not subject to the service's own policy checks.

Modifies security service (2 TTPs, 1 IoC)
Process: 43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
Start = 4 is SERVICE_DISABLED: the Windows Security Center service (wscsvc) will not start after the next reboot, which suppresses the "no antivirus / firewall off" warnings the previous change would otherwise trigger.
Disables RegEdit via registry modification

Disables Task Manager via registry modification

Windows security modification (2 IoCs)
Process: 43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
The WOW6432Node path shows the writes were redirected: the sample is a 32-bit process and its HKLM\SOFTWARE access lands in the 32-bit view of the hive.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: PID 1040 43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Process: PID 1040 43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe enabled the following token privileges:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- 33 (LUID 33 is SeIncreaseWorkingSetPrivilege)
- 34 (LUID 34 is SeTimeZonePrivilege)
- 35 (LUID 35 is SeCreateSymbolicLinkPrivilege)
- 36 (LUID 36 is SeDelegateSessionUserImpersonatePrivilege)
AdjustTokenPrivileges can only enable privileges the token already holds, so this list is not an escalation: it is the full privilege set of an elevated administrator token being switched on wholesale, which tells you the sample ran at high integrity (the sandbox user is Admin) and wanted SeDebug, SeBackup, SeRestore and SeTakeOwnership available before doing anything else.
Suspicious use of SetWindowsHookEx (1 IoC)
Process: PID 1040 43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe
Suspicious use of WriteProcessMemory (34 IoCs)
Source PID (process) -> target PID (process): number of writes
- 1040 (43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe) -> 1276 (cmd.exe): 3
- 1040 (43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe) -> 2828 (cmd.exe): 3
- 1040 (43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe) -> 512 (notepad.exe): 22
- 2828 (cmd.exe) -> 1872 (attrib.exe): 3
- 1276 (cmd.exe) -> 808 (attrib.exe): 3
The groups of three writes into each freshly spawned cmd.exe and attrib.exe are what CreateProcess itself produces when the parent populates the new process's parameters; they are not injection. The 22 writes from the sample into notepad.exe (PID 512) are the outlier and the ones worth examining, starting from the 4KB region captured for PID 512 under Downloads below.
System policy modification (1 TTP, 3 IoCs)
Process: 43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
The key names are recorded exactly as the sample wrote them. The policy Explorer actually honours lives at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel; the duplicated CurrentVersion level and the trailing "n" in Explorern mean this write has no effect on Control Panel access. The malformed path is still a useful hunting artifact precisely because nothing legitimate creates it.
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: PID 1872 attrib.exe; PID 808 attrib.exe
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe"
  Signatures: Modifies firewall policy service; Modifies security service; Windows security modification; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe" +s +h
      Signatures: Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures: Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\notepad.exe
    Command line: notepad

Notes on the tree: the sample asked for C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, so the sample is a 32-bit process under WOW64 (consistent with its HKLM\SOFTWARE writes landing in WOW6432Node). The two attrib invocations set System+Hidden on the dropped executable and on the user's %TEMP% directory; Explorer does not show files with both attributes under its default "Hide protected operating system files" setting, so the sample and its working directory disappear from casual inspection. cmd.exe is started with /k, which keeps each cmd.exe process resident after attrib exits.
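The indicators above are recorded as one-off sandbox observations; the following is an added example (not part of the sandbox report and not the sample's code) that turns them into detection rules and runs them over Sysmon-style telemetry. The event dicts, their field names (event_id, image, target, details, command_line, mirroring Sysmon Event ID 13 and Event ID 1) and the rule names are assumptions made for this example; the registry paths, values and attrib command lines are taken from the report.

```python
"""Added example (not part of the sandbox report, not the sample's code): a small
matcher that turns the registry and command-line indicators recorded above into
rules and runs them over Sysmon-style telemetry exported as dicts.

Assumed event shape (constructed for this example): Event ID 13 RegistryEvent
SetValue -> {"event_id": 13, "image", "target", "details"}; Event ID 1
ProcessCreate -> {"event_id": 1, "image", "command_line"}. Rule names are mine.
"""
import re

# Registry rules: (rule name, regex over the normalized key path, required value data).
# Key paths are normalized to HKLM\...\CurrentControlSet\... with WOW6432Node removed,
# so one rule matches the report's kernel-style paths (\REGISTRY\MACHINE\...\ControlSet001),
# Sysmon's HKLM\...\CurrentControlSet paths, and writes redirected for a 32-bit process.
REGISTRY_RULES = [
    ("firewall_disabled",
     r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\"
     r"(Standard|Domain|Public)Profile\\EnableFirewall$", "0"),
    ("security_center_service_disabled",  # Start = 4 is SERVICE_DISABLED
     r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\wscsvc\\Start$", "4"),
    ("security_center_av_notify_off",
     r"^HKLM\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify$", "1"),
    ("security_center_update_notify_off",
     r"^HKLM\\SOFTWARE\\Microsoft\\Security Center\\UpdatesDisableNotify$", "1"),
    # The sample wrote NoControlPanel under a misspelled key (...\Policies\CurrentVersion\Explorern),
    # which Explorer never reads. Matching the value name anywhere below Policies catches the
    # attempt as well as a correctly placed write under Policies\Explorer.
    ("policy_no_control_panel",
     r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\.*\\NoControlPanel$", "1"),
]

# attrib.exe applying both +s and +h to a path under a user profile, as the sample did to
# itself and to %TEMP%. Files with System+Hidden set are invisible to Explorer by default.
ATTRIB_HIDE_RE = re.compile(r"\battrib(?:\.exe)?\b.*\\Users\\.*(\+s.*\+h|\+h.*\+s)", re.I)


def normalize_key(path):
    """Map the different spellings of the same HKLM key onto one canonical form."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", p, flags=re.I)
    p = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)
    return p


def normalize_details(details):
    """Sysmon renders integers as 'DWORD (0x00000004)'; the report renders them as "4"."""
    m = re.fullmatch(r"(?:DWORD|QWORD) \((0x[0-9A-Fa-f]+)\)", details.strip())
    if m:
        return str(int(m.group(1), 16))
    return details.strip().strip('"')


def match_registry_event(target, details):
    """Return the names of all registry rules this SetValue event satisfies."""
    key = normalize_key(target)
    data = normalize_details(details)
    return [name for name, pattern, expected in REGISTRY_RULES
            if re.match(pattern, key, flags=re.I) and data == expected]


def is_attrib_hide(command_line):
    return ATTRIB_HIDE_RE.search(command_line) is not None


def scan(events):
    """Return {rule name: sorted list of images}; one image tripping many rules is the signal."""
    findings = {}
    for ev in events:
        hits = []
        if ev.get("event_id") == 13:
            hits = match_registry_event(ev["target"], ev.get("details", ""))
        elif ev.get("event_id") == 1 and is_attrib_hide(ev.get("command_line", "")):
            hits = ["attrib_hide_user_path"]
        for name in hits:
            findings.setdefault(name, set()).add(ev["image"])
    return {name: sorted(images) for name, images in findings.items()}


# Constructed sample telemetry: the first six events mirror writes and commands recorded in
# the report (the first in the report's own path style, the rest in Sysmon's); the last two
# are benign noise that must not match.
SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4.exe")
CMD_IMAGE = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE_EVENTS = [
    {"event_id": 13, "image": SAMPLE_IMAGE, "details": "0",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
               r"\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"event_id": 13, "image": SAMPLE_IMAGE, "details": "DWORD (0x00000004)",
     "target": r"HKLM\System\CurrentControlSet\Services\wscsvc\Start"},
    {"event_id": 13, "image": SAMPLE_IMAGE, "details": "1",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify"},
    {"event_id": 13, "image": SAMPLE_IMAGE, "details": "1",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify"},
    {"event_id": 13, "image": SAMPLE_IMAGE, "details": "1",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion"
               r"\Explorern\NoControlPanel"},
    {"event_id": 1, "image": CMD_IMAGE,
     "command_line": r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'},
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe", "details": "DWORD (0x00000002)",
     "target": r"HKLM\System\CurrentControlSet\Services\wscsvc\Start"},
    {"event_id": 1, "image": CMD_IMAGE,
     "command_line": r'attrib -r "C:\Users\Admin\Documents\notes.txt"'},
]

if __name__ == "__main__":
    for rule, images in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule}: {', '.join(images)}")
```

Each rule is deliberately keyed on the effective setting rather than on the sample's exact path, so a variant that uses ControlSet002, the 64-bit registry view, or the DomainProfile firewall key still matches; the one exception is NoControlPanel, where the rule is loosened on purpose so the sample's misspelled key is caught as an attempt. When running this against real exports, group the findings by image (as scan does): a single process disabling the firewall, stopping wscsvc and silencing Security Center notifications is a far stronger signal than any one of those writes alone.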
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/512-117-0x0000000000000000-mapping.dmp
- memory/512-120-0x00000000036A0000-0x00000000036A1000-memory.dmp (4KB)
- memory/808-119-0x0000000000000000-mapping.dmp
- memory/1040-114-0x0000000002370000-0x0000000002371000-memory.dmp (4KB)
- memory/1276-115-0x0000000000000000-mapping.dmp
- memory/1872-118-0x0000000000000000-mapping.dmp
- memory/2828-116-0x0000000000000000-mapping.dmp