Analysis
- max time kernel: 155s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en
- submitted: 06-09-2021 06:47
Static task: static1
Behavioral task: behavioral1
- Sample: 06e96d6d733fcd8b3e86b6e8fe2fda415cb1769580739b60fcd857d967893037.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 06e96d6d733fcd8b3e86b6e8fe2fda415cb1769580739b60fcd857d967893037.exe
- Resource: win10-en
General
- Target: 06e96d6d733fcd8b3e86b6e8fe2fda415cb1769580739b60fcd857d967893037.exe
- Size: 27KB
- MD5: 4ae81e1e7fac444f27c58c9de2f752d2
- SHA1: 6b3d1b53167cfe34ff89a4565b425db3150b9cd3
- SHA256: 06e96d6d733fcd8b3e86b6e8fe2fda415cb1769580739b60fcd857d967893037
- SHA512: 2ab675e5440684e746ad2776d360f092a8edebc2f95bf677bbe0a656f41a8a775daf20f89cc810c77fac1c531a39bf16e2ac9d4e385f0a125955f0cd755f63af
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: system.exe
  pid 3668, process system.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes: system.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9d1cc64fe9a6a8e706d093702e0b1ae6.exe (process: system.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9d1cc64fe9a6a8e706d093702e0b1ae6.exe (process: system.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: system.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\9d1cc64fe9a6a8e706d093702e0b1ae6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .." (process: system.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9d1cc64fe9a6a8e706d093702e0b1ae6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .." (process: system.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: system.exe
  Token: SeDebugPrivilege, pid 3668, process system.exe
  followed by 17 repetitions of the pair:
  Token: 33, pid 3668, process system.exe
  Token: SeIncBasePriorityPrivilege, pid 3668, process system.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 06e96d6d733fcd8b3e86b6e8fe2fda415cb1769580739b60fcd857d967893037.exe, system.exe
  PID 3996 wrote to memory of 3668 (06e96d6d733fcd8b3e86b6e8fe2fda415cb1769580739b60fcd857d967893037.exe -> system.exe)
  PID 3996 wrote to memory of 3668 (06e96d6d733fcd8b3e86b6e8fe2fda415cb1769580739b60fcd857d967893037.exe -> system.exe)
  PID 3996 wrote to memory of 3668 (06e96d6d733fcd8b3e86b6e8fe2fda415cb1769580739b60fcd857d967893037.exe -> system.exe)
  PID 3668 wrote to memory of 1864 (system.exe -> netsh.exe)
  PID 3668 wrote to memory of 1864 (system.exe -> netsh.exe)
  PID 3668 wrote to memory of 1864 (system.exe -> netsh.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\06e96d6d733fcd8b3e86b6e8fe2fda415cb1769580739b60fcd857d967893037.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\06e96d6d733fcd8b3e86b6e8fe2fda415cb1769580739b60fcd857d967893037.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\system.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\system.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\system.exe (identical hashes to the submitted sample: the sample copied itself to the Temp directory as system.exe)
  MD5: 4ae81e1e7fac444f27c58c9de2f752d2
  SHA1: 6b3d1b53167cfe34ff89a4565b425db3150b9cd3
  SHA256: 06e96d6d733fcd8b3e86b6e8fe2fda415cb1769580739b60fcd857d967893037
  SHA512: 2ab675e5440684e746ad2776d360f092a8edebc2f95bf677bbe0a656f41a8a775daf20f89cc810c77fac1c531a39bf16e2ac9d4e385f0a125955f0cd755f63af
- memory/1864-120-0x0000000000000000-mapping.dmp
- memory/3668-116-0x0000000000000000-mapping.dmp
- memory/3668-119-0x0000000000890000-0x0000000000891000-memory.dmp (Filesize: 4KB)
- memory/3996-115-0x0000000002360000-0x0000000002361000-memory.dmp (Filesize: 4KB)