Analysis

- max time kernel: 152s
- max time network: 166s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 07-09-2021 06:10

- Static task: static1
- Behavioral task: behavioral1
  Sample: 5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
  Resource: win7-en (windows7_x64), 0 signatures, 0 seconds
General

- Target: 5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
- Size: 251KB
- MD5: b547e8c99725f6703be9abd07e5224c7
- SHA1: 62983bc952692ddba6f4901c8dea12d27600897f
- SHA256: 5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83
- SHA512: 674651da4dde4df3593cdb798f4c70f404534540f445f775d069be112da658e2beb6c087e5fb8d3759f05a232459a5141cfb3db8d0bdae6046e9ec701c7db2a9
Malware Config
Signatures

- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: 5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
  Key created:     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
  EnableFirewall = 0 under StandardProfile switches the firewall off for the private (standard) profile; only that profile is touched, DomainProfile and PublicProfile do not appear in the IoC list. DisableNotifications = 0 leaves firewall notifications enabled rather than silencing them.

- Disables RegEdit via registry modification

- Disables Task Manager via registry modification

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Process: 5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe (pid 3008) adjusted the following token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privilege LUIDs 33, 34, 35 and 36 (left unnamed by the sandbox).
  Requesting the whole set at once is consistent with a loop that enables every privilege present in the token rather than a targeted request for one privilege such as SeDebugPrivilege.

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Process: 5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe (pid 3008)

- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3008 (5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe) wrote to memory of PID 2920 (cmd.exe), 3 times
  PID 3008 (5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe) wrote to memory of PID 8 (cmd.exe), 3 times
  PID 2920 (cmd.exe) wrote to memory of PID 3500 (attrib.exe), 3 times
  PID 8 (cmd.exe) wrote to memory of PID 3064 (attrib.exe), 3 times
  Every target is a child the writer itself created (see the process tree below), so these writes are a parent setting up a newly spawned child, not injection into an unrelated process.

- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe (pid 3500), attrib.exe (pid 3064)
Processes

1. C:\Users\Admin\AppData\Local\Temp\5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe (pid 3008)
   Command line: "C:\Users\Admin\AppData\Local\Temp\5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe"
   - Modifies firewall policy service
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe" +s +h
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp\5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe" +s +h
         - Views/modifies file attributes
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
         - Views/modifies file attributes

The sample asks for C:\Windows\System32\cmd.exe but the process that starts is C:\Windows\SysWOW64\cmd.exe: that is WOW64 file-system redirection, which tells you the sample is a 32-bit executable running on this x64 VM. Each cmd.exe runs attrib with +s +h, setting the system and hidden attributes on the sample's own executable and on the user's Temp directory so that Explorer hides both under its default view settings; /k keeps each cmd.exe instance open after attrib returns.
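Detection logic for the two behaviours recorded above, the EnableFirewall registry write and the cmd.exe/attrib +s +h chain, written here as an added example; it is not part of the Triage report and not the sample's code. It runs over constructed Sysmon-style events whose pids and paths mirror the report (field names follow Sysmon Event ID 1 and 13: Image, CommandLine, ParentProcessId, TargetObject, Details); the parent pid 1234 and the benign attrib -r line are invented controls. The attrib rule walks the recorded ancestry so that attrib.exe <- cmd.exe <- sample is caught even though Sysmon only records the immediate parent.

```python
"""Detection logic for the behaviours in this report, run over constructed
Sysmon-style events (EventID 13 = registry value set, EventID 1 = process
create). The events mirror the report's process tree but are made up here;
they are not sandbox output."""
import re
from typing import Optional

# EnableFirewall under any of the three FirewallPolicy profiles.
FIREWALL_ENABLE = re.compile(
    r"\\SharedAccess\\Parameters\\FirewallPolicy\\"
    r"(?P<profile>StandardProfile|DomainProfile|PublicProfile)\\EnableFirewall$",
    re.IGNORECASE,
)
USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp(\\|$)", re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')


def registry_dword(details: str) -> Optional[int]:
    """Sysmon logs DWORDs as 'DWORD (0x00000000)'; the sandbox logged "0"."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    if m:
        return int(m.group(1), 16)
    digits = details.strip().strip('"')
    return int(digits) if digits.isdigit() else None


def check_firewall(ev: dict) -> Optional[dict]:
    """EnableFirewall = 0 switches the firewall off for that profile."""
    m = FIREWALL_ENABLE.search(ev["TargetObject"])
    if m and registry_dword(ev.get("Details", "")) == 0:
        return {"rule": "firewall_profile_disabled", "pid": ev["ProcessId"],
                "profile": m.group("profile")}
    return None


def attrib_target(cmdline: str):
    """Return (path, flags) for an attrib command line, or None if it is not attrib."""
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("attrib", "attrib.exe"):
        return None
    flags = {t.lower() for t in toks[1:] if len(t) == 2 and t[0] in "+-"}
    paths = [t for t in toks[1:] if t and t[0] not in "+-/"]
    return (paths[0] if paths else None), flags


def check_attrib(ev: dict, procs: dict) -> Optional[dict]:
    """attrib +s +h on an ancestor's own image (self-hiding) or on a user Temp dir."""
    parsed = attrib_target(ev["CommandLine"])
    if parsed is None:
        return None
    path, flags = parsed
    if path is None or not {"+s", "+h"} <= flags:
        return None
    # Walk the ancestry seen so far: attrib.exe <- cmd.exe <- the sample. Real
    # telemetry should key on ProcessGuid rather than pid, which can be reused.
    ppid, hops = ev.get("ParentProcessId"), 0
    while ppid in procs and hops < 8:
        if procs[ppid]["Image"].lower() == path.lower():
            return {"rule": "attrib_hides_ancestor_image", "pid": ev["ProcessId"],
                    "ancestor_pid": ppid, "path": path}
        ppid, hops = procs[ppid].get("ParentProcessId"), hops + 1
    if USER_TEMP.match(path):
        return {"rule": "attrib_hides_user_temp", "pid": ev["ProcessId"], "path": path}
    return None


def analyze(events: list) -> list:
    """Single pass over an event stream; the process table grows as EID 1 events arrive."""
    procs, findings = {}, []
    for ev in events:
        finding = None
        if ev["EventID"] == 1:
            procs[ev["ProcessId"]] = ev
            finding = check_attrib(ev, procs)
        elif ev["EventID"] == 13:
            finding = check_firewall(ev)
        if finding:
            findings.append(finding)
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"
FWKEY = r"HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events mirroring the report's tree (pids 3008, 2920, 8, 3500, 3064);
# the parent pid 1234 and the final benign attrib -r line are invented controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3008, "ParentProcessId": 1234, "Image": DROPPER, "CommandLine": f'"{DROPPER}"'},
    {"EventID": 13, "ProcessId": 3008, "Image": DROPPER, "TargetObject": FWKEY + r"\EnableFirewall", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 3008, "Image": DROPPER, "TargetObject": FWKEY + r"\DisableNotifications", "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "ProcessId": 2920, "ParentProcessId": 3008, "Image": CMD, "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{DROPPER}" +s +h'},
    {"EventID": 1, "ProcessId": 3500, "ParentProcessId": 2920, "Image": ATTRIB, "CommandLine": f'attrib "{DROPPER}" +s +h'},
    {"EventID": 1, "ProcessId": 8, "ParentProcessId": 3008, "Image": CMD, "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{TEMP}" +s +h'},
    {"EventID": 1, "ProcessId": 3064, "ParentProcessId": 8, "Image": ATTRIB, "CommandLine": f'attrib "{TEMP}" +s +h'},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900, "Image": ATTRIB, "CommandLine": r'attrib -r "C:\work\notes.txt"'},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Running it yields three findings: the StandardProfile firewall disable by pid 3008, attrib.exe pid 3500 hiding its grandparent's image (pid 3008), and attrib.exe pid 3064 hiding the user's Temp directory; the DisableNotifications write and the benign attrib -r call stay silent. The firewall pattern deliberately matches all three profile keys, not just StandardProfile, since a variant that also writes PublicProfile\EnableFirewall should trip the same rule.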
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/8-116-0x0000000000000000-mapping.dmp
- memory/2920-115-0x0000000000000000-mapping.dmp
- memory/3008-114-0x0000000000C10000-0x0000000000C11000-memory.dmp (4KB)
- memory/3064-118-0x0000000000000000-mapping.dmp
- memory/3500-117-0x0000000000000000-mapping.dmp