Analysis
- max time kernel: 138s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en
- submitted: 08-09-2021 05:02
Behavioral task
- behavioral1
  Sample: b5154bba_hs6p8854My.exe
  Resource: win7-en
  Platform: windows7_x64
  0 signatures
  0 seconds
General
- Target: b5154bba_hs6p8854My.exe
- Size: 658KB
- MD5: b5154bba3a9d3648b40164f2ec89e059
- SHA1: e37b5718f3da44132e2170dc85e026b9a998f5d9
- SHA256: d8b6d9bf469cf33b4effbfc8bcac272a66a01213184580a668a2517df93834a2
- SHA512: c21c3e0ed025e97b6dbc0bc9b3f9b8e87306df8177e1638892ecbcb2bf199e828bc186e0fb872dd82c7cd4d3bedb5ff2910584057d34709535a498ca612f5553
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes:
  description      ioc                                                                                                                              process
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile                            b5154bba_hs6p8854My.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"       b5154bba_hs6p8854My.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" b5154bba_hs6p8854My.exe
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes:
  description                             pid   process
  Token: SeIncreaseQuotaPrivilege         1632  b5154bba_hs6p8854My.exe
  Token: SeSecurityPrivilege              1632  b5154bba_hs6p8854My.exe
  Token: SeTakeOwnershipPrivilege         1632  b5154bba_hs6p8854My.exe
  Token: SeLoadDriverPrivilege            1632  b5154bba_hs6p8854My.exe
  Token: SeSystemProfilePrivilege         1632  b5154bba_hs6p8854My.exe
  Token: SeSystemtimePrivilege            1632  b5154bba_hs6p8854My.exe
  Token: SeProfSingleProcessPrivilege     1632  b5154bba_hs6p8854My.exe
  Token: SeIncBasePriorityPrivilege       1632  b5154bba_hs6p8854My.exe
  Token: SeCreatePagefilePrivilege        1632  b5154bba_hs6p8854My.exe
  Token: SeBackupPrivilege                1632  b5154bba_hs6p8854My.exe
  Token: SeRestorePrivilege               1632  b5154bba_hs6p8854My.exe
  Token: SeShutdownPrivilege              1632  b5154bba_hs6p8854My.exe
  Token: SeDebugPrivilege                 1632  b5154bba_hs6p8854My.exe
  Token: SeSystemEnvironmentPrivilege     1632  b5154bba_hs6p8854My.exe
  Token: SeChangeNotifyPrivilege          1632  b5154bba_hs6p8854My.exe
  Token: SeRemoteShutdownPrivilege        1632  b5154bba_hs6p8854My.exe
  Token: SeUndockPrivilege                1632  b5154bba_hs6p8854My.exe
  Token: SeManageVolumePrivilege          1632  b5154bba_hs6p8854My.exe
  Token: SeImpersonatePrivilege           1632  b5154bba_hs6p8854My.exe
  Token: SeCreateGlobalPrivilege          1632  b5154bba_hs6p8854My.exe
  Token: 33                               1632  b5154bba_hs6p8854My.exe
  Token: 34                               1632  b5154bba_hs6p8854My.exe
  Token: 35                               1632  b5154bba_hs6p8854My.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid   process
  1632  b5154bba_hs6p8854My.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  description                       pid   process                  target process
  PID 1632 wrote to memory of 1736  1632  b5154bba_hs6p8854My.exe  cmd.exe
  PID 1632 wrote to memory of 1736  1632  b5154bba_hs6p8854My.exe  cmd.exe
  PID 1632 wrote to memory of 1736  1632  b5154bba_hs6p8854My.exe  cmd.exe
  PID 1632 wrote to memory of 1736  1632  b5154bba_hs6p8854My.exe  cmd.exe
  PID 1632 wrote to memory of 1712  1632  b5154bba_hs6p8854My.exe  cmd.exe
  PID 1632 wrote to memory of 1712  1632  b5154bba_hs6p8854My.exe  cmd.exe
  PID 1632 wrote to memory of 1712  1632  b5154bba_hs6p8854My.exe  cmd.exe
  PID 1632 wrote to memory of 1712  1632  b5154bba_hs6p8854My.exe  cmd.exe
  PID 1736 wrote to memory of 1520  1736  cmd.exe                  attrib.exe
  PID 1736 wrote to memory of 1520  1736  cmd.exe                  attrib.exe
  PID 1736 wrote to memory of 1520  1736  cmd.exe                  attrib.exe
  PID 1736 wrote to memory of 1520  1736  cmd.exe                  attrib.exe
  PID 1712 wrote to memory of 1120  1712  cmd.exe                  attrib.exe
  PID 1712 wrote to memory of 1120  1712  cmd.exe                  attrib.exe
  PID 1712 wrote to memory of 1120  1712  cmd.exe                  attrib.exe
  PID 1712 wrote to memory of 1120  1712  cmd.exe                  attrib.exe
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes:
  pid   process
  1520  attrib.exe
  1120  attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b5154bba_hs6p8854My.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5154bba_hs6p8854My.exe"
  - Modifies firewall policy service
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\b5154bba_hs6p8854My.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\b5154bba_hs6p8854My.exe" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1120-56-0x0000000000000000-mapping.dmp
- memory/1520-55-0x0000000000000000-mapping.dmp
- memory/1632-52-0x0000000075AD1000-0x0000000075AD3000-memory.dmp (Filesize: 8KB)
- memory/1632-57-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
- memory/1712-54-0x0000000000000000-mapping.dmp
- memory/1736-53-0x0000000000000000-mapping.dmp