Analysis
- max time kernel: 14s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 08-09-2021 05:02
Behavioral task
- behavioral1
- Sample: b5154bba_hs6p8854My.exe
- Resource: win7-en (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: b5154bba_hs6p8854My.exe
- Size: 658KB
- MD5: b5154bba3a9d3648b40164f2ec89e059
- SHA1: e37b5718f3da44132e2170dc85e026b9a998f5d9
- SHA256: d8b6d9bf469cf33b4effbfc8bcac272a66a01213184580a668a2517df93834a2
- SHA512: c21c3e0ed025e97b6dbc0bc9b3f9b8e87306df8177e1638892ecbcb2bf199e828bc186e0fb872dd82c7cd4d3bedb5ff2910584057d34709535a498ca612f5553
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: b5154bba_hs6p8854My.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (b5154bba_hs6p8854My.exe)
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (b5154bba_hs6p8854My.exe)
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (b5154bba_hs6p8854My.exe)
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: b5154bba_hs6p8854My.exe (pid 912)
  Tokens adjusted by pid 912: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: b5154bba_hs6p8854My.exe (pid 912)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: b5154bba_hs6p8854My.exe, cmd.exe, cmd.exe
  PID 912 (b5154bba_hs6p8854My.exe) wrote to memory of 4036 (cmd.exe), logged 3 times
  PID 912 (b5154bba_hs6p8854My.exe) wrote to memory of 3340 (cmd.exe), logged 3 times
  PID 4036 (cmd.exe) wrote to memory of 852 (attrib.exe), logged 3 times
  PID 3340 (cmd.exe) wrote to memory of 3468 (attrib.exe), logged 3 times
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (pid 852), attrib.exe (pid 3468)
Processes
- depth 1: C:\Users\Admin\AppData\Local\Temp\b5154bba_hs6p8854My.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5154bba_hs6p8854My.exe"
  - Modifies firewall policy service
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\b5154bba_hs6p8854My.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - depth 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\b5154bba_hs6p8854My.exe" +s +h
      - Views/modifies file attributes
  - depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - depth 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/852-117-0x0000000000000000-mapping.dmp
- memory/912-114-0x0000000000A90000-0x0000000000A91000-memory.dmp (Filesize: 4KB)
- memory/3340-116-0x0000000000000000-mapping.dmp
- memory/3468-118-0x0000000000000000-mapping.dmp
- memory/4036-115-0x0000000000000000-mapping.dmp