Analysis
- max time kernel: 160s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en
- submitted: 14-09-2021 06:40
- Static task: static1
- Behavioral task: behavioral1; Sample: c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe; Resource: win7v20210408
- Behavioral task: behavioral2; Sample: c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe; Resource: win10-en
General
- Target: c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe
- Size: 1.5MB
- MD5: 05def69117bc5228432feac2bed343d2
- SHA1: 7dadf53ee11702034176939a5d73891bf3cf5f61
- SHA256: c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553
- SHA512: 1d253ae2efb360ea4120f18ff2ac20ea175cb3650a9257122b847d0b1b6b366b74e91835368004aa5c8f63136da01fad44ef017b27a5f25197e312d7c60a5e45
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: explorer.exe, pid 3652
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (explorer.exe):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93f19dda2412c86ad7520ba4198f39a0.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93f19dda2412c86ad7520ba4198f39a0.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (explorer.exe):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\93f19dda2412c86ad7520ba4198f39a0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe\" .."
  - Set value (str): \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\93f19dda2412c86ad7520ba4198f39a0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes: explorer.exe, pid 3652 (all 30 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: explorer.exe, pid 3652, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process):
  - PID 1824 wrote to memory of 3652; c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe -> explorer.exe (3 occurrences)
  - PID 3652 wrote to memory of 2832; explorer.exe -> netsh.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe (depth 1, PID 1824)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\explorer.exe (depth 2, PID 3652)
    Command line: "C:\Users\Admin\AppData\Roaming\explorer.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3, PID 2832)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explorer.exe" "explorer.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\explorer.exe
  MD5: 05def69117bc5228432feac2bed343d2
  SHA1: 7dadf53ee11702034176939a5d73891bf3cf5f61
  SHA256: c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553
  SHA512: 1d253ae2efb360ea4120f18ff2ac20ea175cb3650a9257122b847d0b1b6b366b74e91835368004aa5c8f63136da01fad44ef017b27a5f25197e312d7c60a5e45
Memory dumps
- memory/1824-117-0x0000000005080000-0x0000000005081000-memory.dmp (Filesize: 4KB)
- memory/1824-118-0x00000000086F0000-0x00000000086F1000-memory.dmp (Filesize: 4KB)
- memory/1824-119-0x0000000002A70000-0x0000000002AA6000-memory.dmp (Filesize: 216KB)
- memory/1824-120-0x0000000000FC0000-0x0000000000FC8000-memory.dmp (Filesize: 32KB)
- memory/1824-121-0x0000000008C00000-0x0000000008C01000-memory.dmp (Filesize: 4KB)
- memory/1824-115-0x0000000000680000-0x0000000000681000-memory.dmp (Filesize: 4KB)
- memory/2832-131-0x0000000000000000-mapping.dmp
- memory/3652-122-0x0000000000000000-mapping.dmp
- memory/3652-132-0x0000000002D10000-0x0000000002D11000-memory.dmp (Filesize: 4KB)
- memory/3652-133-0x0000000005700000-0x0000000005701000-memory.dmp (Filesize: 4KB)
- memory/3652-134-0x00000000056A0000-0x00000000056A1000-memory.dmp (Filesize: 4KB)
- memory/3652-135-0x0000000002D13000-0x0000000002D15000-memory.dmp (Filesize: 8KB)