Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-09-2021 09:11

Behavioral task: behavioral1
- Sample: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
- Resource: win7-en-20210920

Behavioral task: behavioral2
- Sample: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
- Resource: win10v20210408

General
- Target: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
- Size: 659KB
- MD5: 5bfa0be4efc7ffb3b6e2cd63b78fbb5b
- SHA1: 92031a89f86535db2085ed43dd8034e905169c6f
- SHA256: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab
- SHA512: f797d3be2e3f99a621be6a0dcc0e4e1cb0bb3263192feae27828b5adf234e350d7adf84f383ef2adb6ccccce0a95a0f6e9a93601a57a48e5f35aed5f218f7130
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Process: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\aE8nfjsgA5tn\\Java/exe"
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
    Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- Modifies security service (2 TTPs, 1 IoCs)
  Process: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
    Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Windows security modification
  Process: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aE8nfjsgA5tn\\Java/exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Process: PID 1548 d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Process: PID 1548 d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
    Token: SeIncreaseQuotaPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeChangeNotifyPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeManageVolumePrivilege
    Token: SeImpersonatePrivilege
    Token: SeCreateGlobalPrivilege
    Token: 33
    Token: 34
    Token: 35
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Process: PID 1548 d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe, cmd.exe, cmd.exe
    PID 1548 (d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe) wrote to memory of PID 1616 (cmd.exe): 4 events
    PID 1548 (d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe) wrote to memory of PID 964 (cmd.exe): 4 events
    PID 1548 (d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe) wrote to memory of PID 1608 (notepad.exe): 23 events
    PID 1616 (cmd.exe) wrote to memory of PID 1612 (attrib.exe): 4 events
    PID 964 (cmd.exe) wrote to memory of PID 752 (attrib.exe): 4 events
- System policy modification (1 TTPs, 3 IoCs)
  Process: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: PID 1612 attrib.exe, PID 752 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe"
  - Modifies WinLogon for persistence
  - Modifies firewall policy service
  - Modifies security service
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/752-60-0x0000000000000000-mapping.dmp
- memory/964-57-0x0000000000000000-mapping.dmp
- memory/1548-54-0x00000000762D1000-0x00000000762D3000-memory.dmp (Filesize 8KB)
- memory/1548-55-0x0000000000340000-0x0000000000341000-memory.dmp (Filesize 4KB)
- memory/1608-58-0x0000000000000000-mapping.dmp
- memory/1608-62-0x00000000001A0000-0x00000000001A1000-memory.dmp (Filesize 4KB)
- memory/1612-59-0x0000000000000000-mapping.dmp
- memory/1616-56-0x0000000000000000-mapping.dmp