Analysis
max time kernel: 155s
max time network: 138s
platform: windows10_x64
resource: win10v20210408
submitted: 21-09-2021 08:37
Behavioral task: behavioral1
Sample: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
Resource: win10v20210408
General
Target: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
Size: 659KB
MD5: 5bfa0be4efc7ffb3b6e2cd63b78fbb5b
SHA1: 92031a89f86535db2085ed43dd8034e905169c6f
SHA256: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab
SHA512: f797d3be2e3f99a621be6a0dcc0e4e1cb0bb3263192feae27828b5adf234e350d7adf84f383ef2adb6ccccce0a95a0f6e9a93601a57a48e5f35aed5f218f7130
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\aE8nfjsgA5tn\\Java/exe" | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
Modifies security service (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
Disables RegEdit via registry modification

Disables Task Manager via registry modification

Windows security modification (2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aE8nfjsgA5tn\\Java/exe" | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeSecurityPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeTakeOwnershipPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeLoadDriverPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeSystemProfilePrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeSystemtimePrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeProfSingleProcessPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeIncBasePriorityPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeCreatePagefilePrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeBackupPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeRestorePrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeShutdownPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeDebugPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeSystemEnvironmentPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeChangeNotifyPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeRemoteShutdownPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeUndockPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeManageVolumePrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeImpersonatePrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: SeCreateGlobalPrivilege | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: 33 | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: 34 | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: 35 | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Token: 36 | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid | process
  900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
Suspicious use of WriteProcessMemory (34 IoCs)
Processes: d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe, cmd.exe, cmd.exe
  description | pid | process | target process | occurrences
  PID 900 wrote to memory of 364 | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe | cmd.exe | 3
  PID 900 wrote to memory of 1036 | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe | cmd.exe | 3
  PID 900 wrote to memory of 1424 | 900 | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe | notepad.exe | 22
  PID 364 wrote to memory of 1660 | 364 | cmd.exe | attrib.exe | 3
  PID 1036 wrote to memory of 1704 | 1036 | cmd.exe | attrib.exe | 3
System policy modification (1 TTP, 3 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
  pid | process
  1660 | attrib.exe
  1704 | attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe"
  - Modifies WinLogon for persistence
  - Modifies firewall policy service
  - Modifies security service
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\d35485fe44100a4643b22dc9ccaf443a4e98890710ee52701147e2144cf164ab.exe" +s +h
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes

  C:\Windows\SysWOW64\notepad.exe
    Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/364-115-0x0000000000000000-mapping.dmp
memory/900-114-0x0000000000770000-0x0000000000793000-memory.dmp (Filesize: 140KB)
memory/1036-116-0x0000000000000000-mapping.dmp
memory/1424-117-0x0000000000000000-mapping.dmp
memory/1424-120-0x0000000002940000-0x0000000002941000-memory.dmp (Filesize: 4KB)
memory/1660-118-0x0000000000000000-mapping.dmp
memory/1704-119-0x0000000000000000-mapping.dmp