Analysis
- Max time kernel: 151s
- Max time network: 187s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 21-09-2021 08:37
Static task: static1
Behavioral task: behavioral1
- Sample: 0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe
- Resource: win10-en-20210920
General
- Target: 0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe
- Size: 545KB
- MD5: 0a7c4d3e00285907574ed93105e7cbd0
- SHA1: f5acb2a4339b7c0adc7b952a28a6e25a550ace90
- SHA256: 0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290
- SHA512: 622c50dc8641170f9b32068e40759971095c324f85c35dd8cee6df60196f4d6390f3728820cf373a60d7b98e9402d3f00ef3cd15cfcfe9267e0bcf3d3bee231f
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: explorer.exe (PID 1692)
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes:
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe (explorer.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe (explorer.exe)
- Loads dropped DLL (1 IoC)
  Processes: 0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe (PID 2016)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .." (explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .." (explorer.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: explorer.exe (PID 1692), 18 events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token: SeDebugPrivilege, explorer.exe (PID 1692)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 2016 (0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe) wrote to memory of PID 1692 (explorer.exe), 4 events
  - PID 1692 (explorer.exe) wrote to memory of PID 1588 (netsh.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  MD5: 0a7c4d3e00285907574ed93105e7cbd0
  SHA1: f5acb2a4339b7c0adc7b952a28a6e25a550ace90
  SHA256: 0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290
  SHA512: 622c50dc8641170f9b32068e40759971095c324f85c35dd8cee6df60196f4d6390f3728820cf373a60d7b98e9402d3f00ef3cd15cfcfe9267e0bcf3d3bee231f
  (Hashes match the submitted sample: the dropped explorer.exe is a copy of the original executable.)
- \Users\Admin\AppData\Local\Temp\explorer.exe
  MD5: 0a7c4d3e00285907574ed93105e7cbd0
  SHA1: f5acb2a4339b7c0adc7b952a28a6e25a550ace90
  SHA256: 0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290
  SHA512: 622c50dc8641170f9b32068e40759971095c324f85c35dd8cee6df60196f4d6390f3728820cf373a60d7b98e9402d3f00ef3cd15cfcfe9267e0bcf3d3bee231f
Memory dumps
- memory/1588-79-0x0000000000000000-mapping.dmp
- memory/1692-68-0x0000000000000000-mapping.dmp
- memory/1692-80-0x00000000049C5000-0x00000000049D6000-memory.dmp (68KB)
- memory/1692-75-0x00000000049C0000-0x00000000049C1000-memory.dmp (4KB)
- memory/1692-71-0x0000000000CC0000-0x0000000000CC1000-memory.dmp (4KB)
- memory/2016-64-0x00000000006C0000-0x00000000006FA000-memory.dmp (232KB)
- memory/2016-66-0x0000000000780000-0x0000000000788000-memory.dmp (32KB)
- memory/2016-65-0x0000000000410000-0x0000000000417000-memory.dmp (28KB)
- memory/2016-59-0x0000000001290000-0x0000000001291000-memory.dmp (4KB)
- memory/2016-74-0x0000000004A65000-0x0000000004A76000-memory.dmp (68KB)
- memory/2016-63-0x0000000004A60000-0x0000000004A61000-memory.dmp (4KB)
- memory/2016-62-0x0000000000350000-0x0000000000376000-memory.dmp (152KB)
- memory/2016-61-0x00000000754F1000-0x00000000754F3000-memory.dmp (8KB)