Analysis
max time kernel: 155s
max time network: 155s
platform: windows10_x64
resource: win10-en-20210920
submitted: 21-09-2021 08:37
Static task: static1
Behavioral task: behavioral1
  Sample: 0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe
  Resource: win10-en-20210920
General
Target: 0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe
Size: 545KB
MD5: 0a7c4d3e00285907574ed93105e7cbd0
SHA1: f5acb2a4339b7c0adc7b952a28a6e25a550ace90
SHA256: 0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290
SHA512: 622c50dc8641170f9b32068e40759971095c324f85c35dd8cee6df60196f4d6390f3728820cf373a60d7b98e9402d3f00ef3cd15cfcfe9267e0bcf3d3bee231f
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 3060  explorer.exe
Modifies Windows Firewall (1 TTP)
  Evidence is the netsh.exe command line under Processes: the dropped explorer.exe is added as an allowed program in the legacy Windows Firewall context.
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe  (explorer.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe  (explorer.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."  (explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."  (explorer.exe)
  Both the per-user (HKCU) and the machine-wide 32-bit (HKLM\...\WOW6432Node) Run keys point at the copy in %TEMP%, so the binary relaunches on logon for this user and, since it ran with enough privilege to write HKLM, for every user.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature. Nothing else in this report (no mass file writes, renames, or dropped notes) supports a ransomware classification, so treat that label as unconfirmed; drive enumeration is also common to RATs and worms that spread via removable media.
Suspicious behavior: EnumeratesProcesses (30 IoCs)
  PID 3060  explorer.exe  (30 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 3060  explorer.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3212 (0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe) wrote to memory of PID 3060 (explorer.exe)  x3
  PID 3060 (explorer.exe) wrote to memory of PID 4008 (netsh.exe)  x3
Processes
1. C:\Users\Admin\AppData\Local\Temp\0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe  (PID 3212)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\explorer.exe  (PID 3060)
      Command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe  (PID 4008)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
The second-stage binary borrows the name of the Windows shell (explorer.exe) but runs from %TEMP%, not C:\Windows; the netsh child is launched from SysWOW64, consistent with a 32-bit parent.
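The process tree and signatures above describe one persistence chain: a self-copy named explorer.exe in %TEMP%, two Run keys pointing at it, a Startup-folder drop, and a netsh firewall exception. The following detection logic, added here as an illustration and not part of the sandbox report or its tooling, flags each link of that chain from Sysmon-style process, registry and file telemetry. The event records are constructed from the IoCs on this page plus two benign controls; field names are simplified and are an assumption, not Sysmon's exact schema.

```python
"""Flag the persistence chain shown in this report from simplified
Sysmon-style telemetry. Added example; events below are constructed
from the report's IoCs, not exported from the sandbox."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A "system" binary or autostart target under a standard user's profile is
# the core anomaly in this report.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_IMAGE_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\",)
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
RUN_KEY = re.compile(r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
# Legacy 'netsh firewall' (used by this sample) and the modern advfirewall form.
NETSH_ALLOW = re.compile(r"netsh\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)", re.I)


@dataclass
class Event:
    kind: str              # "process", "registry" or "file"
    image: str             # image path of the acting process
    target: Optional[str]  # registry key or created file path; None for process events
    detail: Optional[str]  # command line (process) or value data (registry)


def quoted_paths(text: Optional[str]) -> List[str]:
    """Return the double-quoted substrings of a command line or value."""
    return re.findall(r'"([^"]+)"', text or "")


def check_event(ev: Event) -> List[Tuple[str, str]]:
    """Return (category, message) findings for one event."""
    findings: List[Tuple[str, str]] = []
    image_l = ev.image.lower()
    name = image_l.rsplit("\\", 1)[-1]
    if ev.kind == "process":
        if name in SYSTEM_IMAGE_NAMES and not image_l.startswith(SYSTEM_DIRS):
            findings.append(("masquerade", f"{name} running from {ev.image}"))
        if NETSH_ALLOW.search(ev.detail or ""):
            for path in quoted_paths(ev.detail):
                if USER_WRITABLE.match(path):
                    findings.append(("firewall", f"exception added for {path}"))
    elif ev.kind == "registry" and RUN_KEY.search(ev.target or ""):
        paths = quoted_paths(ev.detail) or (ev.detail or "").split()[:1]
        for path in paths:
            if USER_WRITABLE.match(path):
                findings.append(("runkey", f"{ev.target} -> {path}"))
    elif ev.kind == "file":
        tgt = ev.target or ""
        if STARTUP_DIR.search(tgt) and tgt.lower().endswith(".exe"):
            findings.append(("startup", f"{ev.image} wrote {tgt}"))
    return findings


def analyze(events: List[Event]) -> Dict[str, List[str]]:
    """Group findings by category across a batch of events."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        for cat, msg in check_event(ev):
            hits.setdefault(cat, []).append(msg)
    return hits


def is_persistence_chain(hits: Dict[str, List[str]]) -> bool:
    """Two or more distinct autostart/firewall mechanisms in one batch."""
    return len({"runkey", "startup", "firewall"} & set(hits)) >= 2


TEMP_EXPLORER = r"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
# Constructed from this report's process tree and signatures, plus two benign controls.
SAMPLE_EVENTS = [
    Event("process", TEMP_EXPLORER, None, f'"{TEMP_EXPLORER}"'),
    Event("process", r"C:\Windows\SysWOW64\netsh.exe", None,
          f'netsh firewall add allowedprogram "{TEMP_EXPLORER}" "explorer.exe" ENABLE'),
    Event("registry", TEMP_EXPLORER,
          r"\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f",
          f'"{TEMP_EXPLORER}" ..'),
    Event("registry", TEMP_EXPLORER,
          r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f",
          f'"{TEMP_EXPLORER}" ..'),
    Event("file", TEMP_EXPLORER,
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe", None),
    Event("process", r"C:\Windows\explorer.exe", None, r"C:\Windows\Explorer.EXE"),  # benign control
    Event("registry", r"C:\Windows\System32\svchost.exe",
          r"\REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),  # benign control
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for cat, msgs in result.items():
        for m in msgs:
            print(f"[{cat}] {m}")
    print("persistence chain:", is_persistence_chain(result))
```

The checks deliberately key on the location of the autostart target rather than on the hash or the random value name, since both change per build; the two benign controls (the real shell and a Run entry under Program Files) produce no findings.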
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\explorer.exe
  MD5: 0a7c4d3e00285907574ed93105e7cbd0
  SHA1: f5acb2a4339b7c0adc7b952a28a6e25a550ace90
  SHA256: 0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290
  SHA512: 622c50dc8641170f9b32068e40759971095c324f85c35dd8cee6df60196f4d6390f3728820cf373a60d7b98e9402d3f00ef3cd15cfcfe9267e0bcf3d3bee231f
  All four hashes match the submitted sample, so the dropped explorer.exe is a byte-for-byte self-copy; the same hash set covers both the original and the persisted binary.
memory/3060-126-0x0000000000000000-mapping.dmp
memory/3060-142-0x0000000004EB3000-0x0000000004EB5000-memory.dmp (8KB)
memory/3060-132-0x0000000004EB0000-0x0000000004EB1000-memory.dmp (4KB)
memory/3212-120-0x0000000002850000-0x0000000002857000-memory.dmp (28KB)
memory/3212-122-0x0000000007910000-0x0000000007911000-memory.dmp (4KB)
memory/3212-123-0x0000000007900000-0x0000000007901000-memory.dmp (4KB)
memory/3212-124-0x000000000AD50000-0x000000000AD58000-memory.dmp (32KB)
memory/3212-125-0x000000000AE10000-0x000000000AE11000-memory.dmp (4KB)
memory/3212-121-0x0000000007D30000-0x0000000007D31000-memory.dmp (4KB)
memory/3212-115-0x0000000000550000-0x0000000000551000-memory.dmp (4KB)
memory/3212-119-0x0000000004F60000-0x0000000004F9A000-memory.dmp (232KB)
memory/3212-131-0x0000000002873000-0x0000000002875000-memory.dmp (8KB)
memory/3212-118-0x00000000027D0000-0x00000000027F6000-memory.dmp (152KB)
memory/3212-117-0x0000000002870000-0x0000000002871000-memory.dmp (4KB)
memory/4008-141-0x0000000000000000-mapping.dmp