Analysis

max time kernel: 150s
max time network: 155s
platform: windows10_x64
resource: win10v20210408
submitted: 22-09-2021 13:12

Static task: static1
Behavioral task: behavioral1
  Sample: d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe
  Resource: win10v20210408
General

Target: d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe
Size: 3.7MB
MD5: 4b4dc6e050a52577e40b23eb0f2f1643
SHA1: adc7f113b6fb190df89c41147a01206ab85411c5
SHA256: d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd
SHA512: 3e9e205d10ea3fab1d436cccc157627103e41ff857da7ff733e3cf95cdae9f2e149f8d3b9817c4035edf9bc5de4d62ec6744d7d2c67321f28ef18d5b6ec77ca0
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 380  chrome .exe

Modifies Windows Firewall (1 TTP)

Drops startup file (2 IoCs)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82b3a5c8055c6c9df621b9015591f5e6.exe   (chrome .exe)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82b3a5c8055c6c9df621b9015591f5e6.exe   (chrome .exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\82b3a5c8055c6c9df621b9015591f5e6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\chrome .exe\" .."   (chrome .exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\82b3a5c8055c6c9df621b9015591f5e6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\chrome .exe\" .."   (chrome .exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (31 IoCs)
  pid 380  chrome .exe  Token: SeDebugPrivilege
  pid 380  chrome .exe  Token: 33                          (15 times)
  pid 380  chrome .exe  Token: SeIncBasePriorityPrivilege  (15 times, alternating with the entries above)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 740 wrote to memory of 380   d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe -> chrome .exe   (3 times)
  PID 380 wrote to memory of 1280  chrome .exe -> netsh.exe   (3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe
   "C:\Users\Admin\AppData\Local\Temp\d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\chrome .exe
      "C:\Users\Admin\AppData\Roaming\chrome .exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\chrome .exe" "chrome .exe" ENABLE
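The chain above is a compact persistence pattern worth detecting on its own: the submitted file writes a copy of itself to AppData\Roaming under the name "chrome .exe" (note the space before the extension; the dropped file carries the same MD5/SHA1/SHA256/SHA512 as the sample, so it is a self-copy rather than a second payload), registers that copy in both the per-user and the HKLM WOW6432Node Run keys and the Startup folder, and then spawns netsh.exe to whitelist the copy in the Windows Firewall. The detection logic below is an added example and is not part of the sandbox report; it runs over constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) whose PIDs, paths, registry values and netsh command line are taken from the report, while the field names, the parent PIDs of the outer processes and the benign Chrome launch used as a control are assumptions. It goes slightly beyond the report by also matching RunOnce keys and the newer "netsh advfirewall firewall add/set" syntax, and it attributes the firewall change to the process that launched netsh, so the dropped "chrome .exe" accumulates every behaviour while the initial dropper and the genuine browser stay below the alert threshold.

```python
"""Flag the dropped-copy / Run-key / Startup-folder / netsh firewall chain
seen in the sandbox report, over constructed Sysmon-style events."""
import re
from collections import defaultdict

# Constructed events modelled on the report's process tree and IoCs.
# Parent PIDs 500 and 1500 and the benign Chrome launch are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 740, "ParentProcessId": 500,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe"'},
    {"EventID": 1, "ProcessId": 380, "ParentProcessId": 740,
     "Image": r"C:\Users\Admin\AppData\Roaming\chrome .exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\chrome .exe"'},
    {"EventID": 11, "ProcessId": 380,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82b3a5c8055c6c9df621b9015591f5e6.exe"},
    {"EventID": 13, "ProcessId": 380,
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\82b3a5c8055c6c9df621b9015591f5e6",
     "Details": r'"C:\Users\Admin\AppData\Roaming\chrome .exe" ..'},
    {"EventID": 13, "ProcessId": 380,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\82b3a5c8055c6c9df621b9015591f5e6",
     "Details": r'"C:\Users\Admin\AppData\Roaming\chrome .exe" ..'},
    {"EventID": 1, "ProcessId": 1280, "ParentProcessId": 380,
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\chrome .exe" "chrome .exe" ENABLE'},
    # Benign control (assumed): the real browser from its install directory.
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 1500,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]

# Executables living under user-writable or scratch directories.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
# Whitespace immediately before the extension, e.g. "chrome .exe".
SPACE_BEFORE_EXT = re.compile(r"\s+\.exe$", re.I)
# HKCU/HKLM Run and RunOnce autostart values (any hive representation).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Legacy "netsh firewall" and current "netsh advfirewall firewall" rule changes.
NETSH_FW = re.compile(r"netsh(\.exe)?\s+(advfirewall\s+)?firewall\s+(add|set)\s", re.I)


def classify(ev):
    """Return the set of behaviour tags a single event triggers."""
    tags = set()
    if ev["EventID"] == 1:
        image = ev["Image"]
        if SPACE_BEFORE_EXT.search(image):
            tags.add("masquerade:space-before-extension")
        if USER_WRITABLE.search(image):
            tags.add("exec-from-user-writable-path")
        if NETSH_FW.search(ev.get("CommandLine", "")):
            tags.add("firewall-modification")
    elif ev["EventID"] == 11 and STARTUP_DIR.search(ev["TargetFilename"]):
        tags.add("persistence:startup-folder")
    elif ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
        tags.add("persistence:run-key")
    return tags


def detect(events, min_tags=2):
    """Collect tags per process and report those hitting >= min_tags distinct
    behaviours. A firewall change made through netsh is charged to the parent
    that spawned netsh, because that parent is the process being whitelisted."""
    parent = {ev["ProcessId"]: ev["ParentProcessId"]
              for ev in events if ev["EventID"] == 1}
    per_pid = defaultdict(set)
    for ev in events:
        tags = classify(ev)
        owner = ev["ProcessId"]
        if "firewall-modification" in tags and owner in parent:
            owner = parent[owner]
        per_pid[owner] |= tags
    return {pid: sorted(t) for pid, t in per_pid.items() if len(t) >= min_tags}


if __name__ == "__main__":
    for pid, tags in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(tags)}")
```

Run against the constructed events, only PID 380 (the dropped "chrome .exe") is reported, with all five tags; the initial dropper in Temp scores a single tag and the real browser none. On live telemetry the same rules would be fed from Sysmon or EDR process, file and registry events, and the threshold keeps a lone Run-key write (common for legitimate installers) from paging anyone.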
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\chrome .exe
  MD5: 4b4dc6e050a52577e40b23eb0f2f1643
  SHA1: adc7f113b6fb190df89c41147a01206ab85411c5
  SHA256: d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd
  SHA512: 3e9e205d10ea3fab1d436cccc157627103e41ff857da7ff733e3cf95cdae9f2e149f8d3b9817c4035edf9bc5de4d62ec6744d7d2c67321f28ef18d5b6ec77ca0
memory/380-115-0x0000000000000000-mapping.dmp
memory/380-118-0x00000000035A0000-0x00000000035A1000-memory.dmp  (4KB)
memory/380-120-0x00000000035A1000-0x00000000035A2000-memory.dmp  (4KB)
memory/740-114-0x0000000002F70000-0x0000000002F71000-memory.dmp  (4KB)
memory/1280-119-0x0000000000000000-mapping.dmp