Analysis
- max time kernel: 152s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-09-2021 13:19
Static task: static1
Behavioral task: behavioral1
- Sample: d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe
- Resource: win10-en-20210920
General
- Target: d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe
- Size: 1.2MB
- MD5: 87665d443c7a883a9605213fa5028662
- SHA1: 04f910763ed46eb2b40be54f42ad7b7e4b149dd6
- SHA256: d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e
- SHA512: b46e0937229313334646aca69b041f1134b048c29518b85381fae86172e7c1f88134bd4576606d5b56c0ba4ee2b7ebd0d5bc979e81597422a57f22bf99d79f00
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: avg.dll.EXE
  - pid 4308, process avg.dll.EXE
- Modifies Windows Firewall (1 TTP)
  The firewall change is the netsh.exe invocation listed in the process tree below, which adds avg.dll.EXE as an allowed program.
- Drops startup file (2 IoCs)
  Process: avg.dll.EXE
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7b3667cff0c75e61709ad52657912c8e.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7b3667cff0c75e61709ad52657912c8e.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: avg.dll.EXE
  - Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\7b3667cff0c75e61709ad52657912c8e = "\"C:\\Users\\Admin\\AppData\\Roaming\\avg.dll.EXE\" .."
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7b3667cff0c75e61709ad52657912c8e = "\"C:\\Users\\Admin\\AppData\\Roaming\\avg.dll.EXE\" .."
  The value name is the same 32-hex-character string used for the Startup-folder file. The same value is written under both the user hive and HKLM (the WOW6432Node path indicates a 32-bit writer); the HKLM write succeeds because the sandbox runs the sample as an administrator.
- Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events, an anti-debugging technique.
  - pid 3620, d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe (3 calls)
  - pid 4308, avg.dll.EXE (14 calls)
- Enumerates physical storage devices (1 TTP)
  Sandbox signature text: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." This is a generic heuristic; nothing else in this report (no bulk file writes, no ransom note) corroborates ransomware, so treat the hint as unconfirmed.
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Process: avg.dll.EXE (pid 4308)
  - Token: SeDebugPrivilege (1 call)
  - Token: 33, i.e. the privilege identified by LUID 33, which winnt.h defines as SE_INC_WORKING_SET_PRIVILEGE (14 calls)
  - Token: SeIncBasePriorityPrivilege (14 calls)
  The 33 / SeIncBasePriorityPrivilege pair repeats 14 times in alternation after the single SeDebugPrivilege adjustment.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - pid 3620, d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe
  - pid 4308, avg.dll.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 3620 (d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe) wrote to memory of PID 4308 (avg.dll.EXE), 3 times
  - PID 4308 (avg.dll.EXE) wrote to memory of PID 4292 (netsh.exe), 3 times
  Each write targets the writer's own direct child at launch, which is consistent with ordinary process creation rather than injection into an unrelated process; this signature is low-signal on its own here.
Processes
1. C:\Users\Admin\AppData\Local\Temp\d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe (PID 3620)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe"
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\avg.dll.EXE (PID 4308, child of 3620)
      Command line: "C:\Users\Admin\AppData\Roaming\avg.dll.EXE"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 4292, child of 4308)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\avg.dll.EXE" "avg.dll.EXE" ENABLE
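The chain above (copy to %AppData%, Run value under both hives, Startup-folder drop, netsh firewall exception) is what a detection engineer would want to alert on generically rather than by hash. The following is an added example, not part of the sandbox report: a small rule set run over constructed Sysmon-style event records whose field names (Image, CommandLine, TargetObject, Details, TargetFilename) are an assumption about the log source, with one benign control event. It generalizes past this sample by matching any user-writable path and any Run/RunOnce key, and correlates hits per originating image so one process tripping several rules stands out.

```python
"""Detection rules for the persistence chain in this report.

Added example; not the sandbox's code. Events below are constructed to mirror
the report's IoCs using Sysmon-like field names (an assumption about the log source).
"""
import re
from collections import defaultdict

AVG = r"C:\Users\Admin\AppData\Roaming\avg.dll.EXE"

# Constructed events modelled on the report, plus one benign control (last entry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4308, "Image": AVG, "CommandLine": '"' + AVG + '"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe"},
    {"EventID": 13, "ProcessId": 4308, "Image": AVG,
     "TargetObject": r"HKU\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\7b3667cff0c75e61709ad52657912c8e",
     "Details": '"' + AVG + '" ..'},
    {"EventID": 13, "ProcessId": 4308, "Image": AVG,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7b3667cff0c75e61709ad52657912c8e",
     "Details": '"' + AVG + '" ..'},
    {"EventID": 11, "ProcessId": 4308, "Image": AVG,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7b3667cff0c75e61709ad52657912c8e.exe"},
    {"EventID": 1, "ProcessId": 4292, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": 'netsh firewall add allowedprogram "' + AVG + '" "avg.dll.EXE" ENABLE',
     "ParentImage": AVG},
    {"EventID": 13, "ProcessId": 5000, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe"'},
]

# Locations a standard user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\[^\\]+\\Downloads|Windows\\Temp|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|lnk|vbs|bat|cmd|js)$", re.I)
NETSH_ALLOW = re.compile(r"\b(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b", re.I)


def rule_run_key_user_path(ev):
    """Run/RunOnce value (registry set, ID 13) whose data points into a user-writable path."""
    if ev.get("EventID") == 13 and RUN_KEY.search(ev.get("TargetObject", "")) \
            and USER_WRITABLE.search(ev.get("Details", "")):
        return "run_key_to_user_writable_path"
    return None


def rule_startup_drop(ev):
    """Executable or script created (ID 11) directly inside a Startup folder."""
    if ev.get("EventID") == 11 and STARTUP_DIR.search(ev.get("TargetFilename", "")):
        return "startup_folder_drop"
    return None


def rule_netsh_allow(ev):
    """netsh (ID 1) opening the host firewall for a program in a user-writable path."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\netsh.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    if NETSH_ALLOW.search(cmd) and USER_WRITABLE.search(cmd):
        return "netsh_firewall_allow_user_path"
    return None


def rule_exec_from_user_path(ev):
    """Process (ID 1) in a user-writable path launched by a parent also in one."""
    if ev.get("EventID") == 1 and USER_WRITABLE.search(ev.get("Image", "")) \
            and USER_WRITABLE.search(ev.get("ParentImage", "")):
        return "exec_from_user_writable_by_user_writable_parent"
    return None


RULES = (rule_run_key_user_path, rule_startup_drop, rule_netsh_allow, rule_exec_from_user_path)


def detect(events):
    """Apply every rule to every event; return [(rule_name, pid, image), ...]."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, ev["ProcessId"], ev["Image"]))
    return hits


def correlate(events):
    """Group rule hits by originating image, attributing a netsh child to its parent
    image so the whole chain lands on one actor. Only actors with two or more
    distinct rules are returned, which suppresses single-rule noise."""
    by_actor = defaultdict(set)
    for name, pid, image in detect(events):
        actor = image
        if image.lower().endswith("\\netsh.exe"):
            actor = next((e.get("ParentImage") for e in events
                          if e.get("ProcessId") == pid and e.get("EventID") == 1), image)
        by_actor[actor].add(name)
    return {actor: sorted(names) for actor, names in by_actor.items() if len(names) >= 2}


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print(correlate(SAMPLE_EVENTS))
```

On the constructed events only avg.dll.EXE is returned by correlate(), with all four rules attached; the vendor installer's Run value under Program Files trips nothing. The Program Files exclusion is the important design choice: matching on Run-key writes alone would flood an analyst with installer noise, while requiring a user-writable target keeps the rule precise for exactly the %AppData% pattern this sample uses.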
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\avg.dll.EXE (listed twice by the sandbox, one entry per file event; both carry identical hashes)
  - MD5: 87665d443c7a883a9605213fa5028662
  - SHA1: 04f910763ed46eb2b40be54f42ad7b7e4b149dd6
  - SHA256: d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e
  - SHA512: b46e0937229313334646aca69b041f1134b048c29518b85381fae86172e7c1f88134bd4576606d5b56c0ba4ee2b7ebd0d5bc979e81597422a57f22bf99d79f00
  These hashes match the submitted sample exactly: avg.dll.EXE is a byte-identical copy of the original executable relocated to %AppData%, not a second-stage payload.
-
- memory/3620-115-0x0000000003460000-0x0000000003461000-memory.dmp (filesize 4KB)
- memory/4292-120-0x0000000000000000-mapping.dmp
- memory/4308-116-0x0000000000000000-mapping.dmp
- memory/4308-119-0x0000000003230000-0x0000000003231000-memory.dmp (filesize 4KB)