Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
22-09-2021 13:24
Static task
static1
Behavioral task
behavioral1
Sample
ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe
Resource
win7-en-20210920
General
-
Target
ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe
-
Size
310KB
-
MD5
7d800ad9f415b03e6bb9a029fa57a3ec
-
SHA1
73d737b77a8fea41dad18dc6cdde0892b0dc9796
-
SHA256
ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145
-
SHA512
5549ec9bdf48419ad8edaceb1120ad4c8ccc0ead7057a7349ca40ccd997c70244eb1c102a4f63e03acd76947a76a0456dc00473458c18509b803451779c5bf0a
Malware Config
Signatures
-
Executes dropped EXE ⋅ 1 IoCs
Processes:
System.exepid process 3300 System.exe -
Modifies Windows Firewall ⋅ 1 TTPs
TTPs:
-
Drops startup file ⋅ 2 IoCs
Processes:
System.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f65c7a4a4880bc336b681db036e15111.exe System.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f65c7a4a4880bc336b681db036e15111.exe System.exe -
Drops file in Windows directory ⋅ 2 IoCs
Processes:
ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exedescription ioc process File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe -
Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken ⋅ 33 IoCs
Processes:
System.exedescription pid process Token: SeDebugPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe Token: 33 3300 System.exe Token: SeIncBasePriorityPrivilege 3300 System.exe -
Suspicious use of WriteProcessMemory ⋅ 6 IoCs
Processes:
ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exeSystem.exedescription pid process target process PID 4088 wrote to memory of 3300 4088 ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe System.exe PID 4088 wrote to memory of 3300 4088 ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe System.exe PID 4088 wrote to memory of 3300 4088 ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe System.exe PID 3300 wrote to memory of 3664 3300 System.exe netsh.exe PID 3300 wrote to memory of 3664 3300 System.exe netsh.exe PID 3300 wrote to memory of 3664 3300 System.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exePID:4088"C:\Users\Admin\AppData\Local\Temp\ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe"Drops file in Windows directorySuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\System.exePID:3300"C:\Users\Admin\AppData\Roaming\System.exe"Executes dropped EXEDrops startup fileSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exePID:3664netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System.exe" "System.exe" ENABLE
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
Downloads
-
C:\Users\Admin\AppData\Roaming\System.exeMD5
7d800ad9f415b03e6bb9a029fa57a3ec
SHA173d737b77a8fea41dad18dc6cdde0892b0dc9796
SHA256ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145
SHA5125549ec9bdf48419ad8edaceb1120ad4c8ccc0ead7057a7349ca40ccd997c70244eb1c102a4f63e03acd76947a76a0456dc00473458c18509b803451779c5bf0a
-
C:\Users\Admin\AppData\Roaming\System.exeMD5
7d800ad9f415b03e6bb9a029fa57a3ec
SHA173d737b77a8fea41dad18dc6cdde0892b0dc9796
SHA256ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145
SHA5125549ec9bdf48419ad8edaceb1120ad4c8ccc0ead7057a7349ca40ccd997c70244eb1c102a4f63e03acd76947a76a0456dc00473458c18509b803451779c5bf0a
-
memory/3300-116-0x0000000000000000-mapping.dmp
-
memory/3300-119-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
-
memory/3664-120-0x0000000000000000-mapping.dmp
-
memory/4088-115-0x0000000002D90000-0x0000000002D91000-memory.dmp