Analysis
max time kernel: 149s
max time network: 44s
platform: windows7_x64
resource: win7-en-20210920
submitted: 23-09-2021 08:11
Static task: static1
Behavioral task: behavioral1
  Sample: fadb5aef63fcc65c3243a246021cd60797451bd3e8efdba102ecd9b34aa178e8.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: fadb5aef63fcc65c3243a246021cd60797451bd3e8efdba102ecd9b34aa178e8.exe
  Resource: win10v20210408
General
Target: fadb5aef63fcc65c3243a246021cd60797451bd3e8efdba102ecd9b34aa178e8.exe
Size: 343KB
MD5: 2a9d804a886fdaf9cbed38acb6f2166e
SHA1: 6ab3b296c0d29c340ef870df8f401a0a578ab404
SHA256: fadb5aef63fcc65c3243a246021cd60797451bd3e8efdba102ecd9b34aa178e8
SHA512: 1051fd46e763ec5d1edaa6b1bf64d479d5aef2dd527905e5b42701acd8e32ff4dc58429167ebe26c46c103116fbbfd2a1223962938ee18ba7b5c96d3b6cc3c08
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 944: svchost.exe
Modifies Windows Firewall (1 TTP)
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00ec6113236946d7c46bf7b80d881ad4.exe (process: svchost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00ec6113236946d7c46bf7b80d881ad4.exe (process: svchost.exe)
Loads dropped DLL (1 IoC)
  pid 1756: fadb5aef63fcc65c3243a246021cd60797451bd3e8efdba102ecd9b34aa178e8.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\00ec6113236946d7c46bf7b80d881ad4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." (process: svchost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\00ec6113236946d7c46bf7b80d881ad4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." (process: svchost.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Token: SeDebugPrivilege (pid 944, svchost.exe)
  Token: 33 (pid 944, svchost.exe)
  Token: SeIncBasePriorityPrivilege (pid 944, svchost.exe)
  (the preceding two entries alternate a further 15 times, all for pid 944 svchost.exe, for 33 entries in total)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1756 wrote to memory of 944: fadb5aef63fcc65c3243a246021cd60797451bd3e8efdba102ecd9b34aa178e8.exe -> svchost.exe (4 entries)
  PID 944 wrote to memory of 956: svchost.exe -> netsh.exe (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\fadb5aef63fcc65c3243a246021cd60797451bd3e8efdba102ecd9b34aa178e8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fadb5aef63fcc65c3243a246021cd60797451bd3e8efdba102ecd9b34aa178e8.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
Downloads
C:\Users\Admin\AppData\Roaming\svchost.exe
  MD5: 2a9d804a886fdaf9cbed38acb6f2166e
  SHA1: 6ab3b296c0d29c340ef870df8f401a0a578ab404
  SHA256: fadb5aef63fcc65c3243a246021cd60797451bd3e8efdba102ecd9b34aa178e8
  SHA512: 1051fd46e763ec5d1edaa6b1bf64d479d5aef2dd527905e5b42701acd8e32ff4dc58429167ebe26c46c103116fbbfd2a1223962938ee18ba7b5c96d3b6cc3c08
\Users\Admin\AppData\Roaming\svchost.exe
  MD5: 2a9d804a886fdaf9cbed38acb6f2166e
  SHA1: 6ab3b296c0d29c340ef870df8f401a0a578ab404
  SHA256: fadb5aef63fcc65c3243a246021cd60797451bd3e8efdba102ecd9b34aa178e8
  SHA512: 1051fd46e763ec5d1edaa6b1bf64d479d5aef2dd527905e5b42701acd8e32ff4dc58429167ebe26c46c103116fbbfd2a1223962938ee18ba7b5c96d3b6cc3c08
memory/944-56-0x0000000000000000-mapping.dmp
memory/944-60-0x0000000001F20000-0x0000000001F21000-memory.dmp
  Filesize: 4KB
memory/956-61-0x0000000000000000-mapping.dmp
memory/1756-53-0x0000000076961000-0x0000000076963000-memory.dmp
  Filesize: 8KB
memory/1756-54-0x0000000001F40000-0x0000000001F41000-memory.dmp
  Filesize: 4KB