Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 26-09-2021 17:02
Static task: static1
Behavioral task: behavioral1
  Sample: A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
  Resource: win10v20210408
General
- Target: A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
- Size: 146KB
- MD5: d35bddd3a36c7f33e086db7464c817a4
- SHA1: 9e05674466f0935a5b17031a2278f64809878033
- SHA256: a4496847096f3b16c8cc2e743e48dabb687480f096384605f8601aa23dd05a8e
- SHA512: 423728567736c18ba050bc04116bb9a8615c5a24e89b9f5cc2d815ce778eaaedf17118814e82d5c804fcf2b0fd1bb3aa8e333588b3712ddb690395816752a4e1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2020  svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (reg.exe):
    Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDT = "C:\\ProgramData\\IDT\\svchost.exe"
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow 9   api.ipify.org
    flow 10  api.ipify.org
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 2024  A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
    PID 2020  svchost.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 2020  svchost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege  PID 2024  A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
    Token: SeDebugPrivilege  PID 2020  svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    PID 2020  svchost.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (each write is recorded three times in the report, 3 entries per row):
    PID 2024 (A4496847096F3B16C8CC2E743E48DABB687480F096384.exe) wrote to memory of PID 2020 (svchost.exe)
    PID 2020 (svchost.exe) wrote to memory of PID 1972 (cmd.exe)
    PID 1972 (cmd.exe) wrote to memory of PID 1292 (reg.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\A4496847096F3B16C8CC2E743E48DABB687480F096384.exe"
   PID: 2024
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\IDT\svchost.exe
      Command line: "C:\ProgramData\IDT\svchost.exe"
      PID: 2020
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         Command line: "cmd" /C REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v IDT /t REG_EXPAND_SZ /d "%PROGRAMDATA%\IDT\svchost.exe" /f
         PID: 1972
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\reg.exe
            Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v IDT /t REG_EXPAND_SZ /d "C:\ProgramData\IDT\svchost.exe" /f
            PID: 1292
            - Adds Run key to start application
            - Modifies registry key
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\IDT\svchost.exe (hashes identical to the submitted sample: the dropped file is a copy of the original executable)
  MD5: d35bddd3a36c7f33e086db7464c817a4
  SHA1: 9e05674466f0935a5b17031a2278f64809878033
  SHA256: a4496847096f3b16c8cc2e743e48dabb687480f096384605f8601aa23dd05a8e
  SHA512: 423728567736c18ba050bc04116bb9a8615c5a24e89b9f5cc2d815ce778eaaedf17118814e82d5c804fcf2b0fd1bb3aa8e333588b3712ddb690395816752a4e1
- memory/1292-64-0x0000000000000000-mapping.dmp
- memory/1972-63-0x0000000000000000-mapping.dmp
- memory/2020-58-0x0000000000ED0000-0x0000000000ED1000-memory.dmp (Filesize: 4KB)
- memory/2020-60-0x000000001B0A0000-0x000000001B0A2000-memory.dmp (Filesize: 8KB)
- memory/2020-61-0x00000000005A0000-0x00000000005B0000-memory.dmp (Filesize: 64KB)
- memory/2020-62-0x0000000000B70000-0x0000000000B94000-memory.dmp (Filesize: 144KB)
- memory/2020-55-0x0000000000000000-mapping.dmp
- memory/2020-65-0x0000000000EA0000-0x0000000000EA3000-memory.dmp (Filesize: 12KB)
- memory/2020-66-0x0000000000EB0000-0x0000000000EB4000-memory.dmp (Filesize: 16KB)
- memory/2020-67-0x0000000000EC0000-0x0000000000EC5000-memory.dmp (Filesize: 20KB)
- memory/2020-68-0x000000001AA10000-0x000000001AA1C000-memory.dmp (Filesize: 48KB)
- memory/2020-69-0x000000001AA20000-0x000000001AA22000-memory.dmp (Filesize: 8KB)
- memory/2020-70-0x000000001ABE0000-0x000000001AC69000-memory.dmp (Filesize: 548KB)
- memory/2024-53-0x00000000011E0000-0x00000000011E1000-memory.dmp (Filesize: 4KB)