Analysis
- max time kernel: 103s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-09-2021 17:02
Static task: static1
Behavioral task: behavioral1
- Sample: A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
- Resource: win10v20210408
General
- Target: A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
- Size: 146KB
- MD5: d35bddd3a36c7f33e086db7464c817a4
- SHA1: 9e05674466f0935a5b17031a2278f64809878033
- SHA256: a4496847096f3b16c8cc2e743e48dabb687480f096384605f8601aa23dd05a8e
- SHA512: 423728567736c18ba050bc04116bb9a8615c5a24e89b9f5cc2d815ce778eaaedf17118814e82d5c804fcf2b0fd1bb3aa8e333588b3712ddb690395816752a4e1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 996 | svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDT = "C:\\ProgramData\\IDT\\svchost.exe" | reg.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    7 | api.ipify.org
    8 | api.ipify.org
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 564 | A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
    pid 996 | svchost.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 996 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 564 | A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
    Token: SeDebugPrivilege | 996 | svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid 996 | svchost.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
    PID 564 wrote to memory of 996 | 564 | A4496847096F3B16C8CC2E743E48DABB687480F096384.exe | svchost.exe
    PID 564 wrote to memory of 996 | 564 | A4496847096F3B16C8CC2E743E48DABB687480F096384.exe | svchost.exe
    PID 996 wrote to memory of 1628 | 996 | svchost.exe | cmd.exe
    PID 996 wrote to memory of 1628 | 996 | svchost.exe | cmd.exe
    PID 1628 wrote to memory of 1764 | 1628 | cmd.exe | reg.exe
    PID 1628 wrote to memory of 1764 | 1628 | cmd.exe | reg.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\A4496847096F3B16C8CC2E743E48DABB687480F096384.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\ProgramData\IDT\svchost.exe
    Command line: "C:\ProgramData\IDT\svchost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd" /C REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v IDT /t REG_EXPAND_SZ /d "%PROGRAMDATA%\IDT\svchost.exe" /f
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\system32\reg.exe
        Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v IDT /t REG_EXPAND_SZ /d "C:\ProgramData\IDT\svchost.exe" /f
        - Adds Run key to start application
        - Modifies registry key
Downloads
- C:\ProgramData\IDT\svchost.exe
  MD5: d35bddd3a36c7f33e086db7464c817a4
  SHA1: 9e05674466f0935a5b17031a2278f64809878033
  SHA256: a4496847096f3b16c8cc2e743e48dabb687480f096384605f8601aa23dd05a8e
  SHA512: 423728567736c18ba050bc04116bb9a8615c5a24e89b9f5cc2d815ce778eaaedf17118814e82d5c804fcf2b0fd1bb3aa8e333588b3712ddb690395816752a4e1
- memory/564-114-0x00000237465E0000-0x00000237465E1000-memory.dmp (Filesize: 4KB)
- memory/996-129-0x0000022D883F0000-0x0000022D883F2000-memory.dmp (Filesize: 8KB)
- memory/996-121-0x0000022DA2B02000-0x0000022DA2B03000-memory.dmp (Filesize: 4KB)
- memory/996-122-0x0000022D87F50000-0x0000022D87F60000-memory.dmp (Filesize: 64KB)
- memory/996-123-0x0000022D88020000-0x0000022D88044000-memory.dmp (Filesize: 144KB)
- memory/996-126-0x0000022D880F0000-0x0000022D880F3000-memory.dmp (Filesize: 12KB)
- memory/996-127-0x0000022D88390000-0x0000022D88394000-memory.dmp (Filesize: 16KB)
- memory/996-128-0x0000022D883A0000-0x0000022D883A5000-memory.dmp (Filesize: 20KB)
- memory/996-116-0x0000000000000000-mapping.dmp
- memory/996-130-0x0000022D89C60000-0x0000022D89CE9000-memory.dmp (Filesize: 548KB)
- memory/996-131-0x0000022D89C20000-0x0000022D89C2C000-memory.dmp (Filesize: 48KB)
- memory/996-132-0x0000022DA2B03000-0x0000022DA2B04000-memory.dmp (Filesize: 4KB)
- memory/1628-124-0x0000000000000000-mapping.dmp
- memory/1764-125-0x0000000000000000-mapping.dmp