Analysis
- max time kernel: 152s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 30-09-2021 11:59
Static task: static1
Behavioral task: behavioral1
- Sample: abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe
- Resource: win10v20210408
General
- Target: abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe
- Size: 768KB
- MD5: 9d547d2e07746d84f0c9ce72502a9749
- SHA1: 03419c2d9dcdda38826203dad7a9ef3b5eff6280
- SHA256: abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df
- SHA512: 862c8b3205539c66a60deba6384a409f52b247c625c55a96c454bf69bf38a3690043eb0f88b4666dda5764742215c42fde5f343c9d3fea5e122e4677b7c4ed44
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1780 test.exe
  - 1992 svchost.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b82593d475a899b9a3354da582932eb7.exe (svchost.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b82593d475a899b9a3354da582932eb7.exe (svchost.exe)
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 972 cmd.exe
  - 1780 test.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\b82593d475a899b9a3354da582932eb7 = "\"C:\\Users\\Admin\\svchost.exe\" .." (svchost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b82593d475a899b9a3354da582932eb7 = "\"C:\\Users\\Admin\\svchost.exe\" .." (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 1780 test.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1780 test.exe
  - Token: SeDebugPrivilege, 1992 svchost.exe
  - Token: 33, 1992 svchost.exe (16 entries, alternating with the next)
  - Token: SeIncBasePriorityPrivilege, 1992 svchost.exe (16 entries)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description, pid, process, target process), each entry listed 4 times:
  - PID 1532 wrote to memory of 972: abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe -> cmd.exe
  - PID 972 wrote to memory of 1780: cmd.exe -> test.exe
  - PID 1780 wrote to memory of 1992: test.exe -> svchost.exe
  - PID 1992 wrote to memory of 700: svchost.exe -> netsh.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c test.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\test.exe
      Command line: test.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\svchost.exe
        Command line: "C:\Users\Admin\svchost.exe"
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\svchost.exe" "svchost.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\test.exe
  MD5: fad21654523f2840f6d7d749bc1399bd
  SHA1: 762c60db8a4e7ddb2b5d56d65aa91f1e118b74b6
  SHA256: 336ab64b766c2f89731f9f9efa9174ec93bfcac753b16d40d58dbf4ea02fc314
  SHA512: 393d85d9cef85ce4c6743010c61b6e99e65e8130906803b200ded8f3dea4c495b4395aa6f953b296ee93d26229c3ad4559a4af640e9fb78f53318067c7a22cd5
- C:\Users\Admin\svchost.exe
  MD5: fad21654523f2840f6d7d749bc1399bd
  SHA1: 762c60db8a4e7ddb2b5d56d65aa91f1e118b74b6
  SHA256: 336ab64b766c2f89731f9f9efa9174ec93bfcac753b16d40d58dbf4ea02fc314
  SHA512: 393d85d9cef85ce4c6743010c61b6e99e65e8130906803b200ded8f3dea4c495b4395aa6f953b296ee93d26229c3ad4559a4af640e9fb78f53318067c7a22cd5
- memory/700-67-0x0000000000000000-mapping.dmp
- memory/972-54-0x0000000000000000-mapping.dmp
- memory/1780-57-0x0000000000000000-mapping.dmp
- memory/1780-59-0x00000000751D1000-0x00000000751D3000-memory.dmp (Filesize: 8KB)
- memory/1780-60-0x00000000002A0000-0x00000000002A1000-memory.dmp (Filesize: 4KB)
- memory/1992-62-0x0000000000000000-mapping.dmp
- memory/1992-66-0x0000000001F40000-0x0000000001F41000-memory.dmp (Filesize: 4KB)