Analysis
Max time kernel: 152s
Max time network: 106s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 30-09-2021 11:59
Tasks
Static task: static1
Behavioral task behavioral1: sample abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe, resource win7-en-20210920
Behavioral task behavioral2: sample abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe, resource win10v20210408
General
Target: abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe
Size: 768KB
MD5: 9d547d2e07746d84f0c9ce72502a9749
SHA1: 03419c2d9dcdda38826203dad7a9ef3b5eff6280
SHA256: abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df
SHA512: 862c8b3205539c66a60deba6384a409f52b247c625c55a96c454bf69bf38a3690043eb0f88b4666dda5764742215c42fde5f343c9d3fea5e122e4677b7c4ed44
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   process
  988   test.exe
  1244  svchost.exe

Modifies Windows Firewall (1 TTP)
  Raised by the netsh.exe command line recorded in the process tree below.

Drops startup file (2 IoCs)
  process      description                   ioc
  svchost.exe  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b82593d475a899b9a3354da582932eb7.exe
  svchost.exe  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b82593d475a899b9a3354da582932eb7.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  process      description      ioc
  svchost.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\b82593d475a899b9a3354da582932eb7 = "\"C:\\Users\\Admin\\svchost.exe\" .."
  svchost.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b82593d475a899b9a3354da582932eb7 = "\"C:\\Users\\Admin\\svchost.exe\" .."
  Both entries point at the copy of svchost.exe in the user profile, not the system binary in System32. The second entry lands under WOW6432Node, which is the 32-bit view of the HKLM Run key on 64-bit Windows: a 32-bit process writing HKLM\SOFTWARE\...\Run is redirected there. Persistence is therefore set three ways (HKCU Run, HKLM Run, Startup folder) under the same value name b82593d475a899b9a3354da582932eb7.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature. Nothing else in this report (no mass file modification, no ransom note) supports a ransomware classification; the recorded behaviour is persistence and firewall tampering.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  988   test.exe   (64 identical events)

Suspicious use of AdjustPrivilegeToken (32 IoCs)
  description                        pid   process
  Token: SeDebugPrivilege            988   test.exe
  Token: SeDebugPrivilege            1244  svchost.exe
  Token: 33                          1244  svchost.exe   (alternating with the next row, 15 times each, 30 events)
  Token: SeIncBasePriorityPrivilege  1244  svchost.exe
  "33" is the raw privilege LUID the sandbox did not map to a name; in winnt.h, 33 is SE_INC_WORKING_SET_PRIVILEGE. SeDebugPrivilege being enabled by both dropped executables fits the process enumeration above: it is what lets a process open handles to processes it does not own.

Suspicious use of WriteProcessMemory (12 IoCs)
  pid   process                                                                     target pid  target process  events
  568   abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe        844         cmd.exe         3
  844   cmd.exe                                                                     988         test.exe        3
  988   test.exe                                                                    1244        svchost.exe     3
  1244  svchost.exe                                                                 1644        netsh.exe       3
  Every pair here is a parent writing into a child it has just spawned (compare the process tree below). Writes into a freshly created child are part of normal process creation and are not by themselves evidence of injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe (PID 568)
  command line: "C:\Users\Admin\AppData\Local\Temp\abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 844)
    command line: C:\Windows\system32\cmd.exe /c test.exe
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\test.exe (PID 988)
      command line: test.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\svchost.exe (PID 1244)
        command line: "C:\Users\Admin\svchost.exe"
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\netsh.exe (PID 1644)
          command line: netsh firewall add allowedprogram "C:\Users\Admin\svchost.exe" "svchost.exe" ENABLE

PIDs are taken from the WriteProcessMemory table above. Two details worth reading off the tree:
  - cmd.exe was requested as C:\Windows\system32\cmd.exe but ran from C:\Windows\SysWOW64. That is WOW64 file-system redirection, so the sample and everything it spawns are 32-bit processes, which is also why its HKLM Run key ended up under WOW6432Node.
  - The netsh command uses the legacy "netsh firewall" context (deprecated in favour of "netsh advfirewall") to add an inbound exception for the user-profile copy of svchost.exe, a file named and placed to be mistaken for the system service host. Any "allowedprogram" or firewall rule whose program path is under C:\Users is worth an alert on its own.
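Added example, not part of the sandbox page or its tooling: a small Python rule set that expresses the three behaviours flagged in this report (a svchost.exe outside a system directory, Run-key and Startup-folder persistence pointing at a user-writable path, and a netsh firewall exception for such a path), run over an event list constructed from the report's own process tree and IoCs plus two benign controls. The Event dataclass, its schema and the helper names are assumptions made for the example; the ATT&CK IDs used in the findings (T1036.005, T1547.001, T1562.004) are current sub-technique IDs, not from the v6 matrix the page references.

```python
"""Added example, not part of the sandbox report: rule logic for the persistence
and firewall-tampering behaviour recorded above, exercised on a constructed event
list. The Event shape and the helper names are assumptions for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories where a binary named svchost.exe legitimately lives.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# HKCU/HKLM ...\CurrentVersion\Run, including the WOW6432Node view that a 32-bit
# process writes on 64-bit Windows (both variants appear in the report).
RUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Legacy `netsh firewall add allowedprogram <path> ...`; captures the program path.
NETSH_ALLOW_RE = re.compile(
    r'firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)


@dataclass
class Event:
    kind: str        # "process" | "registry" | "file"  (assumed schema)
    image: str       # image path of the acting process
    detail: str      # command line, registry value path, or file path
    data: str = ""   # registry value data when kind == "registry"


def user_writable(path: str) -> bool:
    """True for locations an unprivileged user can write to."""
    low = path.lower().lstrip('"')
    return low.startswith("c:\\users\\") or low.startswith("c:\\programdata\\")


def masquerading_svchost(image: str) -> bool:
    """svchost.exe outside System32/SysWOW64: the name/location mismatch seen here."""
    low = image.lower()
    return low.rsplit("\\", 1)[-1] == "svchost.exe" and not low.startswith(SYSTEM_DIRS)


def check(ev: Event) -> list[str]:
    """Apply every rule to one event; return the ATT&CK-tagged findings."""
    hits: list[str] = []
    if ev.kind == "process":
        if masquerading_svchost(ev.image):
            hits.append("T1036.005 svchost.exe running outside a system directory")
        m = NETSH_ALLOW_RE.search(ev.detail)
        if m and user_writable(m.group(1) or m.group(2)):
            hits.append("T1562.004 netsh firewall exception for a user-writable program")
    elif ev.kind == "registry":
        if RUN_KEY_RE.search(ev.detail) and user_writable(ev.data):
            hits.append("T1547.001 Run key pointing at a user-writable executable")
    elif ev.kind == "file":
        if STARTUP_RE.search(ev.detail):
            hits.append("T1547.001 file written to the Startup folder")
    return hits


def scan(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event index, finding) for every rule that fires."""
    return [(i, h) for i, ev in enumerate(events) for h in check(ev)]


# Constructed from the process tree and IoCs in the report above, plus two
# benign controls at the end; this is not a captured log.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c test.exe"),
    Event("process", r"C:\Users\Admin\AppData\Local\Temp\test.exe", "test.exe"),
    Event("process", r"C:\Users\Admin\svchost.exe", r'"C:\Users\Admin\svchost.exe"'),
    Event("registry", r"C:\Users\Admin\svchost.exe",
          r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000"
          r"\Software\Microsoft\Windows\CurrentVersion\Run\b82593d475a899b9a3354da582932eb7",
          r'"C:\Users\Admin\svchost.exe" ..'),
    Event("registry", r"C:\Users\Admin\svchost.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
          r"\b82593d475a899b9a3354da582932eb7",
          r'"C:\Users\Admin\svchost.exe" ..'),
    Event("file", r"C:\Users\Admin\svchost.exe",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
          r"\b82593d475a899b9a3354da582932eb7.exe"),
    Event("process", r"C:\Windows\SysWOW64\netsh.exe",
          r'netsh firewall add allowedprogram "C:\Users\Admin\svchost.exe" "svchost.exe" ENABLE'),
    Event("process", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    Event("registry", r"C:\Windows\System32\msiexec.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
          r'"C:\Program Files\Vendor\agent.exe"'),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

On a real host the same three rules map directly onto Sysmon event IDs 1 (process creation, for the masquerade and netsh checks), 13 (registry value set, for the Run keys) and 11 (file create, for the Startup folder); the user-writable-path test is what keeps the Run-key rule from firing on ordinary vendor entries under Program Files, as the last control event shows.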
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\test.exe
  MD5:    fad21654523f2840f6d7d749bc1399bd
  SHA1:   762c60db8a4e7ddb2b5d56d65aa91f1e118b74b6
  SHA256: 336ab64b766c2f89731f9f9efa9174ec93bfcac753b16d40d58dbf4ea02fc314
  SHA512: 393d85d9cef85ce4c6743010c61b6e99e65e8130906803b200ded8f3dea4c495b4395aa6f953b296ee93d26229c3ad4559a4af640e9fb78f53318067c7a22cd5
C:\Users\Admin\svchost.exe
  MD5:    fad21654523f2840f6d7d749bc1399bd
  SHA1:   762c60db8a4e7ddb2b5d56d65aa91f1e118b74b6
  SHA256: 336ab64b766c2f89731f9f9efa9174ec93bfcac753b16d40d58dbf4ea02fc314
  SHA512: 393d85d9cef85ce4c6743010c61b6e99e65e8130906803b200ded8f3dea4c495b4395aa6f953b296ee93d26229c3ad4559a4af640e9fb78f53318067c7a22cd5
The two dropped files are byte-identical (same SHA256): test.exe copies itself to C:\Users\Admin\svchost.exe before spawning it. Their hash differs from the submitted sample (SHA256 abb6...d07df, 768KB), so the submitted file is a wrapper that writes test.exe to %TEMP% and is not the persistent payload itself. Hunt for fad21654523f2840f6d7d749bc1399bd / 336ab64b...fc314 rather than for the submitted hash alone.

Memory dumps
memory/844-114-0x0000000000000000-mapping.dmp
memory/988-115-0x0000000000000000-mapping.dmp
memory/988-118-0x0000000002300000-0x0000000002301000-memory.dmp  (4KB)
memory/1244-119-0x0000000000000000-mapping.dmp
memory/1244-122-0x0000000002801000-0x0000000002802000-memory.dmp  (4KB)
memory/1644-123-0x0000000000000000-mapping.dmp