Analysis
- max time kernel: 83s
- max time network: 86s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 16-10-2021 11:59

Static task: static1
Behavioral task: behavioral1
Sample: 7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
Resource: win7-en-20210920
General
- Target: 7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
- Size: 5.2MB
- MD5: 2e025daacfe1def8ac1fa48820d2c8ce
- SHA1: 86da098c8b04844ca54c35429d77cdd3273754e3
- SHA256: 7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8
- SHA512: 43c42d5817c59478890b6ab6520bb179960010434b3d114976528f475c331f1e6f69d93e7d7639da75c0ac00b5462825e4e53a830278e58f72cb2b7138454e9d
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1468  svchost.exe
- Modifies Windows Firewall (1 TTPs)
- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
- Drops file in Windows directory (4 IoCs)
  Processes:
    description                   ioc                            process
    File created                  C:\Windows\System\xxx1.bak     7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
    File created                  C:\Windows\System\svchost.exe  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
    File opened for modification  C:\Windows\System\svchost.exe  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
    File created                  C:\Windows\System\xxx1.bak     svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    592   powershell.exe
    2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
    1924  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  592   powershell.exe
    Token: SeDebugPrivilege  1924  powershell.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
    description                       pid   process                                                                target process
    PID 2016 wrote to memory of 592   2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  powershell.exe
    PID 2016 wrote to memory of 592   2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  powershell.exe
    PID 2016 wrote to memory of 592   2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  powershell.exe
    PID 2016 wrote to memory of 1828  2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  netsh.exe
    PID 2016 wrote to memory of 1828  2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  netsh.exe
    PID 2016 wrote to memory of 1828  2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  netsh.exe
    PID 2016 wrote to memory of 640   2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  netsh.exe
    PID 2016 wrote to memory of 640   2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  netsh.exe
    PID 2016 wrote to memory of 640   2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  netsh.exe
    PID 2016 wrote to memory of 1496  2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  schtasks.exe
    PID 2016 wrote to memory of 1496  2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  schtasks.exe
    PID 2016 wrote to memory of 1496  2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  schtasks.exe
    PID 2016 wrote to memory of 1468  2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  svchost.exe
    PID 2016 wrote to memory of 1468  2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  svchost.exe
    PID 2016 wrote to memory of 1468  2016  7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe  svchost.exe
    PID 1468 wrote to memory of 1924  1468  svchost.exe                                                            powershell.exe
    PID 1468 wrote to memory of 1924  1468  svchost.exe                                                            powershell.exe
    PID 1468 wrote to memory of 1924  1468  svchost.exe                                                            powershell.exe
    PID 1468 wrote to memory of 1584  1468  svchost.exe                                                            netsh.exe
    PID 1468 wrote to memory of 1584  1468  svchost.exe                                                            netsh.exe
    PID 1468 wrote to memory of 1584  1468  svchost.exe                                                            netsh.exe
    PID 1468 wrote to memory of 1664  1468  svchost.exe                                                            netsh.exe
    PID 1468 wrote to memory of 1664  1468  svchost.exe                                                            netsh.exe
    PID 1468 wrote to memory of 1664  1468  svchost.exe                                                            netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    - C:\Windows\System32\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      - Creates scheduled task(s)
    - C:\Windows\System\svchost.exe
      Command line: "C:\Windows\System\svchost.exe" formal
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\System32\netsh.exe
          Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        - C:\Windows\System32\netsh.exe
          Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 2c9d71907f9d839af00e4ebd8d15340b
  SHA1: 3856b534059349b0233c55b8f328ca58f30875ca
  SHA256: 57360d85e677365f6fd01592a63d84539d454e56f0996340dd345ac091fcba69
  SHA512: 2d1c45b118ea98b24cc6bc780dbe683820d29fe49d7fe05956c845208b488c8cb41e77fa27a23a2525bc64632cc8494078a8dcbf6c014578b0cf3194b1fc2a73
- C:\Windows\system\svchost.exe
  MD5: 2e025daacfe1def8ac1fa48820d2c8ce
  SHA1: 86da098c8b04844ca54c35429d77cdd3273754e3
  SHA256: 7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8
  SHA512: 43c42d5817c59478890b6ab6520bb179960010434b3d114976528f475c331f1e6f69d93e7d7639da75c0ac00b5462825e4e53a830278e58f72cb2b7138454e9d
- \Windows\system\svchost.exe
  MD5: 2e025daacfe1def8ac1fa48820d2c8ce
  SHA1: 86da098c8b04844ca54c35429d77cdd3273754e3
  SHA256: 7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8
  SHA512: 43c42d5817c59478890b6ab6520bb179960010434b3d114976528f475c331f1e6f69d93e7d7639da75c0ac00b5462825e4e53a830278e58f72cb2b7138454e9d
- memory/592-64-0x0000000001F64000-0x0000000001F67000-memory.dmp (Filesize: 12KB)
- memory/592-58-0x0000000000000000-mapping.dmp
- memory/592-61-0x000007FEF20B0000-0x000007FEF2C0D000-memory.dmp (Filesize: 11.4MB)
- memory/592-72-0x0000000001F6B000-0x0000000001F8A000-memory.dmp (Filesize: 124KB)
- memory/592-63-0x0000000001F62000-0x0000000001F64000-memory.dmp (Filesize: 8KB)
- memory/592-62-0x0000000001F60000-0x0000000001F62000-memory.dmp (Filesize: 8KB)
- memory/592-65-0x000000001B7A0000-0x000000001BA9F000-memory.dmp (Filesize: 3.0MB)
- memory/640-67-0x0000000000000000-mapping.dmp
- memory/1468-73-0x0000000000000000-mapping.dmp
- memory/1468-92-0x000000001049F000-0x00000000104C7000-memory.dmp (Filesize: 160KB)
- memory/1468-90-0x000000001037E000-0x000000001049F000-memory.dmp (Filesize: 1.1MB)
- memory/1468-89-0x0000000010001000-0x0000000010363000-memory.dmp (Filesize: 3.4MB)
- memory/1496-68-0x0000000000000000-mapping.dmp
- memory/1584-86-0x0000000000000000-mapping.dmp
- memory/1664-88-0x0000000000000000-mapping.dmp
- memory/1828-66-0x0000000000000000-mapping.dmp
- memory/1924-82-0x000007FEF20B0000-0x000007FEF2C0D000-memory.dmp (Filesize: 11.4MB)
- memory/1924-83-0x00000000023B0000-0x00000000023B2000-memory.dmp (Filesize: 8KB)
- memory/1924-84-0x00000000023B2000-0x00000000023B4000-memory.dmp (Filesize: 8KB)
- memory/1924-85-0x00000000023B4000-0x00000000023B7000-memory.dmp (Filesize: 12KB)
- memory/1924-79-0x0000000000000000-mapping.dmp
- memory/1924-87-0x00000000023BB000-0x00000000023DA000-memory.dmp (Filesize: 124KB)
- memory/2016-55-0x0000000140000000-0x0000000140632400-memory.dmp (Filesize: 6.2MB)
- memory/2016-56-0x0000000140000000-0x0000000140632400-memory.dmp (Filesize: 6.2MB)
- memory/2016-59-0x0000000140000000-0x0000000140632400-memory.dmp (Filesize: 6.2MB)
- memory/2016-54-0x0000000140000000-0x0000000140632400-memory.dmp (Filesize: 6.2MB)
- memory/2016-57-0x000007FEFB691000-0x000007FEFB693000-memory.dmp (Filesize: 8KB)