Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 21-10-2021 18:09
Static task: static1
Behavioral task: behavioral1
- Sample: f67e9c9915e81bd08ebb0e2b57909677.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: f67e9c9915e81bd08ebb0e2b57909677.exe
- Resource: win10-en-20211014
General
- Target: f67e9c9915e81bd08ebb0e2b57909677.exe
- Size: 1.2MB
- MD5: f67e9c9915e81bd08ebb0e2b57909677
- SHA1: 9fd3f0658a7c285d6bdcd6f5b25d3995045a5b88
- SHA256: 45790bd0bb5eef4380c93de089dd9bf9b137a70bdc2f78e976919b6dd4b6bb2b
- SHA512: c71df4adc7b5bc534b74a25e2b7aadefb1ca0e6c8d9380785f4012bb0974df8f382a8fa3ba21ca8f91a3cbc338821fc7f7e5d3d7ab9e1b2b4ce1e0e4d1fec0fe
Malware Config
Signatures
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (6 instances)
description / pid / pid_target / process:
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process / 1684 / 1824 / schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process / 992 / 1824 / schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process / 1496 / 1824 / schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process / 1752 / 1824 / schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process / 2036 / 1824 / schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process / 596 / 1824 / schtasks.exe
-
Executes dropped EXE 2 IoCs
Processes: WinsessionBrokernetIntohost.exe, lsm.exe
pid / process:
- 1956 / WinsessionBrokernetIntohost.exe
- 2040 / lsm.exe
-
Loads dropped DLL 2 IoCs
Processes: cmd.exe
pid / process:
- 768 / cmd.exe
- 768 / cmd.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: WinsessionBrokernetIntohost.exe
description / ioc / process:
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\PFRO\\explorer.exe\"" / WinsessionBrokernetIntohost.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\ProgramData\\Application Data\\WMIADAP.exe\"" / WinsessionBrokernetIntohost.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\MsCtfMonitor\\lsass.exe\"" / WinsessionBrokernetIntohost.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\KBDINTEL\\lsm.exe\"" / WinsessionBrokernetIntohost.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Portable Devices\\System.exe\"" / WinsessionBrokernetIntohost.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\AdapterTroubleshooter\\csrss.exe\"" / WinsessionBrokernetIntohost.exe
-
Drops file in System32 directory 6 IoCs
Processes: WinsessionBrokernetIntohost.exe
description / ioc / process:
- File created / C:\Windows\System32\MsCtfMonitor\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9 / WinsessionBrokernetIntohost.exe
- File created / C:\Windows\System32\KBDINTEL\lsm.exe / WinsessionBrokernetIntohost.exe
- File created / C:\Windows\System32\KBDINTEL\101b941d020240259ca4912829b53995ad543df6 / WinsessionBrokernetIntohost.exe
- File created / C:\Windows\System32\AdapterTroubleshooter\csrss.exe / WinsessionBrokernetIntohost.exe
- File created / C:\Windows\System32\AdapterTroubleshooter\886983d96e3d3e31032c679b2d4ea91b6c05afef / WinsessionBrokernetIntohost.exe
- File created / C:\Windows\System32\MsCtfMonitor\lsass.exe / WinsessionBrokernetIntohost.exe
-
Drops file in Program Files directory 2 IoCs
Processes: WinsessionBrokernetIntohost.exe
description / ioc / process:
- File created / C:\Program Files (x86)\Windows Portable Devices\System.exe / WinsessionBrokernetIntohost.exe
- File created / C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a / WinsessionBrokernetIntohost.exe
-
Drops file in Windows directory 3 IoCs
Processes: WinsessionBrokernetIntohost.exe
description / ioc / process:
- File created / C:\Windows\PFRO\explorer.exe / WinsessionBrokernetIntohost.exe
- File opened for modification / C:\Windows\PFRO\explorer.exe / WinsessionBrokernetIntohost.exe
- File created / C:\Windows\PFRO\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 / WinsessionBrokernetIntohost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (6 instances)
pid / process:
- 1684 / schtasks.exe
- 992 / schtasks.exe
- 1496 / schtasks.exe
- 1752 / schtasks.exe
- 2036 / schtasks.exe
- 596 / schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: WinsessionBrokernetIntohost.exe, lsm.exe
pid / process:
- 1956 / WinsessionBrokernetIntohost.exe
- 2040 / lsm.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: WinsessionBrokernetIntohost.exe, lsm.exe
description / pid / process:
- Token: SeDebugPrivilege / 1956 / WinsessionBrokernetIntohost.exe
- Token: SeDebugPrivilege / 2040 / lsm.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes: f67e9c9915e81bd08ebb0e2b57909677.exe, WScript.exe, cmd.exe, WinsessionBrokernetIntohost.exe
description / pid / process / target process:
- PID 652 wrote to memory of 1632 / 652 / f67e9c9915e81bd08ebb0e2b57909677.exe / WScript.exe (4 entries)
- PID 1632 wrote to memory of 768 / 1632 / WScript.exe / cmd.exe (4 entries)
- PID 768 wrote to memory of 1956 / 768 / cmd.exe / WinsessionBrokernetIntohost.exe (4 entries)
- PID 1956 wrote to memory of 2040 / 1956 / WinsessionBrokernetIntohost.exe / lsm.exe (3 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\f67e9c9915e81bd08ebb0e2b57909677.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\f67e9c9915e81bd08ebb0e2b57909677.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe (tree level 2)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinsessionBrokernet\ufqa67DL2gtzgC.vbe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (tree level 3)
Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\WinsessionBrokernet\vxdOo.bat" "
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinsessionBrokernet\WinsessionBrokernetIntohost.exe (tree level 4)
Command line: "C:\Users\Admin\AppData\Roaming\WinsessionBrokernet\WinsessionBrokernetIntohost.exe"
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\KBDINTEL\lsm.exe (tree level 5)
Command line: "C:\Windows\System32\KBDINTEL\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PFRO\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\ProgramData\Application Data\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\MsCtfMonitor\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\KBDINTEL\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\AdapterTroubleshooter\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\WinsessionBrokernet\WinsessionBrokernetIntohost.exe
MD5 3c0e66c07059d17b9dec156ae1f99fcf
SHA1 a9cf63368c43a839590f55a4896d503909d4ea76
SHA256 bd10ea4eeb2a7f1e9b3157ce51752336fe3d6dc56fb49bdc736bbe0ea34f5936
SHA512 4a7d7555e6cf982c62fe7185f7b147c959a82b3be5e33aeec7bc9f22ab8adcdf4cf9ca10a2a7be50a7f98c19402f8bde9fff22ff8de3e3727a8a35604767ab39
-
C:\Users\Admin\AppData\Roaming\WinsessionBrokernet\ufqa67DL2gtzgC.vbe
MD5 79ec3118b469d48b8b3b6a1c0b330fb5
SHA1 9ef874c6a1ca3af5e07e83260dee0dc6ff7e3816
SHA256 b3bbe75c2eed62015193612b19c38eabb1c7a7b51797ad9ffa26b1eb7485839f
SHA512 0d085322c07d4553cbe7303a1a88ec329845a25ba07efe83989f912ab4e311f7ef891c2c071e87adb2de2b8b2c4e4ef5a2673b02ad8b45444e6663ead1fd0580
-
C:\Users\Admin\AppData\Roaming\WinsessionBrokernet\vxdOo.bat
MD5 ea5bc8528b06faf92eaa4f0d6194365b
SHA1 734509caf332eeffcdfea6d079b45653876e221d
SHA256 e1d8b03b08fd259e5a9cda84dc3f646bd68701ae82586e48072b62107dfb0f7a
SHA512 11cc2fd1bd98468908a197944fbd133c23899284fb745159b140d9e1f477d8c96a03c167a229814089fdc31ceed18d32992f05dd96369cbed290b3004d298edb
-
C:\Windows\System32\KBDINTEL\lsm.exe
MD5 3c0e66c07059d17b9dec156ae1f99fcf
SHA1 a9cf63368c43a839590f55a4896d503909d4ea76
SHA256 bd10ea4eeb2a7f1e9b3157ce51752336fe3d6dc56fb49bdc736bbe0ea34f5936
SHA512 4a7d7555e6cf982c62fe7185f7b147c959a82b3be5e33aeec7bc9f22ab8adcdf4cf9ca10a2a7be50a7f98c19402f8bde9fff22ff8de3e3727a8a35604767ab39
-
\Users\Admin\AppData\Roaming\WinsessionBrokernet\WinsessionBrokernetIntohost.exe
MD5 3c0e66c07059d17b9dec156ae1f99fcf
SHA1 a9cf63368c43a839590f55a4896d503909d4ea76
SHA256 bd10ea4eeb2a7f1e9b3157ce51752336fe3d6dc56fb49bdc736bbe0ea34f5936
SHA512 4a7d7555e6cf982c62fe7185f7b147c959a82b3be5e33aeec7bc9f22ab8adcdf4cf9ca10a2a7be50a7f98c19402f8bde9fff22ff8de3e3727a8a35604767ab39
-
memory/652-55-0x00000000762D1000-0x00000000762D3000-memory.dmp (Filesize 8KB)
-
memory/768-60-0x0000000000000000-mapping.dmp
-
memory/1632-56-0x0000000000000000-mapping.dmp
-
memory/1956-66-0x0000000001380000-0x0000000001381000-memory.dmp (Filesize 4KB)
-
memory/1956-68-0x000000001AEE0000-0x000000001AEE2000-memory.dmp (Filesize 8KB)
-
memory/1956-64-0x0000000000000000-mapping.dmp
-
memory/2040-69-0x0000000000000000-mapping.dmp
-
memory/2040-72-0x0000000001360000-0x0000000001361000-memory.dmp (Filesize 4KB)
-
memory/2040-74-0x000000001B140000-0x000000001B142000-memory.dmp (Filesize 8KB)