Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 06-11-2021 13:17
Static task: static1
Behavioral task: behavioral1
  Sample: 1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
  Resource: win10-en-20211014
General
- Target: 1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
- Size: 162KB
- MD5: 46aafec84dd26ba8e4676b91e7a33b1c
- SHA1: 7b0041322232fb0776c7fec31914049e0f980427
- SHA256: 1a8cd081624acf2e77c9851f2e223e6542971749abecc20029d290ffd40fccde
- SHA512: c136b4745ce1febc97d691a4b0261412cda6a64e0110989bb37938af77cbdd84eb92ac239af29e11172566c6b759cc35bde43845b5f52209f73baeda14a754c6
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    - 1720 Y9cA8bTK55jM6Vs2u1ah.exe
    - 1532 internet.exe
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1b5816ba242f2863f6da2fff3128272c.exe (internet.exe)
    - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1b5816ba242f2863f6da2fff3128272c.exe (internet.exe)
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
    - 1840 1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
    - 1840 1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
    - 1720 Y9cA8bTK55jM6Vs2u1ah.exe
    - 1720 Y9cA8bTK55jM6Vs2u1ah.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    - Set value (str): \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\1b5816ba242f2863f6da2fff3128272c = "\"C:\\Users\\Admin\\AppData\\Roaming\\internet.exe\" .." (internet.exe)
    - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1b5816ba242f2863f6da2fff3128272c = "\"C:\\Users\\Admin\\AppData\\Roaming\\internet.exe\" .." (internet.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    - File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new (1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe)
    - File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new (1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes (description, pid, process):
    - Token: SeDebugPrivilege, 1840 1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
    - Token: 33, 1840 1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
    - Token: SeIncBasePriorityPrivilege, 1840 1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
    - Token: SeDebugPrivilege, 1532 internet.exe
    - Token: 33, 1532 internet.exe (15 entries, alternating with the next row)
    - Token: SeIncBasePriorityPrivilege, 1532 internet.exe (15 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (pid, process, target process):
    - PID 1840 1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe wrote to memory of 1720 Y9cA8bTK55jM6Vs2u1ah.exe (4 entries)
    - PID 1720 Y9cA8bTK55jM6Vs2u1ah.exe wrote to memory of 1532 internet.exe (4 entries)
    - PID 1532 internet.exe wrote to memory of 1088 netsh.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Y9cA8bTK55jM6Vs2u1ah.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Y9cA8bTK55jM6Vs2u1ah.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\internet.exe
      Command line: "C:\Users\Admin\AppData\Roaming\internet.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\internet.exe" "internet.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Y9cA8bTK55jM6Vs2u1ah.exe
  MD5: 43095f8e16dcbb0edc3135fb938e7f97
  SHA1: dfbe3d053c76582e4f8bc4376da2fe366f0eea04
  SHA256: 414959b916a5536e997ccc5c762fd7fadaad4a3447ce56a0e1ed26fa797e7169
  SHA512: 1f74296ce3da87ab08f1581e698f39c772e1da5d89def5f5b429e4d8cdce03b8fb3354c7f79870bb728e6bfe23cce34a7f11c3b7401bf46f376914d6ccf9e515
- C:\Users\Admin\AppData\Roaming\internet.exe
  MD5: 43095f8e16dcbb0edc3135fb938e7f97
  SHA1: dfbe3d053c76582e4f8bc4376da2fe366f0eea04
  SHA256: 414959b916a5536e997ccc5c762fd7fadaad4a3447ce56a0e1ed26fa797e7169
  SHA512: 1f74296ce3da87ab08f1581e698f39c772e1da5d89def5f5b429e4d8cdce03b8fb3354c7f79870bb728e6bfe23cce34a7f11c3b7401bf46f376914d6ccf9e515
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
  MD5: d9fa34a408b0271bbde549e6be6226a0
  SHA1: fbe59c4051e3707b9f33a9251f410678d2ef0fbb
  SHA256: db9d4e5b496d7c2bb869af17952d51d66f04d01aa05fc185a31a7cba2bd9413c
  SHA512: 36405d93bc152515f83dec16df1a65c94db48efc41638ecf166dd5eeb6792f8a795f075efd310377902033f0da07a1409cb4553a927f820d0b3860ffb6006f85
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
  MD5: d9fa34a408b0271bbde549e6be6226a0
  SHA1: fbe59c4051e3707b9f33a9251f410678d2ef0fbb
  SHA256: db9d4e5b496d7c2bb869af17952d51d66f04d01aa05fc185a31a7cba2bd9413c
  SHA512: 36405d93bc152515f83dec16df1a65c94db48efc41638ecf166dd5eeb6792f8a795f075efd310377902033f0da07a1409cb4553a927f820d0b3860ffb6006f85
- \Users\Admin\AppData\Roaming\Y9cA8bTK55jM6Vs2u1ah.exe
  MD5: 43095f8e16dcbb0edc3135fb938e7f97
  SHA1: dfbe3d053c76582e4f8bc4376da2fe366f0eea04
  SHA256: 414959b916a5536e997ccc5c762fd7fadaad4a3447ce56a0e1ed26fa797e7169
  SHA512: 1f74296ce3da87ab08f1581e698f39c772e1da5d89def5f5b429e4d8cdce03b8fb3354c7f79870bb728e6bfe23cce34a7f11c3b7401bf46f376914d6ccf9e515
- \Users\Admin\AppData\Roaming\internet.exe
  MD5: 43095f8e16dcbb0edc3135fb938e7f97
  SHA1: dfbe3d053c76582e4f8bc4376da2fe366f0eea04
  SHA256: 414959b916a5536e997ccc5c762fd7fadaad4a3447ce56a0e1ed26fa797e7169
  SHA512: 1f74296ce3da87ab08f1581e698f39c772e1da5d89def5f5b429e4d8cdce03b8fb3354c7f79870bb728e6bfe23cce34a7f11c3b7401bf46f376914d6ccf9e515
- memory/1088-73-0x0000000000000000-mapping.dmp
- memory/1532-66-0x0000000000000000-mapping.dmp
- memory/1532-72-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)
- memory/1720-59-0x0000000000000000-mapping.dmp
- memory/1720-63-0x00000000004D0000-0x00000000004D1000-memory.dmp (Filesize: 4KB)
- memory/1840-55-0x0000000076351000-0x0000000076353000-memory.dmp (Filesize: 8KB)
- memory/1840-56-0x0000000002030000-0x0000000002031000-memory.dmp (Filesize: 4KB)