Analysis

- max time kernel: 151s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 06-11-2021 13:36
Static task: static1

Behavioral task: behavioral1
- Sample: 1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
- Resource: win7-en-20211104

Behavioral task: behavioral2
- Sample: 1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
- Resource: win10-en-20211014
General

- Target: 1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
- Size: 162KB
- MD5: 46aafec84dd26ba8e4676b91e7a33b1c
- SHA1: 7b0041322232fb0776c7fec31914049e0f980427
- SHA256: 1a8cd081624acf2e77c9851f2e223e6542971749abecc20029d290ffd40fccde
- SHA512: c136b4745ce1febc97d691a4b0261412cda6a64e0110989bb37938af77cbdd84eb92ac239af29e11172566c6b759cc35bde43845b5f52209f73baeda14a754c6
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1948  Y9cA8bTK55jM6Vs2u1ah.exe
    808   internet.exe

- Modifies Windows Firewall (1 TTP)

- Drops startup file (2 IoCs)
  Processes:
    description                   ioc                                                                                                                    process
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1b5816ba242f2863f6da2fff3128272c.exe  internet.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1b5816ba242f2863f6da2fff3128272c.exe  internet.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                                                                                                                  process
    Set value (str)  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\1b5816ba242f2863f6da2fff3128272c = "\"C:\\Users\\Admin\\AppData\\Roaming\\internet.exe\" .."  internet.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1b5816ba242f2863f6da2fff3128272c = "\"C:\\Users\\Admin\\AppData\\Roaming\\internet.exe\" .."                            internet.exe

- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                                                                                  process
    File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new       1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
    File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new  1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Processes:
    description                        pid   process
    Token: SeDebugPrivilege            2708  1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
    Token: 33                          2708  1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
    Token: SeIncBasePriorityPrivilege  2708  1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
    Token: SeDebugPrivilege            808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe
    Token: 33                          808   internet.exe
    Token: SeIncBasePriorityPrivilege  808   internet.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                    pid   process                                             target process
    PID 2708 wrote to memory of 1948  2708  1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe  Y9cA8bTK55jM6Vs2u1ah.exe
    PID 2708 wrote to memory of 1948  2708  1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe  Y9cA8bTK55jM6Vs2u1ah.exe
    PID 2708 wrote to memory of 1948  2708  1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe  Y9cA8bTK55jM6Vs2u1ah.exe
    PID 1948 wrote to memory of 808   1948  Y9cA8bTK55jM6Vs2u1ah.exe                            internet.exe
    PID 1948 wrote to memory of 808   1948  Y9cA8bTK55jM6Vs2u1ah.exe                            internet.exe
    PID 1948 wrote to memory of 808   1948  Y9cA8bTK55jM6Vs2u1ah.exe                            internet.exe
    PID 808 wrote to memory of 3948   808   internet.exe                                        netsh.exe
    PID 808 wrote to memory of 3948   808   internet.exe                                        netsh.exe
    PID 808 wrote to memory of 3948   808   internet.exe                                        netsh.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Y9cA8bTK55jM6Vs2u1ah.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Y9cA8bTK55jM6Vs2u1ah.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\internet.exe
      Command line: "C:\Users\Admin\AppData\Roaming\internet.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\internet.exe" "internet.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Roaming\Y9cA8bTK55jM6Vs2u1ah.exe
  MD5: 43095f8e16dcbb0edc3135fb938e7f97
  SHA1: dfbe3d053c76582e4f8bc4376da2fe366f0eea04
  SHA256: 414959b916a5536e997ccc5c762fd7fadaad4a3447ce56a0e1ed26fa797e7169
  SHA512: 1f74296ce3da87ab08f1581e698f39c772e1da5d89def5f5b429e4d8cdce03b8fb3354c7f79870bb728e6bfe23cce34a7f11c3b7401bf46f376914d6ccf9e515
- C:\Users\Admin\AppData\Roaming\internet.exe
  MD5: 43095f8e16dcbb0edc3135fb938e7f97
  SHA1: dfbe3d053c76582e4f8bc4376da2fe366f0eea04
  SHA256: 414959b916a5536e997ccc5c762fd7fadaad4a3447ce56a0e1ed26fa797e7169
  SHA512: 1f74296ce3da87ab08f1581e698f39c772e1da5d89def5f5b429e4d8cdce03b8fb3354c7f79870bb728e6bfe23cce34a7f11c3b7401bf46f376914d6ccf9e515
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
  MD5: ee0f046b0a649937bb0251e8d866a7b2
  SHA1: d1f424c5bcfb8dd7b51682a3ff8be5410ecd28a0
  SHA256: 065eea2b0ad58cf09548ae49cbf9ab5b2a0bb6d3f95d6c2def3201e1290b0915
  SHA512: c7481b507ffd2be109cb608173fbbc911da72d2bbbbf1f5aaca5bda6d15e9fff6b9164738882c03a77c30f99768f0ebf1aa5507d16a957103f5606c234d293df

- C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
  MD5: ee0f046b0a649937bb0251e8d866a7b2
  SHA1: d1f424c5bcfb8dd7b51682a3ff8be5410ecd28a0
  SHA256: 065eea2b0ad58cf09548ae49cbf9ab5b2a0bb6d3f95d6c2def3201e1290b0915
  SHA512: c7481b507ffd2be109cb608173fbbc911da72d2bbbbf1f5aaca5bda6d15e9fff6b9164738882c03a77c30f99768f0ebf1aa5507d16a957103f5606c234d293df
Memory dumps:

- memory/808-121-0x0000000000000000-mapping.dmp
- memory/808-125-0x0000000000900000-0x0000000000901000-memory.dmp (Filesize: 4KB)
- memory/1948-116-0x0000000000000000-mapping.dmp
- memory/1948-120-0x0000000002180000-0x0000000002181000-memory.dmp (Filesize: 4KB)
- memory/2708-115-0x0000000000700000-0x000000000084A000-memory.dmp (Filesize: 1.3MB)
- memory/3948-126-0x0000000000000000-mapping.dmp