Analysis
- max time kernel: 148s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 02-12-2021 08:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: Attached Details.exe
- Resource: win7-en-20211104
General
- Target: Attached Details.exe
- Size: 537KB
- MD5: be45f415c556a8772077f9c60ea9cbf8
- SHA1: 9bc8f15e06e5d5cb7baa875d7b30685e049cc683
- SHA256: edca5671042af86bafb53a556aace35639b5ccabd30efe4d7e4a5baa61040a3d
- SHA512: 2e04d7a57fa1d5ce4612cd21fd265aebe70a260b2ec81400ec78bbd86b8b443a9de6f647100c5dfa49279e3d2d42c5c4c2954269a86b6ba7081de3dffaef8925
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion / Attached Details.exe
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion / Attached Details.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum / Attached Details.exe
  - Key value queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 / Attached Details.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid / pid_target / process / target process):
  - 856 / 976 / WerFault.exe / Attached Details.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
  - 856 / WerFault.exe (reported 5 times)
  - 868 / powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid / process):
  - 856 / WerFault.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 856 / WerFault.exe
  - Token: SeDebugPrivilege / 868 / powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  - PID 976 wrote to memory of 868 / 976 / Attached Details.exe / powershell.exe (reported 4 times)
  - PID 976 wrote to memory of 856 / 976 / Attached Details.exe / WerFault.exe (reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Attached Details.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Attached Details.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Attached Details.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1088
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/856-62-0x0000000000000000-mapping.dmp
- memory/856-66-0x0000000000500000-0x0000000000501000-memory.dmp (Filesize: 4KB)
- memory/868-60-0x0000000000000000-mapping.dmp
- memory/868-61-0x0000000075C51000-0x0000000075C53000-memory.dmp (Filesize: 8KB)
- memory/868-63-0x00000000022F0000-0x00000000022F1000-memory.dmp (Filesize: 4KB)
- memory/868-64-0x00000000022F1000-0x00000000022F2000-memory.dmp (Filesize: 4KB)
- memory/868-65-0x00000000022F2000-0x00000000022F4000-memory.dmp (Filesize: 8KB)
- memory/976-55-0x0000000000E90000-0x0000000000E91000-memory.dmp (Filesize: 4KB)
- memory/976-57-0x0000000004CD0000-0x0000000004CD1000-memory.dmp (Filesize: 4KB)
- memory/976-58-0x00000000003E0000-0x00000000003E8000-memory.dmp (Filesize: 32KB)
- memory/976-59-0x0000000005160000-0x00000000051D2000-memory.dmp (Filesize: 456KB)