Analysis
- max time kernel: 4265059s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 15-01-2022 01:58

Static task: static1
Behavioral task: behavioral1
Sample: 17a6638d6a4ae2a8d8a70746cdd8ea5992b71bd3c7997652e9b2f1f15d25b8b4.exe
Resource: win10v2004-en-20220112
General
- Target: 17a6638d6a4ae2a8d8a70746cdd8ea5992b71bd3c7997652e9b2f1f15d25b8b4.exe
- Size: 12.5MB
- MD5: 6851a3346e8ac3d2bf0fcf6866b03b67
- SHA1: 06137a14a871c66d64d3db247980ce35e75945a0
- SHA256: 17a6638d6a4ae2a8d8a70746cdd8ea5992b71bd3c7997652e9b2f1f15d25b8b4
- SHA512: ea59764dc0aa3afafdbf1e4c1a8ccfc209ebd7592cd49a13aa2ea03b512cbda1d8f1fcc4eefd1a81e373b41035cfc2fd289b959951cbb7551a59e2e8e40a02c3
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  Processes (17a6638d6a4ae2a8d8a70746cdd8ea5992b71bd3c7997652e9b2f1f15d25b8b4.exe):
    pid   process
    3768  17a6638d6a4ae2a8d8a70746cdd8ea5992b71bd3c7997652e9b2f1f15d25b8b4.exe
    3768  17a6638d6a4ae2a8d8a70746cdd8ea5992b71bd3c7997652e9b2f1f15d25b8b4.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (MusNotification.exe):
    description        ioc                                                                      process
    Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0         MusNotification.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    MusNotification.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (MusNotification.exe):
    description                        pid   process
    Token: SeShutdownPrivilege         2544  MusNotification.exe
    Token: SeCreatePagefilePrivilege   2544  MusNotification.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\17a6638d6a4ae2a8d8a70746cdd8ea5992b71bd3c7997652e9b2f1f15d25b8b4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17a6638d6a4ae2a8d8a70746cdd8ea5992b71bd3c7997652e9b2f1f15d25b8b4.exe"
  - Loads dropped DLL
- C:\Windows\system32\MusNotification.exe
  Command line: C:\Windows\system32\MusNotification.exe
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\nss6172.tmp\System.dll
  MD5: 2e025e2cee2953cce0160c3cd2e1a64e
  SHA1: dec3da040ea72d63528240598bf14f344efb2a76
  SHA256: d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5
  SHA512: 3cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860
- C:\Users\Admin\AppData\Local\Temp\nss6172.tmp\nsDialogs.dll
  MD5: 65373b20dbff5c3834548dd7330bb0c1
  SHA1: 18a160aa0ba10be95f7a95b244c3bf02a3bbfcd6
  SHA256: 57a001c9770c864f983aa33e4c81e60cac4335b83dc036e269f0727a629dd221
  SHA512: 4634b60a83f2524050970ac6c991f4dbfdbbd98a1173415dbb46fe6c8932b1cb2a758ba77d0c8eae5c6134d899135ea4094023f1145b6b5ee78d3728ebd8ef4a