Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21-01-2022 22:51
Static task: static1
Behavioral task: behavioral1
- Sample: f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe
- Resource: win10-en-20211208
General
- Target: f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe
- Size: 141KB
- MD5: d8ef1f38ed340d0cd25c8eef8c4751ce
- SHA1: a54e7a4c15bb072191adff6676368f75dc3e16fa
- SHA256: f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293
- SHA512: 8ca363dca8be5942dbe4a45422834267dd088a6b660a2319e1b53712f077a37f0948ab03665965a99b3b105b41870765ce1fec07690b2a83f98c7cfd8fb5535b
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  | pid | process    |
  | 660 | server.exe |
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes:
  | description                  | ioc                                                                                                             | process    |
  | File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\83a85b3692d1381f2323a4ea4cfeb413.exe | server.exe |
  | File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\83a85b3692d1381f2323a4ea4cfeb413.exe | server.exe |
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  | description     | ioc                                                                                                                                                                                                     | process    |
  | Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\83a85b3692d1381f2323a4ea4cfeb413 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83a85b3692d1381f2323a4ea4cfeb413 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."                                          | server.exe |
  Both Run values (per-user hive and HKLM) point at the same copy in %TEMP% and pass a trailing " .." argument; the value name is the same 32-hex-character string used for the Startup-folder file.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is the signature's generic description: nothing else in this report shows file-encryption activity, so read it as drive enumeration only.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (all pid 660, server.exe):
  | token                                   | count |
  | SeDebugPrivilege                        | 1     |
  | 33 (privilege reported by number only)  | 15    |
  | SeIncBasePriorityPrivilege              | 15    |
  In the original list SeDebugPrivilege comes first, followed by fifteen alternating pairs of "33" and SeIncBasePriorityPrivilege.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  | description     | source pid | source process                                                           | target pid | target process | count |
  | wrote to memory | 1724       | f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe | 660        | server.exe     | 3     |
  | wrote to memory | 660        | server.exe                                                               | 988        | netsh.exe      | 3     |
  In each case the writer is the parent of the target in the process tree below.
Processes
1. C:\Users\Admin\AppData\Local\Temp\f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe (pid 1724)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe (pid 660, child of 1724)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe (pid 988, child of 660)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         This is the legacy netsh firewall context (deprecated in favour of netsh advfirewall firewall, but still accepted) being used to whitelist server.exe; it is the activity behind the "Modifies Windows Firewall" signature above.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe (the report lists this entry twice with identical hashes)
  MD5: d8ef1f38ed340d0cd25c8eef8c4751ce
  SHA1: a54e7a4c15bb072191adff6676368f75dc3e16fa
  SHA256: f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293
  SHA512: 8ca363dca8be5942dbe4a45422834267dd088a6b660a2319e1b53712f077a37f0948ab03665965a99b3b105b41870765ce1fec07690b2a83f98c7cfd8fb5535b
  These hashes match the submitted sample exactly, so server.exe is a byte-for-byte copy of the original executable written beside it in %TEMP%, not a distinct second-stage payload; the Startup-folder file and the Run values both point back at this copy.
- memory/660-59 (0x000007FEF28B0000-0x000007FEF3946000): 16.6MB
- memory/660-60 (0x0000000000480000-0x0000000000482000): 8KB
- memory/1724-54 (0x0000000002170000-0x0000000002172000): 8KB
- memory/1724-55 (0x000007FEF2AC0000-0x000007FEF3B56000): 16.6MB
- memory/1724-56 (0x000007FEFC521000-0x000007FEFC523000): 8KB