Analysis
max time kernel: 157s
max time network: 173s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-01-2022 22:51
Static task: static1
Behavioral task: behavioral1
  Sample: f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe
  Resource: win10-en-20211208
General
Target: f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe
Size: 141KB
MD5: d8ef1f38ed340d0cd25c8eef8c4751ce
SHA1: a54e7a4c15bb072191adff6676368f75dc3e16fa
SHA256: f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293
SHA512: 8ca363dca8be5942dbe4a45422834267dd088a6b660a2319e1b53712f077a37f0948ab03665965a99b3b105b41870765ce1fec07690b2a83f98c7cfd8fb5535b
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid  | process
  1124 | server.exe
Modifies Windows Firewall (1 TTP)
Drops startup file (2 IoCs)
Processes:
  description                  | ioc                                                                                                                | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\83a85b3692d1381f2323a4ea4cfeb413.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\83a85b3692d1381f2323a4ea4cfeb413.exe | server.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description     | ioc                                                                                                                                                                                                | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83a85b3692d1381f2323a4ea4cfeb413 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."                                      | server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\83a85b3692d1381f2323a4ea4cfeb413 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
  description                       | pid  | process
  Token: SeDebugPrivilege           | 1124 | server.exe
  Token: 33                         | 1124 | server.exe
  Token: SeIncBasePriorityPrivilege | 1124 | server.exe
  Token: 33                         | 1124 | server.exe
  Token: SeIncBasePriorityPrivilege | 1124 | server.exe
  Token: 33                         | 1124 | server.exe
  Token: SeIncBasePriorityPrivilege | 1124 | server.exe
  Token: 33                         | 1124 | server.exe
  Token: SeIncBasePriorityPrivilege | 1124 | server.exe
  Token: 33                         | 1124 | server.exe
  Token: SeIncBasePriorityPrivilege | 1124 | server.exe
  Token: 33                         | 1124 | server.exe
  Token: SeIncBasePriorityPrivilege | 1124 | server.exe
  Token: 33                         | 1124 | server.exe
  Token: SeIncBasePriorityPrivilege | 1124 | server.exe
  Token: 33                         | 1124 | server.exe
  Token: SeIncBasePriorityPrivilege | 1124 | server.exe
  Token: 33                         | 1124 | server.exe
  Token: SeIncBasePriorityPrivilege | 1124 | server.exe
  Token: 33                         | 1124 | server.exe
  Token: SeIncBasePriorityPrivilege | 1124 | server.exe
  Token: 33                         | 1124 | server.exe
  Token: SeIncBasePriorityPrivilege | 1124 | server.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                      | pid  | process                                                               | target process
  PID 2780 wrote to memory of 1124 | 2780 | f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe | server.exe
  PID 2780 wrote to memory of 1124 | 2780 | f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe | server.exe
  PID 1124 wrote to memory of 3680 | 1124 | server.exe                                                            | netsh.exe
  PID 1124 wrote to memory of 3680 | 1124 | server.exe                                                            | netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SYSTEM32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: d8ef1f38ed340d0cd25c8eef8c4751ce
  SHA1: a54e7a4c15bb072191adff6676368f75dc3e16fa
  SHA256: f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293
  SHA512: 8ca363dca8be5942dbe4a45422834267dd088a6b660a2319e1b53712f077a37f0948ab03665965a99b3b105b41870765ce1fec07690b2a83f98c7cfd8fb5535b
C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: d8ef1f38ed340d0cd25c8eef8c4751ce
  SHA1: a54e7a4c15bb072191adff6676368f75dc3e16fa
  SHA256: f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293
  SHA512: 8ca363dca8be5942dbe4a45422834267dd088a6b660a2319e1b53712f077a37f0948ab03665965a99b3b105b41870765ce1fec07690b2a83f98c7cfd8fb5535b
memory/1124-119-0x0000000000D50000-0x0000000000D52000-memory.dmp
  Filesize: 8KB
memory/2780-116-0x0000000002290000-0x0000000002292000-memory.dmp
  Filesize: 8KB