Analysis
max time kernel: 155s
max time network: 157s
platform: windows7_x64
resource: win7-en-20211208
submitted: 22/01/2022, 01:11
Static task: static1
Behavioral task: behavioral1
    Sample: a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe
    Resource: win7-en-20211208
Behavioral task: behavioral2
    Sample: a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe
    Resource: win10-en-20211208
General
Target: a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe
Size: 855KB
MD5: 96aaf9d1fb5128f7bf74af569c547a71
SHA1: 078621841d45a72b5db5c45bb0bc8872d051acaa
SHA256: a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0
SHA512: ab14e9cb092e5998125c3c2673c32cf1ff4b544bd56acf49d4f0763d3ccde05f72d0e7c3573ef169ed4d40dc779419fd01be4490039c0e9eac459768d80234c1
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\j68QmrzfeBZIXLKG\\dEx1TdOVUAJc.exe\",explorer.exe"
    Process: a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\j68QmrzfeBZIXLKG\\btscqmOwyEV5.exe\",explorer.exe"
    Process: a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe

Executes dropped EXE (1 IoC)
    pid: 1384
    Process: a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe

Deletes itself (1 IoC)
    pid: 1868
    Process: cmd.exe

Loads dropped DLL (1 IoC)
    pid: 1296
    Process: a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe

Adds Run key to start application (2 TTPs, 1 IoC)
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinStartup = "C:\\Users\\Admin\\AppData\\Roaming\\WinStartup\\WinHostProcess.exe"
    Process: a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
    pid: 1652
    Process: PING.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid: 1384
    Process: a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
    description                          pid   Process
    Token: SeDebugPrivilege              1296  a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe  (2 entries)
    Token: SeDebugPrivilege              1384  a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe  (3 entries)
    Token: 33                            1384  a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe
    Token: SeIncBasePriorityPrivilege    1384  a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe

Suspicious use of SetWindowsHookEx (1 IoC)
    pid: 1384
    Process: a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe

Suspicious use of WriteProcessMemory (12 IoCs)
    description                         pid   Process                                                                procid_target
    PID 1296 wrote to memory of 1384    1296  a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe  27  (4 entries)
    PID 1296 wrote to memory of 1868    1296  a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe  28  (4 entries)
    PID 1868 wrote to memory of 1652    1868  cmd.exe                                                                30  (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1296

   2. C:\Users\Admin\AppData\Local\Temp\a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0\a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0\a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 1384

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a633aeabdd9695dfff9ce5c5a350a6b9af55e9fb88a5ed3c3c150b4bceeb5cc0.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1868

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 1000
         - Runs ping.exe
         PID: 1652