Analysis
-
max time kernel
156s -
max time network
166s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 02:54
Static task
static1
Behavioral task
behavioral1
Sample
81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Resource
win7-en-20211208
General
-
Target
81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
-
Size
272KB
-
MD5
ec9ccaf9a8e0421748c3460f76289a48
-
SHA1
23aee36ceec415d2ebc48c8cc7ac1c12927bc1f5
-
SHA256
81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9
-
SHA512
bdcdd39418b965d9918a63825daa15fd64e47316b515c472e03f9071beaa40ada6ae003c6448b9349f4298a7e987ed48edea23863b0d7b811cadebb83a5d0568
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
system.exepid process 2144 system.exe -
Drops startup file 1 IoCs
Processes:
81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exedescription ioc process File created C:\Windows\assembly\Desktop.ini 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe File opened for modification C:\Windows\assembly\Desktop.ini 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe -
Drops file in Windows directory 3 IoCs
Processes:
81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exedescription ioc process File opened for modification C:\Windows\assembly 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe File created C:\Windows\assembly\Desktop.ini 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe File opened for modification C:\Windows\assembly\Desktop.ini 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exesystem.exedescription pid process Token: SeDebugPrivilege 2680 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe Token: 33 2680 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe Token: SeIncBasePriorityPrivilege 2680 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe Token: 33 2680 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe Token: SeIncBasePriorityPrivilege 2680 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe Token: 33 2680 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe Token: SeIncBasePriorityPrivilege 2680 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe Token: SeDebugPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2680 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe Token: SeIncBasePriorityPrivilege 2680 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe Token: 33 2144 system.exe Token: SeIncBasePriorityPrivilege 2144 system.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exepid process 2680 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe 2680 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exedescription pid process target process PID 2680 wrote to memory of 2144 2680 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe system.exe PID 2680 wrote to memory of 2144 2680 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe system.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe"C:\Users\Admin\AppData\Local\Temp\81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe"1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\system.exe"C:\Users\Admin\AppData\Local\Temp\system.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
574a3592c32eb216dd587f9251eea990
SHA117438599a6b3d38589344cfd43ea56c69e04401d
SHA256c5c1e31e4f6ac4fc431cf20fe01460ec008329d0b7e757497852cc787556ba99
SHA512a930786f05b663f1fba81bc4b50bbf3046b6c5c555e557b86af283d346c24c9a6f6518c422f94104d6e75e2bb15c68b148e5c7f0e657045c7e2b3c28edffd5bc
-
MD5
574a3592c32eb216dd587f9251eea990
SHA117438599a6b3d38589344cfd43ea56c69e04401d
SHA256c5c1e31e4f6ac4fc431cf20fe01460ec008329d0b7e757497852cc787556ba99
SHA512a930786f05b663f1fba81bc4b50bbf3046b6c5c555e557b86af283d346c24c9a6f6518c422f94104d6e75e2bb15c68b148e5c7f0e657045c7e2b3c28edffd5bc