Analysis

max time kernel: 150s
max time network: 144s
platform: windows7_x64
resource: win7-en-20211208
submitted: 31-01-2022 04:00
Static task: static1
Behavioral task: behavioral1
Sample: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Resource: win7-en-20211208
General

Target: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Size: 253KB
MD5: 1e3df53f02b103486c1a7bfab4c8281c
SHA1: 68954874ab932ca885cdde3a5f4102dee272fdc5
SHA256: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2
SHA512: 8c9f119c76f8cdef31355b9db00792551f8b376f9fe029985f91c4cd519e283cfde09ac7bee7abf55c789f629da6a9022b2c4e6bd9e3d8e096db39f413134296
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsîft\\svchost.exe" | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe

Executes dropped EXE (1 IoCs)
Processes:
pid | process
1256 | svchost.exe

Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\Microsîft\svchost.exe | upx
\Users\Admin\AppData\Roaming\Microsîft\svchost.exe | upx
C:\Users\Admin\AppData\Roaming\Microsîft\svchost.exe | upx

Loads dropped DLL (2 IoCs)
Processes:
pid | process
1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsîft\\svchost.exe" | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsîft\\svchost.exe" | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
1256 | svchost.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
description | pid | process
Token: SeIncreaseQuotaPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeSecurityPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeTakeOwnershipPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeLoadDriverPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeSystemProfilePrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeSystemtimePrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeProfSingleProcessPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeIncBasePriorityPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeCreatePagefilePrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeBackupPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeRestorePrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeShutdownPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeDebugPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeSystemEnvironmentPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeChangeNotifyPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeRemoteShutdownPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeUndockPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeManageVolumePrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeImpersonatePrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeCreateGlobalPrivilege | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: 33 | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: 34 | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: 35 | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
Token: SeIncreaseQuotaPrivilege | 1256 | svchost.exe
Token: SeSecurityPrivilege | 1256 | svchost.exe
Token: SeTakeOwnershipPrivilege | 1256 | svchost.exe
Token: SeLoadDriverPrivilege | 1256 | svchost.exe
Token: SeSystemProfilePrivilege | 1256 | svchost.exe
Token: SeSystemtimePrivilege | 1256 | svchost.exe
Token: SeProfSingleProcessPrivilege | 1256 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1256 | svchost.exe
Token: SeCreatePagefilePrivilege | 1256 | svchost.exe
Token: SeBackupPrivilege | 1256 | svchost.exe
Token: SeRestorePrivilege | 1256 | svchost.exe
Token: SeShutdownPrivilege | 1256 | svchost.exe
Token: SeDebugPrivilege | 1256 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 1256 | svchost.exe
Token: SeChangeNotifyPrivilege | 1256 | svchost.exe
Token: SeRemoteShutdownPrivilege | 1256 | svchost.exe
Token: SeUndockPrivilege | 1256 | svchost.exe
Token: SeManageVolumePrivilege | 1256 | svchost.exe
Token: SeImpersonatePrivilege | 1256 | svchost.exe
Token: SeCreateGlobalPrivilege | 1256 | svchost.exe
Token: 33 | 1256 | svchost.exe
Token: 34 | 1256 | svchost.exe
Token: 35 | 1256 | svchost.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | process
1256 | svchost.exe

Suspicious use of WriteProcessMemory (35 IoCs)
Processes:
description | pid | process | target process
PID 1620 wrote to memory of 516 | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe | cmd.exe
PID 1620 wrote to memory of 516 | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe | cmd.exe
PID 1620 wrote to memory of 516 | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe | cmd.exe
PID 1620 wrote to memory of 516 | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe | cmd.exe
PID 516 wrote to memory of 432 | 516 | cmd.exe | attrib.exe
PID 516 wrote to memory of 432 | 516 | cmd.exe | attrib.exe
PID 516 wrote to memory of 432 | 516 | cmd.exe | attrib.exe
PID 516 wrote to memory of 432 | 516 | cmd.exe | attrib.exe
PID 1620 wrote to memory of 1256 | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe | svchost.exe
PID 1620 wrote to memory of 1256 | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe | svchost.exe
PID 1620 wrote to memory of 1256 | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe | svchost.exe
PID 1620 wrote to memory of 1256 | 1620 | 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe | svchost.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe
PID 1256 wrote to memory of 1956 | 1256 | svchost.exe | notepad.exe

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes

  [level 2] C:\Users\Admin\AppData\Roaming\Microsîft\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsîft\svchost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsîft\svchost.exe
MD5: 1e3df53f02b103486c1a7bfab4c8281c
SHA1: 68954874ab932ca885cdde3a5f4102dee272fdc5
SHA256: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2
SHA512: 8c9f119c76f8cdef31355b9db00792551f8b376f9fe029985f91c4cd519e283cfde09ac7bee7abf55c789f629da6a9022b2c4e6bd9e3d8e096db39f413134296

\Users\Admin\AppData\Roaming\Microsîft\svchost.exe
MD5: 1e3df53f02b103486c1a7bfab4c8281c
SHA1: 68954874ab932ca885cdde3a5f4102dee272fdc5
SHA256: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2
SHA512: 8c9f119c76f8cdef31355b9db00792551f8b376f9fe029985f91c4cd519e283cfde09ac7bee7abf55c789f629da6a9022b2c4e6bd9e3d8e096db39f413134296

\Users\Admin\AppData\Roaming\Microsîft\svchost.exe
MD5: 1e3df53f02b103486c1a7bfab4c8281c
SHA1: 68954874ab932ca885cdde3a5f4102dee272fdc5
SHA256: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2
SHA512: 8c9f119c76f8cdef31355b9db00792551f8b376f9fe029985f91c4cd519e283cfde09ac7bee7abf55c789f629da6a9022b2c4e6bd9e3d8e096db39f413134296

memory/1256-80-0x0000000000250000-0x0000000000251000-memory.dmp
Filesize: 4KB

memory/1620-54-0x0000000076641000-0x0000000076643000-memory.dmp
Filesize: 8KB

memory/1620-55-0x0000000000240000-0x0000000000241000-memory.dmp
Filesize: 4KB

memory/1956-60-0x0000000000080000-0x0000000000081000-memory.dmp
Filesize: 4KB

memory/1956-81-0x00000000002F0000-0x00000000002F1000-memory.dmp
Filesize: 4KB