Analysis
-
max time kernel
4294205s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220310-en -
submitted
23-03-2022 21:00
General
-
Target
6.exe
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 7 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs
-
suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
System policy modification 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Favorites\spoolsv.exe"C:\ProgramData\Favorites\spoolsv.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ProgramData\Favorites\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\capisp\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\10\6.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6" /sc ONLOGON /tr "'C:\Windows\IME\de-DE\6.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\SyncCenter\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\Admin\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\WiaExtensionHost64\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Favorites\spoolsv.exeFilesize
564KB
MD5748a4bea8c0624a4c7a69f67263e0839
SHA16955b7d516df38992ac6bff9d0b0f5df150df859
SHA256220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e
SHA5125fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd
-
C:\Users\Public\Favorites\spoolsv.exeFilesize
564KB
MD5748a4bea8c0624a4c7a69f67263e0839
SHA16955b7d516df38992ac6bff9d0b0f5df150df859
SHA256220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e
SHA5125fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd
-
memory/1636-54-0x00000000001D0000-0x0000000000264000-memory.dmpFilesize
592KB
-
memory/1636-55-0x000000001B000000-0x000000001B002000-memory.dmpFilesize
8KB
-
memory/1636-56-0x00000000003E0000-0x00000000003EC000-memory.dmpFilesize
48KB
-
memory/1636-57-0x00000000003F0000-0x00000000003FA000-memory.dmpFilesize
40KB
-
memory/1636-58-0x0000000000420000-0x000000000042C000-memory.dmpFilesize
48KB
-
memory/1636-59-0x0000000000410000-0x000000000041C000-memory.dmpFilesize
48KB
-
memory/1984-60-0x0000000000000000-mapping.dmp
-
memory/1984-63-0x00000000002E0000-0x0000000000374000-memory.dmpFilesize
592KB
-
memory/1984-64-0x000000001B060000-0x000000001B062000-memory.dmpFilesize
8KB