Analysis
- max time kernel: 43s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-05-2022 14:52
Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20220414-en
General
- Target: tmp.exe
- Size: 3.8MB
- MD5: af472706053409a5478d0fe3a71c601b
- SHA1: b4226313a464857f5a5ee2bc7ba976c23ee44729
- SHA256: f7e9080ca25ee0e68a9f7b1557dd8e5ebed57777c83186742ab3489706c30b21
- SHA512: 5a23bd12d8eefdf06203c9d7fce9efa95092159f084cae79d27811699c21067783d7afe5350cbf2a26e0852d8bb009b5656b5e672a40b6bbe872b6d5283eb1ed
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    908   tmp.tmp
- Loads dropped DLL (4 IoCs)
  Processes:
    pid   process
    1488  tmp.exe
    908   tmp.tmp
    908   tmp.tmp
    908   tmp.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    908   tmp.tmp
    908   tmp.tmp
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   908   tmp.tmp
    Token: SeDebugPrivilege   908   tmp.tmp
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description                        pid   process   target process
    PID 1488 wrote to memory of 908    1488  tmp.exe   tmp.tmp
    PID 1488 wrote to memory of 908    1488  tmp.exe   tmp.tmp
    PID 1488 wrote to memory of 908    1488  tmp.exe   tmp.tmp
    PID 1488 wrote to memory of 908    1488  tmp.exe   tmp.tmp
    PID 1488 wrote to memory of 908    1488  tmp.exe   tmp.tmp
    PID 1488 wrote to memory of 908    1488  tmp.exe   tmp.tmp
    PID 1488 wrote to memory of 908    1488  tmp.exe   tmp.tmp
    PID 908 wrote to memory of 936     908   tmp.tmp   net.exe
    PID 908 wrote to memory of 936     908   tmp.tmp   net.exe
    PID 908 wrote to memory of 936     908   tmp.tmp   net.exe
    PID 908 wrote to memory of 936     908   tmp.tmp   net.exe
    PID 936 wrote to memory of 1984    936   net.exe   net1.exe
    PID 936 wrote to memory of 1984    936   net.exe   net1.exe
    PID 936 wrote to memory of 1984    936   net.exe   net1.exe
    PID 936 wrote to memory of 1984    936   net.exe   net1.exe
Processes (process tree; indentation shows parent/child depth)
- [1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\is-26KBT.tmp\tmp.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-26KBT.tmp\tmp.tmp" /SL5="$60124,3722629,56832,C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\System32\net.exe" stop routerService
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop routerService
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\is-26KBT.tmp\tmp.tmp
  Filesize: 691KB
  MD5: 9303156631ee2436db23827e27337be4
  SHA1: 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
  SHA256: bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
  SHA512: 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
- \Users\Admin\AppData\Local\Temp\is-1GUBP.tmp\_isetup\_shfoldr.dll
  Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
- \Users\Admin\AppData\Local\Temp\is-1GUBP.tmp\uninstall.dll
  Filesize: 375KB
  MD5: 5efac3416a1e01008e3b3fe3f0cc17f5
  SHA1: f803065bf98b7f7449897f90ae666ad0cd8a9e4b
  SHA256: 81816fcbaa62d9a89bf27ab2e2eb0b3fe0201f83d2139fda491708e7456ab0ba
  SHA512: ce90b01e2696156743527be8bb5f098a748d405a9b6f783c41d5f0c2b312d7945d9bb4dc95c5504e7795ec348ad7ec0697f9ff2ed3495256340714be1e6733fe
- memory/908-58-0x0000000000000000-mapping.dmp
- memory/936-64-0x0000000000000000-mapping.dmp
- memory/1488-54-0x0000000075271000-0x0000000075273000-memory.dmp
  Filesize: 8KB
- memory/1488-55-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/1488-66-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/1984-65-0x0000000000000000-mapping.dmp