Analysis
- max time kernel: 151s
- max time network: 39s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:28
Behavioral task
- behavioral1
  Sample: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures
  0 seconds
General
- Target: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
- Size: 658KB
- MD5: 6d6aceaf5c3f2d9c02d292c15e4ff3d6
- SHA1: b92e13064b7693551963909d879f1e9eae57a021
- SHA256: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3
- SHA512: 6a78c45f1dc631f77b2bc5f7e2bc3e7dc31c8aa81f46f549de035616f922c277dce75bf12a710d3be02731e87f649a5cbb36e08226e256a141bad91ba51cfbb9
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
- Disables Task Manager via registry modification
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeSecurityPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeTakeOwnershipPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeLoadDriverPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeSystemProfilePrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeSystemtimePrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeProfSingleProcessPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeIncBasePriorityPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeCreatePagefilePrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeBackupPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeRestorePrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeShutdownPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeDebugPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeSystemEnvironmentPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeChangeNotifyPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeRemoteShutdownPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeUndockPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeManageVolumePrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeImpersonatePrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeCreateGlobalPrivilege | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: 33 | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: 34 | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: 35 | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  pid | process
  240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 240 wrote to memory of 848 | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 240 wrote to memory of 848 | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 240 wrote to memory of 848 | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 240 wrote to memory of 848 | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 240 wrote to memory of 1436 | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 240 wrote to memory of 1436 | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 240 wrote to memory of 1436 | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 240 wrote to memory of 1436 | 240 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 1436 wrote to memory of 1304 | 1436 | cmd.exe | attrib.exe
  PID 1436 wrote to memory of 1304 | 1436 | cmd.exe | attrib.exe
  PID 1436 wrote to memory of 1304 | 1436 | cmd.exe | attrib.exe
  PID 1436 wrote to memory of 1304 | 1436 | cmd.exe | attrib.exe
  PID 848 wrote to memory of 1320 | 848 | cmd.exe | attrib.exe
  PID 848 wrote to memory of 1320 | 848 | cmd.exe | attrib.exe
  PID 848 wrote to memory of 1320 | 848 | cmd.exe | attrib.exe
  PID 848 wrote to memory of 1320 | 848 | cmd.exe | attrib.exe
- System policy modification (1 TTPs, 3 IoCs)
  Processes: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | process
  1320 | attrib.exe
  1304 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe"
  - Modifies firewall policy service
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/240-54-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize: 8KB)
- memory/848-55-0x0000000000000000-mapping.dmp
- memory/1304-57-0x0000000000000000-mapping.dmp
- memory/1320-58-0x0000000000000000-mapping.dmp
- memory/1436-56-0x0000000000000000-mapping.dmp