Analysis
- max time kernel: 46s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:38
Behavioral task: behavioral1
- Sample: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
- Resource: win10v2004-20220414-en
General
- Target: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
- Size: 251KB
- MD5: dfa5a24fcaf54c7a0281e86994eba56b
- SHA1: bb3a4e20e147f646c560b95c645f0ac813ab8ef7
- SHA256: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf
- SHA512: efc1e5843f4145563599cf94a983013d986b7bf1f5acb188ab8e9a67e18129c447ad510fe03294ad10924690c79196bbc912acc158e898337880336d36fa1ea6
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\Java" | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\Java" | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeSecurityPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeTakeOwnershipPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeLoadDriverPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeSystemProfilePrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeSystemtimePrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeProfSingleProcessPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeCreatePagefilePrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeBackupPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeRestorePrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeShutdownPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeDebugPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeSystemEnvironmentPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeChangeNotifyPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeRemoteShutdownPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeUndockPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeManageVolumePrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeImpersonatePrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: SeCreateGlobalPrivilege | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: 33 | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: 34 | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Token: 35 | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 1672 wrote to memory of 1028 | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe | cmd.exe
  PID 1672 wrote to memory of 1028 | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe | cmd.exe
  PID 1672 wrote to memory of 1028 | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe | cmd.exe
  PID 1672 wrote to memory of 1028 | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe | cmd.exe
  PID 1672 wrote to memory of 1808 | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe | cmd.exe
  PID 1672 wrote to memory of 1808 | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe | cmd.exe
  PID 1672 wrote to memory of 1808 | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe | cmd.exe
  PID 1672 wrote to memory of 1808 | 1672 | 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe | cmd.exe
  PID 1028 wrote to memory of 1932 | 1028 | cmd.exe | attrib.exe
  PID 1028 wrote to memory of 1932 | 1028 | cmd.exe | attrib.exe
  PID 1028 wrote to memory of 1932 | 1028 | cmd.exe | attrib.exe
  PID 1028 wrote to memory of 1932 | 1028 | cmd.exe | attrib.exe
  PID 1808 wrote to memory of 2012 | 1808 | cmd.exe | attrib.exe
  PID 1808 wrote to memory of 2012 | 1808 | cmd.exe | attrib.exe
  PID 1808 wrote to memory of 2012 | 1808 | cmd.exe | attrib.exe
  PID 1808 wrote to memory of 2012 | 1808 | cmd.exe | attrib.exe
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | process
  1932 | attrib.exe
  2012 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1028-55-0x0000000000000000-mapping.dmp
- memory/1672-54-0x00000000763C1000-0x00000000763C3000-memory.dmp (Filesize: 8KB)
- memory/1808-56-0x0000000000000000-mapping.dmp
- memory/1932-57-0x0000000000000000-mapping.dmp
- memory/2012-58-0x0000000000000000-mapping.dmp