Analysis
- Max time kernel: 151s
- Max time network: 161s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 20-05-2022 22:49
Static task: static1
Behavioral task: behavioral1
- Sample: 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
- Resource: win10v2004-20220414-en
General
- Target: 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
- Size: 181KB
- MD5: 33caaaa642770f60f9298e627ac2a70e
- SHA1: b79349e8ef626045d86d3d099d4ad6cf58d6c7c0
- SHA256: 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f
- SHA512: 4aaf1835f7909672d8356e7b4bbb06391be57030d98fd3e9bbe3bed42720dd001d8c32a64f1e197156d0365551ab3004ee1e01554f5bbf99b246f9d06fed3d64
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 844, process server.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (server.exe):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\db7cacf80649a64239b0e12870c9e1a0.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\db7cacf80649a64239b0e12870c9e1a0.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid 1636, process 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (server.exe):
    Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\db7cacf80649a64239b0e12870c9e1a0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\db7cacf80649a64239b0e12870c9e1a0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 1636, process 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (28 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 1636, 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
    Token: SeDebugPrivilege, pid 844, server.exe
    Token: 33 followed by Token: SeIncBasePriorityPrivilege, pid 844, server.exe (pair repeated 13 times, 26 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 1636 (767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe) wrote to memory of 844 (server.exe), 4 events
    PID 844 (server.exe) wrote to memory of 1500 (netsh.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\server.exe
  Filesize: 181KB
  MD5: 33caaaa642770f60f9298e627ac2a70e
  SHA1: b79349e8ef626045d86d3d099d4ad6cf58d6c7c0
  SHA256: 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f
  SHA512: 4aaf1835f7909672d8356e7b4bbb06391be57030d98fd3e9bbe3bed42720dd001d8c32a64f1e197156d0365551ab3004ee1e01554f5bbf99b246f9d06fed3d64
- \Users\Admin\AppData\Roaming\server.exe
  Filesize: 181KB
  MD5: 33caaaa642770f60f9298e627ac2a70e
  SHA1: b79349e8ef626045d86d3d099d4ad6cf58d6c7c0
  SHA256: 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f
  SHA512: 4aaf1835f7909672d8356e7b4bbb06391be57030d98fd3e9bbe3bed42720dd001d8c32a64f1e197156d0365551ab3004ee1e01554f5bbf99b246f9d06fed3d64
- memory/844-57-0x0000000000000000-mapping.dmp
- memory/844-61-0x0000000074790000-0x0000000074D3B000-memory.dmp
  Filesize: 5.7MB
- memory/1500-62-0x0000000000000000-mapping.dmp
- memory/1636-54-0x0000000076011000-0x0000000076013000-memory.dmp
  Filesize: 8KB
- memory/1636-55-0x0000000074D40000-0x00000000752EB000-memory.dmp
  Filesize: 5.7MB