Analysis
- max time kernel: 149s
- max time network: 60s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:58
Static task: static1
Behavioral task: behavioral1
- Sample: 7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe
- Resource: win10v2004-20220414-en
General
- Target: 7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe
- Size: 93KB
- MD5: 87ab3c97f998f8ed39ed7222fd550778
- SHA1: 8fcd2ac075ef9cba0953686d1702960ac24c3933
- SHA256: 7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6
- SHA512: 87525fb6607882d0b1984f3e5f45021c0b932c1c66fad776cedcb8557a9cb5f391f10ad9c393aed91a53e95e27de72353dad195d78b324884fae775572449a49
Signatures
- Executes dropped EXE (1 IoC)
  Process: svchost.exe, PID 1960
- Modifies Windows Firewall (1 TTP)
  No IoC row is recorded under this signature; the matching action is the netsh.exe command (PID 1388) in the process tree below.
- Drops startup file (4 IoCs)
  Process: svchost.exe (PID 1960)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s), which the sandbox flags as likely ransomware behaviour. This is a generic heuristic with no IoC row recorded; no file encryption activity is listed among this run's signatures.
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Process: svchost.exe, PID 1960
  - SeDebugPrivilege: 1
  - Privilege 33 (raw privilege ID, not resolved to a name by the sandbox): 7
  - SeIncBasePriorityPrivilege: 7
  After the single SeDebugPrivilege enable, the 33 / SeIncBasePriorityPrivilege pair repeats seven times.
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 480 (7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe) wrote to memory of PID 1960 (svchost.exe): 3 times
  - PID 1960 (svchost.exe) wrote to memory of PID 1388 (netsh.exe): 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe (PID 480)
   Command line: "C:\Users\Admin\AppData\Local\Temp\7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1960), child of 1
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe (PID 1388), child of 2
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
Note that the dropped binary is named svchost.exe but runs from the user's %APPDATA% directory rather than C:\Windows\System32, and then uses the legacy netsh firewall syntax to add itself as an allowed program.
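The chain above (sample copies itself to %APPDATA%\svchost.exe, writes svchost.exe and explorer.exe to the user's Startup folder, then runs netsh to add a firewall exception for the copy) maps onto three host-based detections that do not depend on the file hash. The following Python is an added example, not sandbox output or code from this report: the events are constructed here in a Sysmon-like dict schema (an assumption), the list of user-writable prefixes and of system binary names are assumptions, and the handling of the modern `netsh advfirewall firewall add rule ... program=` syntax is a generalisation beyond the legacy command seen in this run.

```python
import ntpath
import re
from typing import Callable, Dict, List, Optional, Set

# Constructed sample telemetry modelled on the process tree and IoCs in the report
# above. Field names follow a Sysmon-like schema (an assumption, not sandbox output).
# The last two events are benign controls that must not fire.
SAMPLE_EVENTS: List[Dict] = [
    {"event": "process_create", "pid": 480, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe"'},
    {"event": "process_create", "pid": 1960, "ppid": 480,
     "image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    {"event": "file_create", "pid": 1960,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"},
    {"event": "file_create", "pid": 1960,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"},
    {"event": "process_create", "pid": 1388, "ppid": 1960,
     "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE'},
    {"event": "process_create", "pid": 700, "ppid": 500,
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"event": "process_create", "pid": 701, "ppid": 500,
     "image": r"C:\Windows\system32\netsh.exe", "cmdline": "netsh interface show interface"},
]

# Assumed lists: names of core Windows binaries that only legitimately run from
# under C:\Windows, and path prefixes a standard user can write to.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

_ALLOW_PATTERNS = (
    # legacy syntax seen in the report: netsh firewall add allowedprogram <path> <name> ENABLE
    re.compile(r'\bfirewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I),
    # modern syntax (added generalisation): netsh advfirewall firewall add rule ... program=<path>
    re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I),
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def rule_masquerading_system_binary(ev: Dict) -> Optional[str]:
    """A process named like a core Windows binary but not running from C:\\Windows."""
    if ev["event"] != "process_create":
        return None
    image = ev["image"]
    if basename(image) in SYSTEM_BINARY_NAMES and not image.lower().startswith("c:\\windows\\"):
        return f"{basename(image)} running from {image}"
    return None


def rule_firewall_exception(ev: Dict) -> Optional[str]:
    """netsh adding an allow rule for a program that lives in a user-writable location."""
    if ev["event"] != "process_create" or basename(ev["image"]) != "netsh.exe":
        return None
    for rx in _ALLOW_PATTERNS:
        m = rx.search(ev["cmdline"])
        if m:
            program = next(g for g in m.groups() if g)
            if is_user_writable(program):
                return f"firewall exception added for user-writable program {program}"
    return None


def rule_startup_folder_drop(ev: Dict) -> Optional[str]:
    """Any file written into a per-user or common Startup folder."""
    if ev["event"] != "file_create":
        return None
    if STARTUP_MARKER in ev["target"].lower():
        return f"file dropped in Startup folder: {ev['target']}"
    return None


RULES: Dict[str, Callable[[Dict], Optional[str]]] = {
    "masquerading_system_binary": rule_masquerading_system_binary,
    "firewall_exception": rule_firewall_exception,
    "startup_folder_drop": rule_startup_folder_drop,
}


def analyze(events: List[Dict]) -> List[Dict]:
    """Run every rule over every event; attach the parent image so the chain is visible."""
    images = {ev["pid"]: ev["image"] for ev in events if ev["event"] == "process_create"}
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append({"rule": name, "pid": ev["pid"],
                                 "parent_image": images.get(ev.get("ppid")), "detail": detail})
    return findings


def pids_by_rule(findings: List[Dict]) -> Dict[str, Set[int]]:
    out: Dict[str, Set[int]] = {}
    for f in findings:
        out.setdefault(f["rule"], set()).add(f["pid"])
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} parent={f['parent_image']}: {f['detail']}")
```

Against the constructed events this yields four findings: the masquerading svchost.exe (PID 1960), the two Startup-folder drops by that process, and the netsh exception (PID 1388) whose parent image is the fake svchost.exe; the genuine C:\Windows\System32\svchost.exe and the read-only netsh invocation produce nothing. The firewall rule is deliberately scoped to user-writable program paths so that legitimate installers adding exceptions for binaries under C:\Program Files do not fire.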
Downloads
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 93KB
  MD5: 87ab3c97f998f8ed39ed7222fd550778
  SHA1: 8fcd2ac075ef9cba0953686d1702960ac24c3933
  SHA256: 7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6
  SHA512: 87525fb6607882d0b1984f3e5f45021c0b932c1c66fad776cedcb8557a9cb5f391f10ad9c393aed91a53e95e27de72353dad195d78b324884fae775572449a49
  Size and all four hashes are identical to the submitted sample (General section above): the sample copies itself unchanged to %APPDATA%\svchost.exe rather than unpacking a distinct payload.
- Memory dumps
  - memory/480-54-0x000007FEF2E80000-0x000007FEF3F16000-memory.dmp (16.6MB)
  - memory/480-55-0x0000000001F96000-0x0000000001FB5000-memory.dmp (124KB)
  - memory/1388-61-0x0000000000000000-mapping.dmp
  - memory/1388-62-0x000007FEFB8E1000-0x000007FEFB8E3000-memory.dmp (8KB)
  - memory/1960-56-0x0000000000000000-mapping.dmp
  - memory/1960-59-0x000007FEF2E80000-0x000007FEF3F16000-memory.dmp (16.6MB)
  - memory/1960-60-0x0000000001EC6000-0x0000000001EE5000-memory.dmp (124KB)
  The same 16.6MB region at 0x000007FEF2E80000 is dumped from both PID 480 and PID 1960, consistent with the two processes being the same binary.