Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:00
Static task: static1
Behavioral task: behavioral1
  Sample: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe
  Resource: win10v2004-20220414-en
General
- Target: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe
- Size: 118KB
- MD5: 9fea48280651d7daede8ff94fddcc39c
- SHA1: ec94b5bc9bdd7e910b7c49992c52daf69f387891
- SHA256: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41
- SHA512: 02d19421ed966cece01d187ab5e8d4a5fcb17b4d4042457c668d40a958e2053bd70525661639da3fb3b02352586bd78edb29f0774653040d96051d0055899298
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 916 Internet Explorer.exe
- Modifies Windows Firewall (1 TTP)
- Loads dropped DLL (2 IoCs)
  Processes: PID 1672 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe (2 occurrences)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: PID 916 Internet Explorer.exe (18 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 916 Internet Explorer.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (source process -> target process):
    PID 1672 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe wrote to memory of PID 916 Internet Explorer.exe (4 occurrences)
    PID 916 Internet Explorer.exe wrote to memory of PID 1412 netsh.exe (4 occurrences)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe (PID 1672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Internet Explorer.exe (PID 916)
    Command line: "C:\Users\Admin\AppData\Roaming\Internet Explorer.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe (PID 1412)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Internet Explorer.exe" "Internet Explorer.exe" ENABLE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Internet Explorer.exe
  Filesize: 118KB
  MD5: 9fea48280651d7daede8ff94fddcc39c
  SHA1: ec94b5bc9bdd7e910b7c49992c52daf69f387891
  SHA256: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41
  SHA512: 02d19421ed966cece01d187ab5e8d4a5fcb17b4d4042457c668d40a958e2053bd70525661639da3fb3b02352586bd78edb29f0774653040d96051d0055899298
- \Users\Admin\AppData\Roaming\Internet Explorer.exe
  Filesize: 118KB
  MD5: 9fea48280651d7daede8ff94fddcc39c
  SHA1: ec94b5bc9bdd7e910b7c49992c52daf69f387891
  SHA256: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41
  SHA512: 02d19421ed966cece01d187ab5e8d4a5fcb17b4d4042457c668d40a958e2053bd70525661639da3fb3b02352586bd78edb29f0774653040d96051d0055899298
- memory/916-58-0x0000000000000000-mapping.dmp
- memory/916-63-0x0000000074F50000-0x00000000754FB000-memory.dmp
  Filesize: 5.7MB
- memory/916-65-0x0000000001FA6000-0x0000000001FB7000-memory.dmp
  Filesize: 68KB
- memory/1412-62-0x0000000000000000-mapping.dmp
- memory/1672-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
  Filesize: 8KB
- memory/1672-55-0x0000000074F50000-0x00000000754FB000-memory.dmp
  Filesize: 5.7MB