Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 23:22

Static task: static1
Behavioral task: behavioral1
  Sample: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
  Resource: win10v2004-20220414-en
General
Target: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
Size: 32KB
MD5: f895f2c00c328e2d2a7bce695c63020f
SHA1: 6eea1cbe833845785c800348b5293ff6a1b8cb7a
SHA256: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181
SHA512: 3f351e7f3943c64c1e99eb03c92af8243589b2ff661b4fbf5f1a91af2db257c3209ac71014027ce5663e48e4b9d8c03ae29cf87bbd2d3fa5ee9289572cd0904e
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1220 | server.exe

Modifies Windows Firewall (1 TTP)

Drops startup file (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a684bb567bad75f3e8c3ee386f57b056.exe | server.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a684bb567bad75f3e8c3ee386f57b056.exe | server.exe

Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    836 | a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\a684bb567bad75f3e8c3ee386f57b056 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a684bb567bad75f3e8c3ee386f57b056 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    836 | a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
    836 | a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe

Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 836 | a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
    Token: SeDebugPrivilege | 1220 | server.exe
    Token: 33 | 1220 | server.exe
    Token: SeIncBasePriorityPrivilege | 1220 | server.exe
    (the preceding pair of rows, Token: 33 followed by Token: SeIncBasePriorityPrivilege, is repeated 15 times in total for pid 1220 server.exe, giving the 30 remaining IoCs)

Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 836 wrote to memory of 1220 | 836 | a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe | server.exe
    PID 836 wrote to memory of 1220 | 836 | a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe | server.exe
    PID 836 wrote to memory of 1220 | 836 | a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe | server.exe
    PID 836 wrote to memory of 1220 | 836 | a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe | server.exe
    PID 1220 wrote to memory of 1548 | 1220 | server.exe | netsh.exe
    PID 1220 wrote to memory of 1548 | 1220 | server.exe | netsh.exe
    PID 1220 wrote to memory of 1548 | 1220 | server.exe | netsh.exe
    PID 1220 wrote to memory of 1548 | 1220 | server.exe | netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\server.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\server.exe (listed twice in the report)
  Filesize: 32KB
  MD5: f895f2c00c328e2d2a7bce695c63020f
  SHA1: 6eea1cbe833845785c800348b5293ff6a1b8cb7a
  SHA256: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181
  SHA512: 3f351e7f3943c64c1e99eb03c92af8243589b2ff661b4fbf5f1a91af2db257c3209ac71014027ce5663e48e4b9d8c03ae29cf87bbd2d3fa5ee9289572cd0904e

\Users\Admin\AppData\Roaming\server.exe
  Filesize: 32KB
  MD5: f895f2c00c328e2d2a7bce695c63020f
  SHA1: 6eea1cbe833845785c800348b5293ff6a1b8cb7a
  SHA256: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181
  SHA512: 3f351e7f3943c64c1e99eb03c92af8243589b2ff661b4fbf5f1a91af2db257c3209ac71014027ce5663e48e4b9d8c03ae29cf87bbd2d3fa5ee9289572cd0904e

memory/836-54-0x0000000075721000-0x0000000075723000-memory.dmp
  Filesize: 8KB

memory/836-55-0x00000000744D0000-0x0000000074A7B000-memory.dmp
  Filesize: 5.7MB

memory/1220-57-0x0000000000000000-mapping.dmp

memory/1220-61-0x00000000744D0000-0x0000000074A7B000-memory.dmp
  Filesize: 5.7MB

memory/1548-62-0x0000000000000000-mapping.dmp