Analysis
- max time kernel: 151s
- max time network: 184s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:56
- Static task: static1
- Behavioral task: behavioral1
- Sample: 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe
- Resource: win7-20220414-en
General
- Target: 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe
- Size: 157KB
- MD5: 182e2cce08ee92c62f64752aaa23c369
- SHA1: e47112a7f7ce5c3105249f043bb809daf490b7d8
- SHA256: 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6
- SHA512: b66d06c7862641351c12b2c91cca3be32b1a8d35e9525e1447b14385b8dc81129f93b10b58ba6058de88818bc9209a6d54be24b4b8a0dda7cf9b53b0b19e4f6a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 1036, process svchost.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes:
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5934cc70b7761544be3a5ffb07586caa.exe (process: svchost.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5934cc70b7761544be3a5ffb07586caa.exe (process: svchost.exe)
- Loads dropped DLL (1 IoC)
  Processes:
  - pid 1628, process 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1036, svchost.exe
  - Token: 33, 1036, svchost.exe
  - Token: SeIncBasePriorityPrivilege, 1036, svchost.exe
  - Token: 33, 1036, svchost.exe
  - Token: SeIncBasePriorityPrivilege, 1036, svchost.exe
  - Token: 33, 1036, svchost.exe
  - Token: SeIncBasePriorityPrivilege, 1036, svchost.exe
  - Token: 33, 1036, svchost.exe
  - Token: SeIncBasePriorityPrivilege, 1036, svchost.exe
  - Token: 33, 1036, svchost.exe
  - Token: SeIncBasePriorityPrivilege, 1036, svchost.exe
  - Token: 33, 1036, svchost.exe
  - Token: SeIncBasePriorityPrivilege, 1036, svchost.exe
  - Token: 33, 1036, svchost.exe
  - Token: SeIncBasePriorityPrivilege, 1036, svchost.exe
  - Token: 33, 1036, svchost.exe
  - Token: SeIncBasePriorityPrivilege, 1036, svchost.exe
  - Token: 33, 1036, svchost.exe
  - Token: SeIncBasePriorityPrivilege, 1036, svchost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 1628 wrote to memory of 1036, 1628, 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe, svchost.exe
  - PID 1628 wrote to memory of 1036, 1628, 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe, svchost.exe
  - PID 1628 wrote to memory of 1036, 1628, 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe, svchost.exe
  - PID 1628 wrote to memory of 1036, 1628, 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe, svchost.exe
  - PID 1036 wrote to memory of 884, 1036, svchost.exe, netsh.exe
  - PID 1036 wrote to memory of 884, 1036, svchost.exe, netsh.exe
  - PID 1036 wrote to memory of 884, 1036, svchost.exe, netsh.exe
  - PID 1036 wrote to memory of 884, 1036, svchost.exe, netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe (depth 1, PID 1628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe (depth 2, PID 1036)
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3, PID 884)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 157KB
  MD5: 182e2cce08ee92c62f64752aaa23c369
  SHA1: e47112a7f7ce5c3105249f043bb809daf490b7d8
  SHA256: 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6
  SHA512: b66d06c7862641351c12b2c91cca3be32b1a8d35e9525e1447b14385b8dc81129f93b10b58ba6058de88818bc9209a6d54be24b4b8a0dda7cf9b53b0b19e4f6a
- \Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 157KB
  MD5: 182e2cce08ee92c62f64752aaa23c369
  SHA1: e47112a7f7ce5c3105249f043bb809daf490b7d8
  SHA256: 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6
  SHA512: b66d06c7862641351c12b2c91cca3be32b1a8d35e9525e1447b14385b8dc81129f93b10b58ba6058de88818bc9209a6d54be24b4b8a0dda7cf9b53b0b19e4f6a
- memory/884-62-0x0000000000000000-mapping.dmp
- memory/1036-57-0x0000000000000000-mapping.dmp
- memory/1036-61-0x0000000074690000-0x0000000074C3B000-memory.dmp
  Filesize: 5.7MB
- memory/1628-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
  Filesize: 8KB
- memory/1628-55-0x0000000074690000-0x0000000074C3B000-memory.dmp
  Filesize: 5.7MB