Analysis
- max time kernel: 3s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 03:41
Static task: static1
Behavioral task: behavioral1
Sample: 244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe
Resource: win7-20220414-en
General
- Target: 244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe
- Size: 5.5MB
- MD5: 42f3db290bdb873ea53f87dd71262d41
- SHA1: 97c643cee498989e193330f0af5b3d5a9d50977b
- SHA256: 244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf
- SHA512: 2ced086d1488f1cda5d0dfbff9b30f1c838896f925bf615c71b26816ba43a2632f74d1da0880eccaf3b4793c3ad44b24063437285995d034d62751e9cc108841
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1288  Injector.exe
    1560  csrss.exe
- Loads dropped DLL (5 IoCs)
  Processes:
    pid   process
    1792  244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe
    1792  244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe
    1792  244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe
    1792  244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe
    1380  cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (2 IoCs)
  Processes:
    pid   process
    268   taskkill.exe
    1820  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1820  taskkill.exe
    Token: SeDebugPrivilege  268   taskkill.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes (identical repeated entries collapsed; the count of each is given in parentheses, 35 in total):
    description                       pid   process                                                                 target process
    PID 1792 wrote to memory of 1268  1792  244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe  WScript.exe   (x4)
    PID 1792 wrote to memory of 1288  1792  244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe  Injector.exe  (x4)
    PID 1268 wrote to memory of 1380  1268  WScript.exe                                                             cmd.exe       (x7)
    PID 1380 wrote to memory of 1820  1380  cmd.exe                                                                 taskkill.exe  (x4)
    PID 1380 wrote to memory of 268   1380  cmd.exe                                                                 taskkill.exe  (x4)
    PID 1380 wrote to memory of 1768  1380  cmd.exe                                                                 reg.exe       (x4)
    PID 1380 wrote to memory of 1084  1380  cmd.exe                                                                 attrib.exe    (x4)
    PID 1380 wrote to memory of 1560  1380  cmd.exe                                                                 csrss.exe     (x4)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes (tree; the bracketed number is the nesting level in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe"
  PID: 1792
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    PID: 1268
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      PID: 1380
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im csrss.exe
        PID: 1820
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im ccsrss.exe
        PID: 268
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        PID: 1768
      - [4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +s +h "C:\Windows\System32\vipcatalog"
        PID: 1084
        Signatures: Views/modifies file attributes
      - [4] C:\Users\Admin\AppData\Local\Temp\csrss.exe
        Command line: "csrss.exe" /silentinstall
        PID: 1560
        Signatures: Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\Injector.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
    PID: 1288
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads