Analysis
-
max time kernel
29s -
max time network
23s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 18:36
General
-
Target
4b61679662313916b18999fbe63ea2d0163d2b3e6aad16e09aea27cbb97dac9e.exe
-
Size
2.1MB
-
MD5
087d6c8306538655e99a7cbc734152e6
-
SHA1
3f4499b01e23549ce5c2992ffaf098de9ed4cbc6
-
SHA256
4b61679662313916b18999fbe63ea2d0163d2b3e6aad16e09aea27cbb97dac9e
-
SHA512
60b8822d1cff7fb8b82484a50fb195148d9f0d11c5d5d14a9f01c5622a324ec433828087c32416037b0567d68527364d6795bb302575d6b5e739e027ea400b40
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b61679662313916b18999fbe63ea2d0163d2b3e6aad16e09aea27cbb97dac9e.exe"C:\Users\Admin\AppData\Local\Temp\4b61679662313916b18999fbe63ea2d0163d2b3e6aad16e09aea27cbb97dac9e.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts3⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\net.exenet stop MicrosotMaims2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MicrosotMaims3⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosotMaims2⤵
-
C:\Windows\SysWOW64\net.exenet stop MicrosotMais2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MicrosotMais3⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosotMais2⤵
-
C:\Windows\SysWOW64\net.exenet stop lanmanserver /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop lanmanserver /y3⤵
-
C:\Windows\SysWOW64\sc.exesc config lanmanserver start= DISABLED 2>nul2⤵
-
C:\Windows\SysWOW64\sc.exesc delete lanmanserver2⤵
-
C:\Windows\SysWOW64\net.exenet stop mssecsvc2.02⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssecsvc2.03⤵
-
C:\Windows\SysWOW64\sc.exesc delete mssecsvc2.02⤵
-
C:\Windows\SysWOW64\net.exenet stop mssecsvc2.12⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssecsvc2.13⤵
-
C:\Windows\SysWOW64\sc.exesc delete mssecsvc2.12⤵
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe install MicrosotMaims c:\windows\Fonts\conhost.exe2⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set MicrosotMaims DisplayName Network Location Service2⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set MicrosotMaims Description Provides performance library information from Windows Management.2⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe start MicrosotMaims2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"2⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tem.vbsFilesize
275B
MD568416e79c8377392e4b42c88ee39e646
SHA16e5b53d68cd68887b8e79c30ae3250ad4de8c2fe
SHA256369f620f0e615ecc9a2d9512f7e11593c0aafd00f40cbe044bf3300e7d60973b
SHA5125399532b4463afa82b221cb745885ba0ace8f9287902914857ce949ae11c966fcdff41be407498a3a33b350a4b57bee0865e5e636335d54cf639540c77b259fc
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
memory/364-72-0x0000000000000000-mapping.dmp
-
memory/548-77-0x0000000000000000-mapping.dmp
-
memory/584-61-0x0000000000000000-mapping.dmp
-
memory/840-60-0x0000000000000000-mapping.dmp
-
memory/852-70-0x0000000000000000-mapping.dmp
-
memory/892-67-0x0000000000000000-mapping.dmp
-
memory/896-82-0x0000000000000000-mapping.dmp
-
memory/912-78-0x0000000000000000-mapping.dmp
-
memory/1056-81-0x0000000000000000-mapping.dmp
-
memory/1060-80-0x0000000000000000-mapping.dmp
-
memory/1068-63-0x0000000000000000-mapping.dmp
-
memory/1208-64-0x0000000000000000-mapping.dmp
-
memory/1264-65-0x0000000000000000-mapping.dmp
-
memory/1284-66-0x0000000000000000-mapping.dmp
-
memory/1492-59-0x0000000000000000-mapping.dmp
-
memory/1504-57-0x0000000000000000-mapping.dmp
-
memory/1604-74-0x0000000000000000-mapping.dmp
-
memory/1624-79-0x0000000000000000-mapping.dmp
-
memory/1660-62-0x0000000000000000-mapping.dmp
-
memory/1732-58-0x0000000000000000-mapping.dmp
-
memory/1844-54-0x0000000075261000-0x0000000075263000-memory.dmpFilesize
8KB
-
memory/1900-69-0x0000000000000000-mapping.dmp
-
memory/1980-55-0x0000000000000000-mapping.dmp
-
memory/2040-56-0x0000000000000000-mapping.dmp