Analysis
- max time kernel: 113s
- max time network: 101s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 00:47
Static task: static1
Behavioral task: behavioral1
  Sample: eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
  Resource: win10v2004-20220414-en
General
- Target: eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
- Size: 3.3MB
- MD5: 2630e21380cd389caa9a31e5b7113ab0
- SHA1: 67dd9f56bb740893b075afcf6572d645e2e31c8d
- SHA256: eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2
- SHA512: 68cc1da89814aa666dab9f57b6414ad2bc3e75659886b9718e2261d6098aa109dbe7a2809956497da11fffe305943511a13e27b96bd364719d4469a04f10ea84
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes:
    pid 564  cmd.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    File opened for modification: \??\PhysicalDrive0  (process: eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes:
    pid 1740  taskkill.exe
- Modifies Internet Explorer settings
  Processes (all by eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe):
    Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
    Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main
    Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl
    Set value (int): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe = "11001"
- Runs ping.exe (1 TTPs, 2 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    Token: SeDebugPrivilege  pid 1740  taskkill.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid 1952  eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
    pid 1952  eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (source PID -> target PID, source process -> target process; identical rows collapsed with a count):
    PID 1952 wrote to memory of 564   eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe -> cmd.exe  (7 times)
    PID 564 wrote to memory of 1740   cmd.exe -> taskkill.exe  (4 times)
    PID 564 wrote to memory of 1940   cmd.exe -> PING.EXE  (4 times)
    PID 564 wrote to memory of 1280   cmd.exe -> PING.EXE  (4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe"
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /PID 1952 /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2 -l 1
      - Runs ping.exe
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2 -l 1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\update.bat
  Filesize: 640B
  MD5: c73fae63658c07ba294bdaa360fa86d0
  SHA1: a4db595ea58e203854b8f1a2a37ef739945a71f5
  SHA256: b88d3c3343370af0f3b518dca6531d8d98e233ef8631b0493ae1da798d900170
  SHA512: b34af77d06e32004d5d0e7bae3ba81698a61a384547539e3652fe60c8e41f5182a54ffef96355e1133ec52dcf87947f0696700695e633ca52c1b31d6fa9dbe07
- memory/564-55-0x0000000000000000-mapping.dmp
- memory/1280-59-0x0000000000000000-mapping.dmp
- memory/1740-57-0x0000000000000000-mapping.dmp
- memory/1940-58-0x0000000000000000-mapping.dmp
- memory/1952-54-0x0000000075801000-0x0000000075803000-memory.dmp
  Filesize: 8KB