Analysis
-
max time kernel
150s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 18:33
Static task
static1
Behavioral task
behavioral1
Sample
a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Resource
win7-20220414-en
General
-
Target
a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
-
Size
252KB
-
MD5
532a6afb45c841f08a0ff9f104559334
-
SHA1
2fe9463e271b50907d72174992f4adf5c5c5eace
-
SHA256
a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62
-
SHA512
313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\proverka_stiller.exe" a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe -
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
proverka_stiller.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile proverka_stiller.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" proverka_stiller.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" proverka_stiller.exe -
Executes dropped EXE 1 IoCs
Processes:
proverka_stiller.exepid process 924 proverka_stiller.exe -
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe upx \Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe upx C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe upx C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe upx -
Loads dropped DLL 2 IoCs
Processes:
a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exepid process 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\proverka_stiller.exe" a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exeproverka_stiller.exedescription pid process Token: SeIncreaseQuotaPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeSecurityPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeTakeOwnershipPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeLoadDriverPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeSystemProfilePrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeSystemtimePrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeProfSingleProcessPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeIncBasePriorityPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeCreatePagefilePrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeBackupPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeRestorePrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeShutdownPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeDebugPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeSystemEnvironmentPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeChangeNotifyPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeRemoteShutdownPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeUndockPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeManageVolumePrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeImpersonatePrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeCreateGlobalPrivilege 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: 33 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: 34 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: 35 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe Token: SeIncreaseQuotaPrivilege 924 proverka_stiller.exe Token: SeSecurityPrivilege 924 proverka_stiller.exe Token: SeTakeOwnershipPrivilege 924 proverka_stiller.exe Token: SeLoadDriverPrivilege 924 proverka_stiller.exe Token: SeSystemProfilePrivilege 924 proverka_stiller.exe Token: SeSystemtimePrivilege 924 proverka_stiller.exe Token: SeProfSingleProcessPrivilege 924 proverka_stiller.exe Token: SeIncBasePriorityPrivilege 924 proverka_stiller.exe Token: SeCreatePagefilePrivilege 924 proverka_stiller.exe Token: SeBackupPrivilege 924 proverka_stiller.exe Token: SeRestorePrivilege 924 proverka_stiller.exe Token: SeShutdownPrivilege 924 proverka_stiller.exe Token: SeDebugPrivilege 924 proverka_stiller.exe Token: SeSystemEnvironmentPrivilege 924 proverka_stiller.exe Token: SeChangeNotifyPrivilege 924 proverka_stiller.exe Token: SeRemoteShutdownPrivilege 924 proverka_stiller.exe Token: SeUndockPrivilege 924 proverka_stiller.exe Token: SeManageVolumePrivilege 924 proverka_stiller.exe Token: SeImpersonatePrivilege 924 proverka_stiller.exe Token: SeCreateGlobalPrivilege 924 proverka_stiller.exe Token: 33 924 proverka_stiller.exe Token: 34 924 proverka_stiller.exe Token: 35 924 proverka_stiller.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
proverka_stiller.exepid process 924 proverka_stiller.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exedescription pid process target process PID 1744 wrote to memory of 924 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe proverka_stiller.exe PID 1744 wrote to memory of 924 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe proverka_stiller.exe PID 1744 wrote to memory of 924 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe proverka_stiller.exe PID 1744 wrote to memory of 924 1744 a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe proverka_stiller.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe"C:\Users\Admin\AppData\Local\Temp\a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe"C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe"2⤵
- Modifies firewall policy service
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exeFilesize
252KB
MD5532a6afb45c841f08a0ff9f104559334
SHA12fe9463e271b50907d72174992f4adf5c5c5eace
SHA256a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62
SHA512313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4
-
C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exeFilesize
252KB
MD5532a6afb45c841f08a0ff9f104559334
SHA12fe9463e271b50907d72174992f4adf5c5c5eace
SHA256a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62
SHA512313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4
-
\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exeFilesize
252KB
MD5532a6afb45c841f08a0ff9f104559334
SHA12fe9463e271b50907d72174992f4adf5c5c5eace
SHA256a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62
SHA512313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4
-
\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exeFilesize
252KB
MD5532a6afb45c841f08a0ff9f104559334
SHA12fe9463e271b50907d72174992f4adf5c5c5eace
SHA256a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62
SHA512313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4
-
memory/924-57-0x0000000000000000-mapping.dmp
-
memory/1744-54-0x0000000075761000-0x0000000075763000-memory.dmpFilesize
8KB