Analysis
max time kernel: 150s
max time network: 46s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 19:16
Behavioral task
behavioral1
Sample: 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Resource: win7-20220414-en
Platform: windows7_x64
0 signatures
0 seconds
General
Target: 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Size: 690KB
MD5: 4f2ac7edd1bda1c4e4d629b42ce590ef
SHA1: 8eb7ad9073f82112d2327b85dc47813666dda5a6
SHA256: 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f
SHA512: f22625988d8d284a5212e458a2593950c3e3f8a6667bee246e4be281e2a057d9b642085ad9afb7f9cd647eb4360c214b4de71fc09e6821ab4985a10888e12d55
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | iexplore.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | iexplore.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | iexplore.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Disables RegEdit via registry modification

Disables Task Manager via registry modification
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 748 set thread context of 2016 | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe | iexplore.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
2016 | iexplore.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
description | pid | process
Token: SeIncreaseQuotaPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeSecurityPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeTakeOwnershipPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeLoadDriverPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeSystemProfilePrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeSystemtimePrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeProfSingleProcessPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeIncBasePriorityPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeCreatePagefilePrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeBackupPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeRestorePrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeShutdownPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeDebugPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeSystemEnvironmentPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeChangeNotifyPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeRemoteShutdownPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeUndockPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeManageVolumePrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeImpersonatePrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeCreateGlobalPrivilege | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: 33 | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: 34 | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: 35 | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
Token: SeIncreaseQuotaPrivilege | 2016 | iexplore.exe
Token: SeSecurityPrivilege | 2016 | iexplore.exe
Token: SeTakeOwnershipPrivilege | 2016 | iexplore.exe
Token: SeLoadDriverPrivilege | 2016 | iexplore.exe
Token: SeSystemProfilePrivilege | 2016 | iexplore.exe
Token: SeSystemtimePrivilege | 2016 | iexplore.exe
Token: SeProfSingleProcessPrivilege | 2016 | iexplore.exe
Token: SeIncBasePriorityPrivilege | 2016 | iexplore.exe
Token: SeCreatePagefilePrivilege | 2016 | iexplore.exe
Token: SeBackupPrivilege | 2016 | iexplore.exe
Token: SeRestorePrivilege | 2016 | iexplore.exe
Token: SeShutdownPrivilege | 2016 | iexplore.exe
Token: SeDebugPrivilege | 2016 | iexplore.exe
Token: SeSystemEnvironmentPrivilege | 2016 | iexplore.exe
Token: SeChangeNotifyPrivilege | 2016 | iexplore.exe
Token: SeRemoteShutdownPrivilege | 2016 | iexplore.exe
Token: SeUndockPrivilege | 2016 | iexplore.exe
Token: SeManageVolumePrivilege | 2016 | iexplore.exe
Token: SeImpersonatePrivilege | 2016 | iexplore.exe
Token: SeCreateGlobalPrivilege | 2016 | iexplore.exe
Token: 33 | 2016 | iexplore.exe
Token: 34 | 2016 | iexplore.exe
Token: 35 | 2016 | iexplore.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
2016 | iexplore.exe
Suspicious use of WriteProcessMemory (45 IoCs)
Processes:
description | pid | process | target process | count
PID 748 wrote to memory of 1936 | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe | cmd.exe | 4
PID 748 wrote to memory of 1876 | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe | cmd.exe | 4
PID 748 wrote to memory of 2016 | 748 | 37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe | iexplore.exe | 6
PID 1876 wrote to memory of 2028 | 1876 | cmd.exe | attrib.exe | 4
PID 1936 wrote to memory of 2032 | 1936 | cmd.exe | attrib.exe | 4
PID 2016 wrote to memory of 1984 | 2016 | iexplore.exe | notepad.exe | 23
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
pid | process
2032 | attrib.exe
2028 | attrib.exe
Processes

1  C:\Users\Admin\AppData\Local\Temp\37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe"
   - Modifies firewall policy service
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe" +s +h
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\attrib.exe
         command line: attrib "C:\Users\Admin\AppData\Local\Temp\37e0c72ff5d602968aa7c84e60d0690111f99c30cea4aa36381a990ac870c29f.exe" +s +h
         - Views/modifies file attributes

   2  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\attrib.exe
         command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
         - Views/modifies file attributes

   2  C:\Program Files (x86)\Internet Explorer\iexplore.exe
      command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies firewall policy service
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\notepad.exe
         command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/748-54-0x00000000763E1000-0x00000000763E3000-memory.dmp (Filesize: 8KB)
memory/1876-56-0x0000000000000000-mapping.dmp
memory/1936-55-0x0000000000000000-mapping.dmp
memory/1984-59-0x0000000000000000-mapping.dmp
memory/2028-57-0x0000000000000000-mapping.dmp
memory/2032-58-0x0000000000000000-mapping.dmp