Analysis
max time kernel: 21s
max time network: 47s
platform: windows7_x64
resource: win7-20220414-en
submitted: 24-05-2022 21:54
(the timings, signatures and process tree on this page are from the windows7_x64 run, behavioral1)

Static task: static1
Behavioral task: behavioral1
  Sample: 4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
  Resource: win10v2004-20220414-en
General
Target: 4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
Size: 2.6MB
MD5: 5d9b726cdc7455d58b5e6771d1316f55
SHA1: f803ca6b3986813dbbb700794fc2aba02d93a5c7
SHA256: 4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e
SHA512: 4a7ebdded0ad97031011a5bbb2c98440eab4cc66309f518b128e6a6773c9add54767c36f4d915faf0e52e10b69f9441af9d3edf46a9d4a9cb1620565d7bd34c1
Malware Config
Signatures
-
Process spawned unexpected child process (1 IoC)
Sandbox description: this typically indicates the parent process was compromised via an exploit or macro.
In this run the parent is the WMI provider host, not a compromised process. The sample ran cmd.exe /c wmic process call create "wscript %temp%\start.vbs"; the "process call create" alias invokes Win32_Process.Create, which is executed inside WmiPrvSE.exe, so wscript.exe is created as a child of wmiprvse.exe rather than of cmd.exe. The recorded ancestry of the script host is therefore cut at wmiprvse.exe. To reconstruct it, correlate the child's command line with the string passed to "process call create" in WMIC.exe's own command line (pid 1060).
Processes:
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  parent pid: 1160 (wmiprvse.exe)
  target pid: 1700
  target process: wscript.exe
Loads dropped DLL (5 IoCs)
Processes:
  pid 1364  4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe  (5 load events)
The five loads are the files listed under Downloads: blowfish.dll (four loads) and nsUnzip.dll (one load), both from %TEMP%\nso3F63.tmp\. A directory named ns<letter><4 hex digits>.tmp under %TEMP% is where an NSIS installer unpacks its plugin DLLs while it runs, so the sample is consistent with an NSIS-built installer using a Blowfish plugin and an unzip plugin rather than a hand-written loader. Pivot on the dropped DLL hashes; the directory name comes from GetTempFileName and differs on every run, so it is not a usable IoC.
Enumerates physical storage devices (1 TTP)
Sandbox description: attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No process or call is attributed to this signature in the report, the Network section is empty, and the only payload recovered is a 321-byte VBS whose contents are not shown. Treat the ransomware label as a generic heuristic rather than as evidence about this sample.
Suspicious use of AdjustPrivilegeToken (40 IoCs)
Processes:
  pid 1060  WMIC.exe enabled the following privileges, each recorded twice (20 privileges x 2 = 40 IoCs):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    and privilege LUIDs 33, 34 and 35, which the report shows by number only (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege)
This matches the set of privileges that are present but disabled by default in an elevated administrator token, enabled in ascending LUID order. AdjustTokenPrivileges can only enable privileges the token already holds, so this shows wmic.exe switching on everything it was started with, not an escalation; the question that matters is why a dropped executable is driving wmic.exe at all.
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  pid 1364  4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe  wrote to memory of pid 1304 (cmd.exe)   x4
  pid 1304  cmd.exe                                                                wrote to memory of pid 1060 (WMIC.exe)  x4
Every write goes from a parent into the child it had just created, matching the process tree; there is no write into a pre-existing or unrelated process, so this is parent-to-child setup at process start, not cross-process injection.
Processes
(tree as recorded by the sandbox; the leading number is the depth shown in the report)

1  C:\Users\Admin\AppData\Local\Temp\4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2  C:\windows\SysWOW64\cmd.exe
      command line: "C:\windows\system32\cmd.exe" /c wmic process call create "wscript %temp%\start.vbs"
      - Suspicious use of WriteProcessMemory

1  C:\Windows\SysWOW64\Wbem\WMIC.exe
   command line: wmic process call create "wscript C:\Users\Admin\AppData\Local\Temp\start.vbs"
   - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\system32\wscript.exe
   command line: wscript C:\Users\Admin\AppData\Local\Temp\start.vbs
   - Process spawned unexpected child process

Two things about this tree need reading carefully. First, the report shows WMIC.exe and wscript.exe at depth 1 as if they had no parent, but the WriteProcessMemory signature records cmd.exe (pid 1304) writing into WMIC.exe (pid 1060), and the unexpected-child signature records wmiprvse.exe (pid 1160) as the parent of wscript.exe (pid 1700). The real chain is sample -> cmd.exe -> WMIC.exe -> (WmiPrvSE.exe, via Win32_Process.Create) -> wscript.exe, and it is only visible by joining the signatures. Second, cmd.exe is invoked as C:\windows\system32\cmd.exe but runs from C:\windows\SysWOW64\cmd.exe, and WMIC.exe likewise comes from SysWOW64\Wbem: the sample is a 32-bit process subject to WOW64 file-system redirection, whereas wscript.exe runs from the native system32 directory, consistent with a 64-bit WmiPrvSE.exe having created it. Note also that %temp% in the cmd.exe command line had already been expanded to C:\Users\Admin\AppData\Local\Temp\start.vbs when WMIC.exe received it, which is the path the dropped-file list confirms.
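The ancestry break at wmiprvse.exe and the NSIS plugin loads are the two things worth pulling out of telemetry like this. The following Python is an added example written for this page, not sandbox output and not code from the sample. It runs over a handful of hand-constructed, Sysmon-like process-create and image-load records modelled on the PIDs and command lines in the report; the field names (id, pid, ppid, image, parent_image, cmdline, loaded) are this example's own simplified schema, and the explorer.exe parent at pid 1000, the benign wscript.exe at pid 2200 and the kernel32.dll load are invented filler. It flags script hosts whose recorded parent is wmiprvse.exe, recovers the wmic.exe that requested them by matching the child's command line against the string passed to "process call create", walks the repaired ancestry back to the dropped executable, and lists DLLs loaded from an NSIS ns????.tmp plugin directory.

```python
"""Repair WMI-mediated process ancestry and flag NSIS plugin loads.

Added example for this report. EVENTS is constructed by hand in a simplified
Sysmon-like shape (id 1 = process create, id 7 = image load); the schema is an
assumption of this example, not a real product's.
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe"

# Interpreters whose creation by the WMI provider host deserves a closer look.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe"}

# NSIS unpacks plugin DLLs into %TEMP%\ns<letter><4 hex digits>.tmp\ at run time.
NSIS_PLUGIN_DIR = re.compile(r"\\ns[a-z][0-9a-f]{4}\.tmp\\", re.IGNORECASE)

# "wmic process call create <command>": capture the command WMI is asked to start.
WMIC_CREATE = re.compile(
    r'\bwmic(?:\.exe)?\b.*?\bprocess\s+call\s+create\s+"?([^"]+)"?', re.IGNORECASE)

EVENTS = [  # constructed; PIDs 1364, 1304, 1060, 1160 and 1700 follow the report
    {"id": 1, "pid": 1364, "ppid": 1000, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"id": 7, "pid": 1364, "image": SAMPLE,
     "loaded": r"C:\Users\Admin\AppData\Local\Temp\nso3F63.tmp\blowfish.dll"},
    {"id": 7, "pid": 1364, "image": SAMPLE,
     "loaded": r"C:\Users\Admin\AppData\Local\Temp\nso3F63.tmp\nsUnzip.dll"},
    {"id": 7, "pid": 1364, "image": SAMPLE,
     "loaded": r"C:\Windows\SysWOW64\kernel32.dll"},  # benign system DLL
    {"id": 1, "pid": 1304, "ppid": 1364, "image": r"C:\windows\SysWOW64\cmd.exe",
     "parent_image": SAMPLE,
     "cmdline": r'"C:\windows\system32\cmd.exe" /c wmic process call create "wscript %temp%\start.vbs"'},
    {"id": 1, "pid": 1060, "ppid": 1304, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "parent_image": r"C:\windows\SysWOW64\cmd.exe",
     "cmdline": r'wmic process call create "wscript C:\Users\Admin\AppData\Local\Temp\start.vbs"'},
    {"id": 1, "pid": 1700, "ppid": 1160, "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": r"wscript C:\Users\Admin\AppData\Local\Temp\start.vbs"},
    # Benign noise: the same script host started from Explorer, no WMI involved.
    {"id": 1, "pid": 2200, "ppid": 1000, "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript C:\Users\Admin\Desktop\ok.vbs"},
]


def basename_lower(path):
    """Case-folded file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def wmi_spawned_script_hosts(events):
    """PIDs of script hosts whose recorded parent is the WMI provider host."""
    return [e["pid"] for e in events
            if e["id"] == 1 and basename_lower(e["parent_image"]) == "wmiprvse.exe"
            and basename_lower(e["image"]) in SCRIPT_HOSTS]


def wmic_create_requests(events):
    """(requesting pid, requested command line) for each wmic.exe 'process call create'."""
    out = []
    for e in events:
        if e["id"] != 1 or basename_lower(e["image"]) != "wmic.exe":
            continue  # only the wmic.exe instance itself; cmd.exe still has %temp% unexpanded
        m = WMIC_CREATE.search(e["cmdline"])
        if m:
            out.append((e["pid"], m.group(1).strip()))
    return out


def logical_parents(events):
    """Map each WMI-spawned child pid to the wmic.exe pid that asked for it.

    WmiPrvSE.exe runs exactly the string handed to Win32_Process.Create, so the
    child's command line equals the requested command (compared case-folded).
    """
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    requests = wmic_create_requests(events)
    result = {}
    for child in wmi_spawned_script_hosts(events):
        child_cmd = by_pid[child]["cmdline"].strip().lower()
        for requester, cmd in requests:
            if cmd.lower() == child_cmd:
                result[child] = requester
    return result


def ancestry(events, pid):
    """Image names from pid upward, jumping over WmiPrvSE via the logical-parent map."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    jumps = logical_parents(events)
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename_lower(by_pid[pid]["image"]))
        pid = jumps.get(pid, by_pid[pid]["ppid"])
    return chain


def nsis_plugin_loads(events):
    """(pid, dll name) for every DLL loaded from an NSIS plugin temp directory."""
    return [(e["pid"], basename_lower(e["loaded"])) for e in events
            if e["id"] == 7 and NSIS_PLUGIN_DIR.search(e["loaded"])]


if __name__ == "__main__":
    for pid in wmi_spawned_script_hosts(EVENTS):
        print(f"pid {pid}: repaired ancestry -> {' <- '.join(ancestry(EVENTS, pid))}")
    for pid, dll in nsis_plugin_loads(EVENTS):
        print(f"pid {pid} loaded NSIS plugin {dll}")
```

The correlation is an exact, case-folded string match between the child's command line and the quoted argument of "process call create". On a busy host that is not enough on its own: bound the join by a short time window and by logon session, otherwise an unrelated wmic.exe that happens to request the same command line would be linked to the wrong child. The benign wscript.exe at pid 2200 shows the other side of the rule: an identical script host with a normal parent is never flagged.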
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
(dropped files; blowfish.dll appears four times in the report with identical hashes, one entry per load event, and is listed once here)

C:\Users\Admin\AppData\Local\Temp\start.vbs
  Filesize: 321B
  MD5: 51546c284d2ee505bc551247ab0c105e
  SHA1: 66fd2bbbaffbd68051e189fa44d97ae9ae2749b1
  SHA256: 31c473f41ac9d4515870b8c5b128cd5f3c901fcfe45116435cd1c3266f3f9ed5
  SHA512: 0ea834a7d869cbb94d7bcddce1b63cd3126ac1fd771fe00fcc075d06f285352004a2ff3702270488f3753d245328a779320f1b2abfd325ef45537c0cbe83e76e
  (the script's contents are not included in the report; this 321-byte file is the stage the sample hands to wscript.exe and is the artifact to retrieve for further analysis)

\Users\Admin\AppData\Local\Temp\nso3F63.tmp\blowfish.dll
  Filesize: 22KB
  MD5: 5afd4a9b7e69e7c6e312b2ce4040394a
  SHA1: fbd07adb3f02f866dc3a327a86b0f319d4a94502
  SHA256: 053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
  SHA512: f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

\Users\Admin\AppData\Local\Temp\nso3F63.tmp\nsUnzip.dll
  Filesize: 146KB
  MD5: 77a26c23948070dc012bba65e7f390aa
  SHA1: 7e112775770f9b3b24e2a238b5f7c66f8802e5d8
  SHA256: 4e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43
  SHA512: 2e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065
Memory dumps
memory/1060-61-0x0000000000000000-mapping.dmp
memory/1304-60-0x0000000000000000-mapping.dmp
memory/1364-54-0x0000000076461000-0x0000000076463000-memory.dmp
  Filesize: 8KB