Analysis
- max time kernel: 90s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 13:49
Behavioral task: behavioral1
- Sample: f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
- Resource: win7-20220414-en
- windows7_x64
- 0 signatures
- 0 seconds
General
- Target: f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
- Size: 689KB
- MD5: 9e25e98bed41833e4e27afd395dff950
- SHA1: cadf77649528213974c44cfd5986b00258f8675d
- SHA256: f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662
- SHA512: 7183a0861e543c991b60fd8dc8d2d697d5dca99f86ee5db1230f3f4f8f240c9a6cf52cb6a5d5d2928825c40ffe144100b40112003f61c77af49f61e634f1068c
Malware Config

Signatures
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe (pid 4608)
  Token privileges adjusted by this process:
  - SeIncreaseQuotaPrivilege
  - SeSecurityPrivilege
  - SeTakeOwnershipPrivilege
  - SeLoadDriverPrivilege
  - SeSystemProfilePrivilege
  - SeSystemtimePrivilege
  - SeProfSingleProcessPrivilege
  - SeIncBasePriorityPrivilege
  - SeCreatePagefilePrivilege
  - SeBackupPrivilege
  - SeRestorePrivilege
  - SeShutdownPrivilege
  - SeDebugPrivilege
  - SeSystemEnvironmentPrivilege
  - SeChangeNotifyPrivilege
  - SeRemoteShutdownPrivilege
  - SeUndockPrivilege
  - SeManageVolumePrivilege
  - SeImpersonatePrivilege
  - SeCreateGlobalPrivilege
  - 33
  - 34
  - 35
  - 36
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe (pid 4608)
Processes
- C:\Users\Admin\AppData\Local\Temp\f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe"
  - Modifies firewall policy service
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx