Overview

overview

7

Static

static

21ddbef7a8...7a.exe

windows7_x64

7

21ddbef7a8...7a.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    42s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-06-2022 07:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21ddbef7a8d998786b0b7acf5677fecf35bd7cc00b973850b6709671c3fff37a.exe

  • Size

    235KB

  • MD5

    4b53491b53623cc0a8616eaedea6f81c

  • SHA1

    db2ea45c85e25dedf3e4a332b3bcd2b94e12ac3f

  • SHA256

    21ddbef7a8d998786b0b7acf5677fecf35bd7cc00b973850b6709671c3fff37a

  • SHA512

    01a2de0218babfa5a280fcd77a6a1ad681b124b2836b113cb161255b94ce13060b11412a26052b2cfda002b62e20c4d64fc76aa48941b9eb763d54ee0b1e109d

Score
7/10
discovery

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 15 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 8 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\21ddbef7a8d998786b0b7acf5677fecf35bd7cc00b973850b6709671c3fff37a.exe
    "C:\Users\Admin\AppData\Local\Temp\21ddbef7a8d998786b0b7acf5677fecf35bd7cc00b973850b6709671c3fff37a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5FA.tmp\5FB.tmp\5FC.bat C:\Users\Admin\AppData\Local\Temp\21ddbef7a8d998786b0b7acf5677fecf35bd7cc00b973850b6709671c3fff37a.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM IntelConfigService.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1320
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM msexec.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1656
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM cftmon.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1820
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM ntosknl.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1392
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM sqlserver.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1256
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM xCoreManagment.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM ApplicationsFrameHost.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:292
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM Wrap.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
      • C:\Windows\system32\attrib.exe
        attrib "C:\ProgramData\MicrosoftUpdateManager" -s -h -r /S /D
        3⤵
        • Views/modifies file attributes
        PID:1372
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\MicrosoftUpdateManager" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1956
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\MicrosoftUpdateManager" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:744
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\MicrosoftUpdateManager" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1524
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\MicrosoftUpdateManager" /inheritance:e /grant "Users:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1332
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\MicrosoftUpdateManager" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:996
      • C:\Windows\system32\attrib.exe
        attrib "C:\ProgramData\WindowsBackup" -s -h -r /S /D
        3⤵
        • Views/modifies file attributes
        PID:384
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\WindowsBackup" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:272
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\WindowsBackup" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:784
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\WindowsBackup" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:544
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\WindowsBackup" /inheritance:e /grant "Users:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:740
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\WindowsBackup" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:540
      • C:\Windows\system32\attrib.exe
        attrib "C:\ProgramData\IntelCore" -s -h -r /S /D
        3⤵
        • Views/modifies file attributes
        PID:912
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\IntelCore" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1552
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\IntelCore" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1140
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\IntelCore" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1720
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\IntelCore" /inheritance:e /grant "Users:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1320
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\IntelCore" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2024
      • C:\Windows\system32\reg.exe
        REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v Windows Update Manager /F
        3⤵
          PID:1656
        • C:\Windows\system32\reg.exe
          REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Update Manager /F
          3⤵
            PID:1168
          • C:\Windows\system32\reg.exe
            REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Update Manager /F
            3⤵
              PID:520
            • C:\Windows\system32\reg.exe
              REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v System /F
              3⤵
                PID:1696
              • C:\Windows\system32\reg.exe
                REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v System /F
                3⤵
                  PID:1316
                • C:\Windows\system32\reg.exe
                  REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v System /F
                  3⤵
                    PID:1312
                  • C:\Windows\system32\reg.exe
                    REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v Windows Start-Up Application /F
                    3⤵
                      PID:1568
                    • C:\Windows\system32\reg.exe
                      REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Start-Up Application /F
                      3⤵
                        PID:1404
                      • C:\Windows\system32\reg.exe
                        REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Start-Up Application /F
                        3⤵
                          PID:1256

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Hidden Files and Directories

                    1
                    T1158

                    Privilege Escalation

                    Defense Evasion

                    File Permissions Modification

                    1
                    T1222

                    Hidden Files and Directories

                    1
                    T1158

                    Credential Access

                    Discovery

                    System Information Discovery

                    1
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\5FA.tmp\5FB.tmp\5FC.bat
                      Filesize

                      2KB

                      MD5

                      b8c26dc9560c1406c0738ca755dc3caf

                      SHA1

                      05993ce61ba127b1bc72006d826561974c1046bb

                      SHA256

                      1e7fe4fd0c12a3e4577634b1dc2fc75c7579cd23d6eab9f5f22f18c6eb22514a

                      SHA512

                      e59cce1ca34b363586a4cd778fc0121b19d29af270285b813f219f0582f71f14e13a8aab3f130703664cdc9a2ed962e394684f81e3cd865a307726996091998a

                      Download Submit
                    • memory/272-72-0x0000000000000000-mapping.dmp
                      Download
                    • memory/292-63-0x0000000000000000-mapping.dmp
                      Download
                    • memory/384-71-0x0000000000000000-mapping.dmp
                      Download
                    • memory/520-85-0x0000000000000000-mapping.dmp
                      Download
                    • memory/540-76-0x0000000000000000-mapping.dmp
                      Download
                    • memory/544-74-0x0000000000000000-mapping.dmp
                      Download
                    • memory/740-75-0x0000000000000000-mapping.dmp
                      Download
                    • memory/744-67-0x0000000000000000-mapping.dmp
                      Download
                    • memory/784-73-0x0000000000000000-mapping.dmp
                      Download
                    • memory/912-77-0x0000000000000000-mapping.dmp
                      Download
                    • memory/996-70-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1036-54-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp
                      Filesize

                      8KB

                      Download
                    • memory/1140-79-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1168-84-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1212-62-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1256-61-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1256-91-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1312-88-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1316-87-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1320-81-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1320-57-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1332-69-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1372-65-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1392-60-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1404-90-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1524-68-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1552-78-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1568-89-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1656-58-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1656-83-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1696-86-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1720-80-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1820-59-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1928-55-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1956-66-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1964-64-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2024-82-0x0000000000000000-mapping.dmp
                      Download