Analysis
max time kernel: 152s
max time network: 158s
platform: windows7_x64
resource: win7-20220414-en
submitted: 14-06-2022 20:24
Static task: static1
Behavioral task: behavioral1
  Sample: 2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
  Resource: win10v2004-20220414-en
General
Target: 2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
Size: 532KB
MD5: fc9a12a9bb842acc8879398df0066302
SHA1: 09391f5dd89078cbff1b554b601a515ea8ce0bf8
SHA256: 2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62
SHA512: 6f834185ecf024e2feaeaa6a933b09f05ab7099f683323bb1d83e45d4166821c8608a6f9348a38cbe68ab67e1bc806df1c23f9e36a2f3b0ed58ba8ce55248139
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes (pid, Process):
  896   2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
  304   2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
Deletes itself (1 IoC)
Processes (pid, Process):
  672   cmd.exe
Loads dropped DLL (2 IoCs)
Processes (pid, Process):
  1088  2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
  896   2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes (resource, yara_rule):
  behavioral1/memory/868-56-0x0000000000440000-0x0000000000470000-memory.dmp   agile_net
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, Process):
  Set value (str)   \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\winstartedwinb = "C:\\Users\\Admin\\AppData\\Roaming\\defenderwb\\winlogimam.exe"   2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes (description, pid, Process, procid_target):
  PID 868 set thread context of 1088   868   2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe   28
  PID 896 set thread context of 304    896   2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe   34
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description, pid, Process):
  Token: SeDebugPrivilege             868    2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
  Token: SeDebugPrivilege             1088   2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
  Token: SeDebugPrivilege             896    2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
  Token: SeDebugPrivilege             304    2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
  Token: 33                           304    2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
  Token: SeIncBasePriorityPrivilege   304    2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, Process):
  304   2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
Suspicious use of WriteProcessMemory (30 IoCs)
Processes (description, pid, Process, procid_target; identical entries collapsed with a call count):
  PID 868 wrote to memory of 1088    868    2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe   28   (9 entries)
  PID 1088 wrote to memory of 896    1088   2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe   30   (4 entries)
  PID 1088 wrote to memory of 672    1088   2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe   31   (4 entries)
  PID 672 wrote to memory of 1712    672    cmd.exe                                                                 33   (4 entries)
  PID 896 wrote to memory of 304     896    2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe   34   (9 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe"
    PID: 868
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe"
        PID: 1088
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe"
            PID: 896
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe"
                PID: 304
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe"
            PID: 672
            - Deletes itself
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\PING.EXE
                Command line: ping 1.1.1.1 -n 1 -w 1000
                PID: 1712
                - Runs ping.exe
[1] C:\Windows\system32\wbem\WmiApSrv.exe
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
    PID: 320
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
  Filesize: 532KB
  MD5: fc9a12a9bb842acc8879398df0066302
  SHA1: 09391f5dd89078cbff1b554b601a515ea8ce0bf8
  SHA256: 2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62
  SHA512: 6f834185ecf024e2feaeaa6a933b09f05ab7099f683323bb1d83e45d4166821c8608a6f9348a38cbe68ab67e1bc806df1c23f9e36a2f3b0ed58ba8ce55248139
\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
  Filesize: 532KB
  MD5: fc9a12a9bb842acc8879398df0066302
  SHA1: 09391f5dd89078cbff1b554b601a515ea8ce0bf8
  SHA256: 2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62
  SHA512: 6f834185ecf024e2feaeaa6a933b09f05ab7099f683323bb1d83e45d4166821c8608a6f9348a38cbe68ab67e1bc806df1c23f9e36a2f3b0ed58ba8ce55248139