Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 08:56
Static task: static1
Behavioral task: behavioral1
- Sample: 264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2.exe
- Resource: win10v2004-20220414-en
General
- Target: 264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2.exe
- Size: 1.0MB
- MD5: c0b375a5c4bcfc0a08699ad368de0b67
- SHA1: 644ec97218b4b0b41e560a1e8f57221de1b3fbf5
- SHA256: 264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2
- SHA512: bb465698545e59b3d2d294e23f3535b7408a42c488005917f161964b161cd0ddc7729605b03dee7b5699f3a7c9a166d579a842de357eff76c7236c18d637006c
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 852: ScreenRotate.exe
  - PID 1884: ScreenRotate.exe
- Drops startup file (1 IoC)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScreenRotate.lnk (ScreenRotate.exe)
- Loads dropped DLL (3 IoCs)
  Processes:
  - PID 1096: cmd.exe
  - PID 852: ScreenRotate.exe
  - PID 852: ScreenRotate.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 852 (ScreenRotate.exe) set thread context of PID 1884, procid_target 36
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NTFS ADS (3 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Local\Temp\264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2.exe:Zone.Identifier (cmd.exe)
  - File created: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\ScreenRotate.exe\:Zone.Identifier:$DATA (cmd.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\ScreenRotate.exe:Zone.Identifier (cmd.exe)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 1944, 264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2.exe
  - Token: SeDebugPrivilege, PID 852, ScreenRotate.exe
  - Token: SeDebugPrivilege, PID 1884, ScreenRotate.exe
  - Token: 33, PID 1884, ScreenRotate.exe
  - Token: SeIncBasePriorityPrivilege, PID 1884, ScreenRotate.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - PID 1884: ScreenRotate.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (identical entries grouped, with the repeat count in parentheses):
  - PID 1944 (264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2.exe) wrote to memory of 1728, procid_target 27 (x4)
  - PID 1944 (264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2.exe) wrote to memory of 2028, procid_target 29 (x4)
  - PID 1944 (264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2.exe) wrote to memory of 1096, procid_target 31 (x4)
  - PID 1096 (cmd.exe) wrote to memory of 852, procid_target 33 (x4)
  - PID 852 (ScreenRotate.exe) wrote to memory of 1072, procid_target 34 (x4)
  - PID 852 (ScreenRotate.exe) wrote to memory of 1884, procid_target 36 (x9)
Processes
- C:\Users\Admin\AppData\Local\Temp\264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2.exe"
  PID: 1944
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2.exe:Zone.Identifier"
    PID: 1728
    - NTFS ADS
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\ScreenRotate.exe"
    PID: 2028
    - NTFS ADS
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\ScreenRotate.exe"
    PID: 1096
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\ScreenRotate.exe
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\ScreenRotate.exe"
      PID: 852
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\ScreenRotate.exe:Zone.Identifier"
        PID: 1072
        - NTFS ADS
      - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\ScreenRotate.exe
        Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\ScreenRotate.exe"
        PID: 1884
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1728
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.0MB
  MD5: c0b375a5c4bcfc0a08699ad368de0b67
  SHA1: 644ec97218b4b0b41e560a1e8f57221de1b3fbf5
  SHA256: 264e72b1322193ffd3eb1185dc67a87661962835e3beebd6250a3b3bc1b6e4d2
  SHA512: bb465698545e59b3d2d294e23f3535b7408a42c488005917f161964b161cd0ddc7729605b03dee7b5699f3a7c9a166d579a842de357eff76c7236c18d637006c