Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 05:42
Static task: static1
Behavioral task: behavioral1
  Sample: 10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe
  Resource: win10v2004-20220414-en
General
- Target: 10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe
- Size: 62KB
- MD5: 3d931e0e173d08cf672d9977a03d4d62
- SHA1: 59f989fecf93c9e7b084215af0f205eac9ecb957
- SHA256: 10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668
- SHA512: c5550f4d1be18ae030ae25078e8689e198b58b758f06cde1230f148bfb746c4f75a089f091e6a7a04013f3450383fab257eddff9c2432c30e3630e2dc9b9f2c6
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    1636 | msgs.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1595ec1b10f663098eed3aa73bd31f01.exe | msgs.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1595ec1b10f663098eed3aa73bd31f01.exe | msgs.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
    384 | 10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1595ec1b10f663098eed3aa73bd31f01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\msgs.exe\" .." | msgs.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1595ec1b10f663098eed3aa73bd31f01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\msgs.exe\" .." | msgs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1636 | msgs.exe
    Token: 33 | 1636 | msgs.exe (9 occurrences, alternating with the row below)
    Token: SeIncBasePriorityPrivilege | 1636 | msgs.exe (9 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
    PID 384 wrote to memory of 1636 | 384 | 10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe | msgs.exe (4 occurrences)
    PID 1636 wrote to memory of 1684 | 1636 | msgs.exe | netsh.exe (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\msgs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\msgs.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\msgs.exe" "msgs.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\msgs.exe
  Filesize: 62KB
  MD5: 3d931e0e173d08cf672d9977a03d4d62
  SHA1: 59f989fecf93c9e7b084215af0f205eac9ecb957
  SHA256: 10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668
  SHA512: c5550f4d1be18ae030ae25078e8689e198b58b758f06cde1230f148bfb746c4f75a089f091e6a7a04013f3450383fab257eddff9c2432c30e3630e2dc9b9f2c6
- C:\Users\Admin\AppData\Local\Temp\msgs.exe
  Filesize: 62KB
  MD5: 3d931e0e173d08cf672d9977a03d4d62
  SHA1: 59f989fecf93c9e7b084215af0f205eac9ecb957
  SHA256: 10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668
  SHA512: c5550f4d1be18ae030ae25078e8689e198b58b758f06cde1230f148bfb746c4f75a089f091e6a7a04013f3450383fab257eddff9c2432c30e3630e2dc9b9f2c6
- \Users\Admin\AppData\Local\Temp\msgs.exe
  Filesize: 62KB
  MD5: 3d931e0e173d08cf672d9977a03d4d62
  SHA1: 59f989fecf93c9e7b084215af0f205eac9ecb957
  SHA256: 10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668
  SHA512: c5550f4d1be18ae030ae25078e8689e198b58b758f06cde1230f148bfb746c4f75a089f091e6a7a04013f3450383fab257eddff9c2432c30e3630e2dc9b9f2c6
- memory/384-54-0x00000000763E1000-0x00000000763E3000-memory.dmp
  Filesize: 8KB
- memory/384-55-0x0000000074980000-0x0000000074F2B000-memory.dmp
  Filesize: 5.7MB
- memory/384-61-0x0000000074980000-0x0000000074F2B000-memory.dmp
  Filesize: 5.7MB
- memory/1636-57-0x0000000000000000-mapping.dmp
- memory/1636-62-0x0000000074980000-0x0000000074F2B000-memory.dmp
  Filesize: 5.7MB
- memory/1636-65-0x0000000074980000-0x0000000074F2B000-memory.dmp
  Filesize: 5.7MB
- memory/1684-63-0x0000000000000000-mapping.dmp