Analysis
- max time kernel: 11s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2022 00:14
Behavioral task behavioral1
- Sample: 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
- Resource: win7-20220718-en
Behavioral task behavioral2
- Sample: 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
- Resource: win10v2004-20220721-en
General
- Target: 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
- Size: 690KB
- MD5: b1054ce8f34ae583487bd889bf03fb39
- SHA1: 405a0010eda09b5878596a7d91abf0ffe58634db
- SHA256: 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36
- SHA512: 5f03041137cb4fb942b96f8d6e2f44849be7d393b9f7231581ad6637d8ebba7864c38defe922f238661dc525e6d2dc726e3e456cbc540f977b13162100629345
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\java"
  process: 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
- pid 2020, process attrib.exe
- pid 1352, process attrib.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\java"
  process: 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
All 23 entries were recorded for pid 1756 (39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe). Token privileges adjusted:
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: SeImpersonatePrivilege
- Token: SeCreateGlobalPrivilege
- Token: 33
- Token: 34
- Token: 35
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
Each of the following write relationships was logged 4 times (16 IoCs in total):
- PID 1756 (39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe) wrote to memory of 1676 (cmd.exe)
- PID 1756 (39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe) wrote to memory of 1364 (cmd.exe)
- PID 1676 (cmd.exe) wrote to memory of 1352 (attrib.exe)
- PID 1364 (cmd.exe) wrote to memory of 2020 (attrib.exe)
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
- pid 2020, process attrib.exe
- pid 1352, process attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1352-57-0x0000000000000000-mapping.dmp
- memory/1364-56-0x0000000000000000-mapping.dmp
- memory/1676-55-0x0000000000000000-mapping.dmp
- memory/1756-54-0x0000000075A11000-0x0000000075A13000-memory.dmp (Filesize 8KB)
- memory/2020-58-0x0000000000000000-mapping.dmp