Analysis
- max time kernel: 189s
- max time network: 188s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-08-2022 21:00
Behavioral task: behavioral1
- Sample: payload.exe
- Resource: win7-20220715-en (windows7-x64)
- 6 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: payload.exe
- Resource: win10v2004-20220721-en (windows10-2004-x64)
- 6 signatures
- 150 seconds
General
- Target: payload.exe
- Size: 27KB
- MD5: 719586d8b62ee3203fafc4834472c722
- SHA1: 8668e69c2eadf4087f56cd4ad5f30b5a960abfb3
- SHA256: a4eb32f9273e31ef4f46e2a7036cd89aa35e8fe8aa0b67982b0c149d30e88590
- SHA512: 6e667e3e75a5f682c7b16d2cf31b30d0019f708efe9c00011e793d3b2b71ad592638911ced815aeb4d14ca356e11c88ba7ed4c6eef3181650e849aa2fd27ec34
- Score: 7/10
Malware Config
Signatures
Drops startup file (1 IoC)
Processes (description / ioc / process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (payload.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (payload.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (payload.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (payload.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (payload.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
- Token: 33 (5032, payload.exe)
- Token: SeIncBasePriorityPrivilege (5032, payload.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description / pid / process / target process):
- PID 5032 wrote to memory of 2192 (5032, payload.exe -> attrib.exe)
- PID 5032 wrote to memory of 2192 (5032, payload.exe -> attrib.exe)
- PID 5032 wrote to memory of 2192 (5032, payload.exe -> attrib.exe)
- PID 5032 wrote to memory of 2572 (5032, payload.exe -> attrib.exe)
- PID 5032 wrote to memory of 2572 (5032, payload.exe -> attrib.exe)
- PID 5032 wrote to memory of 2572 (5032, payload.exe -> attrib.exe)
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes (pid / process):
- 2192 attrib.exe
- 2572 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\payload.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payload.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
    - Views/modifies file attributes
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
    - Views/modifies file attributes