Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 02-08-2022 21:05
Behavioral task: behavioral1
- Sample: payload.exe
- Resource: win7-20220715-en
- 6 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: payload.exe
- Resource: win10v2004-20220721-en
- 6 signatures
- 150 seconds
General
- Target: payload.exe
- Size: 27KB
- MD5: 719586d8b62ee3203fafc4834472c722
- SHA1: 8668e69c2eadf4087f56cd4ad5f30b5a960abfb3
- SHA256: a4eb32f9273e31ef4f46e2a7036cd89aa35e8fe8aa0b67982b0c149d30e88590
- SHA512: 6e667e3e75a5f682c7b16d2cf31b30d0019f708efe9c00011e793d3b2b71ad592638911ced815aeb4d14ca356e11c88ba7ed4c6eef3181650e849aa2fd27ec34
- Score: 7/10
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: payload.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | payload.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: payload.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | payload.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | payload.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes: payload.exe
  description | pid | process
  Token: SeDebugPrivilege | 2012 | payload.exe
  Token: 33 | 2012 | payload.exe
  Token: SeIncBasePriorityPrivilege | 2012 | payload.exe
  Token: 33 | 2012 | payload.exe
  Token: SeIncBasePriorityPrivilege | 2012 | payload.exe
  Token: 33 | 2012 | payload.exe
  Token: SeIncBasePriorityPrivilege | 2012 | payload.exe
  Token: 33 | 2012 | payload.exe
  Token: SeIncBasePriorityPrivilege | 2012 | payload.exe
  Token: 33 | 2012 | payload.exe
  Token: SeIncBasePriorityPrivilege | 2012 | payload.exe
  Token: 33 | 2012 | payload.exe
  Token: SeIncBasePriorityPrivilege | 2012 | payload.exe
  Token: 33 | 2012 | payload.exe
  Token: SeIncBasePriorityPrivilege | 2012 | payload.exe
  Token: 33 | 2012 | payload.exe
  Token: SeIncBasePriorityPrivilege | 2012 | payload.exe
  Token: 33 | 2012 | payload.exe
  Token: SeIncBasePriorityPrivilege | 2012 | payload.exe
  Token: 33 | 2012 | payload.exe
  Token: SeIncBasePriorityPrivilege | 2012 | payload.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: payload.exe
  description | pid | process | target process
  PID 2012 wrote to memory of 1492 | 2012 | payload.exe | attrib.exe
  PID 2012 wrote to memory of 1492 | 2012 | payload.exe | attrib.exe
  PID 2012 wrote to memory of 1492 | 2012 | payload.exe | attrib.exe
  PID 2012 wrote to memory of 1492 | 2012 | payload.exe | attrib.exe
  PID 2012 wrote to memory of 1276 | 2012 | payload.exe | attrib.exe
  PID 2012 wrote to memory of 1276 | 2012 | payload.exe | attrib.exe
  PID 2012 wrote to memory of 1276 | 2012 | payload.exe | attrib.exe
  PID 2012 wrote to memory of 1276 | 2012 | payload.exe | attrib.exe
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | process
  1492 | attrib.exe
  1276 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\payload.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\payload.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\attrib.exe (depth 2)
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
    - Views/modifies file attributes
  - C:\Windows\SysWOW64\attrib.exe (depth 2)
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1276-57-0x0000000000000000-mapping.dmp
- memory/1492-56-0x0000000000000000-mapping.dmp
- memory/2012-54-0x0000000075791000-0x0000000075793000-memory.dmp (Filesize: 8KB)
- memory/2012-55-0x0000000074E00000-0x00000000753AB000-memory.dmp (Filesize: 5.7MB)
- memory/2012-58-0x0000000074E00000-0x00000000753AB000-memory.dmp (Filesize: 5.7MB)