Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-08-2022 21:05
Behavioral task: behavioral1
Sample: payload.exe
Resource: win7-20220715-en
Platform: windows7-x64
6 signatures
150 seconds

Behavioral task: behavioral2
Sample: payload.exe
Resource: win10v2004-20220721-en
Platform: windows10-2004-x64
6 signatures
150 seconds
General
Target: payload.exe
Size: 27KB
MD5: 719586d8b62ee3203fafc4834472c722
SHA1: 8668e69c2eadf4087f56cd4ad5f30b5a960abfb3
SHA256: a4eb32f9273e31ef4f46e2a7036cd89aa35e8fe8aa0b67982b0c149d30e88590
SHA512: 6e667e3e75a5f682c7b16d2cf31b30d0019f708efe9c00011e793d3b2b71ad592638911ced815aeb4d14ca356e11c88ba7ed4c6eef3181650e849aa2fd27ec34
Score: 7/10
Malware Config
Signatures

Drops startup file (1 IoC)
Processes: payload.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | payload.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: payload.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | payload.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | payload.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | payload.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | payload.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: payload.exe
description | pid | process
Token: SeDebugPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Token: 33 | 4476 | payload.exe
Token: SeIncBasePriorityPrivilege | 4476 | payload.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: payload.exe
description | pid | process | target process
PID 4476 wrote to memory of 1496 | 4476 | payload.exe | attrib.exe
PID 4476 wrote to memory of 1496 | 4476 | payload.exe | attrib.exe
PID 4476 wrote to memory of 1496 | 4476 | payload.exe | attrib.exe
PID 4476 wrote to memory of 340 | 4476 | payload.exe | attrib.exe
PID 4476 wrote to memory of 340 | 4476 | payload.exe | attrib.exe
PID 4476 wrote to memory of 340 | 4476 | payload.exe | attrib.exe
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
pid | process
1496 | attrib.exe
340 | attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\payload.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payload.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\attrib.exe (child of payload.exe)
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
    - Views/modifies file attributes

  C:\Windows\SysWOW64\attrib.exe (child of payload.exe)
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
    - Views/modifies file attributes