Analysis
- max time kernel: 8s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2022 06:30

Static task: static1
Behavioral task: behavioral1
Sample: a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Resource: win7-20220812-en
General
- Target: a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
- Size: 32KB
- MD5: c7e2a311a5ca80ba57a1627cf4b147ac
- SHA1: 171e4136d2547248cac6170dc7a8b9cfc9bd62f2
- SHA256: a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8
- SHA512: 1ea1d9806b7aa7dbc370c544c4e82dfc28750558c9f450c81bdc8365d61557486a7bbde13adc423ad799efbd841a396cd5939a04a9fbfa257a8307dd5688c3a4
- SSDEEP: 384:PQXWtTyg1fJDMVD9ORAtKT5KDBUdrZw7QSc:PgSyg9JwSRGC5eBUrZr
Malware Config
Signatures
UAC bypass 6 IoCs
Processes (description | ioc | process):
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Downloads MZ/PE file

Executes dropped EXE 4 IoCs
Processes (pid | process):
1512 | k4.exe
4896 | k4.exe
1512 | k4.exe
4896 | k4.exe
Checks whether UAC is enabled 2 IoCs
Processes (description | ioc | process):
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 2 IoCs
Processes (pid | process):
628 | taskkill.exe
628 | taskkill.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 628 | taskkill.exe
Token: SeDebugPrivilege | 628 | taskkill.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid | process):
4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes (description | pid | process | target process):
PID 4324 wrote to memory of 1512 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | k4.exe
PID 4324 wrote to memory of 1512 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | k4.exe
PID 4324 wrote to memory of 4896 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | k4.exe
PID 4324 wrote to memory of 4896 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | k4.exe
PID 4324 wrote to memory of 4968 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | cmd.exe
PID 4324 wrote to memory of 4968 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | cmd.exe
PID 4324 wrote to memory of 4968 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | cmd.exe
PID 4968 wrote to memory of 628 | 4968 | cmd.exe | taskkill.exe
PID 4968 wrote to memory of 628 | 4968 | cmd.exe | taskkill.exe
PID 4968 wrote to memory of 628 | 4968 | cmd.exe | taskkill.exe
PID 4324 wrote to memory of 1512 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | k4.exe
PID 4324 wrote to memory of 1512 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | k4.exe
PID 4324 wrote to memory of 4896 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | k4.exe
PID 4324 wrote to memory of 4896 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | k4.exe
PID 4324 wrote to memory of 4968 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | cmd.exe
PID 4324 wrote to memory of 4968 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | cmd.exe
PID 4324 wrote to memory of 4968 | 4324 | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe | cmd.exe
PID 4968 wrote to memory of 628 | 4968 | cmd.exe | taskkill.exe
PID 4968 wrote to memory of 628 | 4968 | cmd.exe | taskkill.exe
PID 4968 wrote to memory of 628 | 4968 | cmd.exe | taskkill.exe
System policy modification 1 TTPs 6 IoCs
Processes (description | ioc | process):
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a6941755e5b2bd44d696020e8c058581380aa75a1c594bf48e6c2512863b06e8.exe"
    - UAC bypass
    - Checks whether UAC is enabled
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    [2] C:\Users\Public\Documents\k4.exe
        command line: C:/Users/Public/Documents/k4.exe
        - Executes dropped EXE
    [2] C:\Users\Public\Documents\k4.exe
        command line: C:/Users/Public/Documents/k4.exe /D
        - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c taskkill /f /t /im k4.exe
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\taskkill.exe
            command line: taskkill /f /t /im k4.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Documents\k4.exe
  Filesize: 892KB
  MD5: 33e29221e2825001d32f78632217d250
  SHA1: 9122127fc91790a1edb78003e9b58a9b00355ed5
  SHA256: 65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
  SHA512: 01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
- memory/628-138-0x0000000000000000-mapping.dmp
- memory/1512-132-0x0000000000000000-mapping.dmp
- memory/4896-135-0x0000000000000000-mapping.dmp
- memory/4968-137-0x0000000000000000-mapping.dmp