Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2022 00:42
Static task: static1
Behavioral task: behavioral1
  Sample: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
  Resource: win10v2004-20220901-en
General
- Target: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
- Size: 354KB
- MD5: 6742b8f2ce2a31ea67be7a05b27a7450
- SHA1: ea8db160fa12648a1b1819c82c2db25205f51c84
- SHA256: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab
- SHA512: 8cdab5ad6991187cceb1201d4c762aea5ac4dcaaa2ed90d24a07bcb90edb141d5c6c26f4a783cc7a795f6f8d2b81db45175c2e836585e57d9369be6f8e6fff3a
- SSDEEP: 3072:owi51kpjgUdkY8NvGKISQ69TKDWVmXKi+rnd2q4HXEcKCDEakrraOmU84qAUJbXO:EopjgUqY8MSkWVdQDjgToNNvDROyEbZ
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1428  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
- Deletes itself (1 IoC)
  Processes:
    pid 1168  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1380  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
    pid 1380  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\System32\\javaq.exe"  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\\System32\\javaq.exe"  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 1428  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  pid 1380  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
    Token: SeDebugPrivilege  pid 1428  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid 1428  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1380 wrote to memory of 1428  1380  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
    PID 1380 wrote to memory of 1428  1380  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
    PID 1380 wrote to memory of 1428  1380  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
    PID 1380 wrote to memory of 1428  1380  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
    PID 1380 wrote to memory of 1168  1380  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe  cmd.exe
    PID 1380 wrote to memory of 1168  1380  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe  cmd.exe
    PID 1380 wrote to memory of 1168  1380  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe  cmd.exe
    PID 1380 wrote to memory of 1168  1380  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe  cmd.exe
    PID 1168 wrote to memory of 524  1168  cmd.exe  PING.EXE
    PID 1168 wrote to memory of 524  1168  cmd.exe  PING.EXE
    PID 1168 wrote to memory of 524  1168  cmd.exe  PING.EXE
    PID 1168 wrote to memory of 524  1168  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"
  PID: 1380
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"
    PID: 1428
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"
    PID: 1168
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 1000
      PID: 524
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
  Filesize: 354KB
  MD5: 6742b8f2ce2a31ea67be7a05b27a7450
  SHA1: ea8db160fa12648a1b1819c82c2db25205f51c84
  SHA256: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab
  SHA512: 8cdab5ad6991187cceb1201d4c762aea5ac4dcaaa2ed90d24a07bcb90edb141d5c6c26f4a783cc7a795f6f8d2b81db45175c2e836585e57d9369be6f8e6fff3a
- \Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
  Filesize: 354KB
  MD5: 6742b8f2ce2a31ea67be7a05b27a7450
  SHA1: ea8db160fa12648a1b1819c82c2db25205f51c84
  SHA256: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab
  SHA512: 8cdab5ad6991187cceb1201d4c762aea5ac4dcaaa2ed90d24a07bcb90edb141d5c6c26f4a783cc7a795f6f8d2b81db45175c2e836585e57d9369be6f8e6fff3a