Analysis
max time kernel: 148s
max time network: 99s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 01:18
Static task: static1
Behavioral task: behavioral1
  Sample: 4bf6806b7f2144b75632d9163b9e1da763d92872c7a4ca0f89017e1c13df43b4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 4bf6806b7f2144b75632d9163b9e1da763d92872c7a4ca0f89017e1c13df43b4.exe
  Resource: win10v2004-20220812-en
General
Target: 4bf6806b7f2144b75632d9163b9e1da763d92872c7a4ca0f89017e1c13df43b4.exe
Size: 819KB
MD5: 091675fc7b4c7806023eaccfe27caf2b
SHA1: 7603e97f7076dfd3bc01de04176357f74f86345f
SHA256: 4bf6806b7f2144b75632d9163b9e1da763d92872c7a4ca0f89017e1c13df43b4
SHA512: 6ca45dfcb08845e1e3475070be171ce4a328d618428e6e1dcf7212c3bf1e8fd3eb2277f9d6cc2d805ff418772f540f6df0e3f53d0fe7e79912c22000f096df65
SSDEEP: 12288:v7Xnn6YD41EDjrKOp/yQaOoikVYQedOzOYspvGS8kZehMU6b3FSMTmRFYdq7AWbf:TXIYrMQaOoDDldS1H3MMTSSdqR33
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid 1248  privacy.exe
Loads dropped DLL (3 IoCs)
Processes:
  pid 1008  4bf6806b7f2144b75632d9163b9e1da763d92872c7a4ca0f89017e1c13df43b4.exe (3 entries)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Privacy Protection = "C:\\ProgramData\\privacy.exe"  privacy.exe
  Key created  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run  privacy.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  File opened (read-only) by privacy.exe, in this order: \??\K:, \??\L:, \??\N:, \??\S:, \??\U:, \??\V:, \??\Y:, \??\Z:, \??\F:, \??\H:, \??\I:, \??\T:, \??\P:, \??\R:, \??\W:, \??\X:, \??\O:, \??\Q:, \??\E:, \??\G:, \??\J:, \??\M:
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  File opened for modification  \??\PhysicalDrive0  privacy.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes:
  pid 1008  4bf6806b7f2144b75632d9163b9e1da763d92872c7a4ca0f89017e1c13df43b4.exe (1 entry)
  pid 1248  privacy.exe (22 entries)
Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid 1008  4bf6806b7f2144b75632d9163b9e1da763d92872c7a4ca0f89017e1c13df43b4.exe
Suspicious use of FindShellTrayWindow (12 IoCs)
Processes:
  pid 1248  privacy.exe (12 entries)
Suspicious use of SendNotifyMessage (12 IoCs)
Processes:
  pid 1248  privacy.exe (12 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid 1248  privacy.exe (2 entries)
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  PID 1008 (4bf6806b7f2144b75632d9163b9e1da763d92872c7a4ca0f89017e1c13df43b4.exe) wrote to memory of PID 1248 (privacy.exe) (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\4bf6806b7f2144b75632d9163b9e1da763d92872c7a4ca0f89017e1c13df43b4.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\4bf6806b7f2144b75632d9163b9e1da763d92872c7a4ca0f89017e1c13df43b4.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\privacy.exe (tree depth 2, child of the process above)
Command line: C:\ProgramData\privacy.exe
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\privacy.exe
Filesize: 800KB
MD5: d60d2ba146e7044aa8074eed646fe281
SHA1: c7c8ad62aa86c0d5faad8b3f4583a01653b1a418
SHA256: d96bfc86aef9fe686cb0b4a3efc8a815cae22beb707fa8f2af713b6e4a10b6b3
SHA512: 066bfaa2050937a127fa5e7673c9ae707c91b6a2e8c4da2ff4ecadcb58e2fdf61b9b2ca583b36eb417d3a07c52dfc3f6aee7bd6c8bd553e7ed693cd4eff78a7d
-
\ProgramData\privacy.exe (listed three more times under this root-relative path; same size and hashes as the C:\ProgramData\privacy.exe entry above)
-
memory/1008-54-0x0000000075C51000-0x0000000075C53000-memory.dmp (8KB)
memory/1008-55-0x0000000000400000-0x00000000004F7000-memory.dmp (988KB)
memory/1248-59-0x0000000000000000-mapping.dmp
memory/1248-62-0x0000000000400000-0x0000000000A27000-memory.dmp (6.2MB)
memory/1248-64-0x0000000000ACF000-0x0000000000AD1000-memory.dmp (8KB)
memory/1248-65-0x0000000000400000-0x0000000000A27000-memory.dmp (6.2MB)
memory/1248-66-0x0000000000400000-0x0000000000A27000-memory.dmp (6.2MB)