Analysis

max time kernel: 153s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 08:17

Static task: static1

Behavioral task: behavioral1
  Sample: 583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: 583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe
  Resource: win10v2004-20220901-en
General

Target: 583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe
Size: 201KB
MD5: 4b061b31e2afb8b32fce1a32b9230040
SHA1: 863b53797647010e8b68a3646b7085d9f62bbde5
SHA256: 583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a
SHA512: aa460cc4ce1402bbd7f6cbac88d850880fd8b5a9b10ab7a3fe974d3cb15a360bcae416f585b81cd1d37fcddb88c18f01697acb3007f0111cf30aa61c80f6d8ac
SSDEEP: 6144:Hza2Nj+MLxwkcWTq/81DDiSTz9nqEja3TXU0xtFi:HqEjk7l7Fi
Malware Config

Signatures

Executes dropped EXE (2 IoCs)
  pid | Process
  756 | security.exe
  1632 | security.exe

yara_rule matches
  resource | yara_rule
  behavioral1/memory/1896-59-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1896-61-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1896-62-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1896-65-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1896-66-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1896-69-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1896-108-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1632-110-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1632-112-0x0000000000400000-0x000000000040B000-memory.dmp | upx

Loads dropped DLL (5 IoCs)
  pid | Process | count
  1896 | 583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe | 5 (all entries identical)

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\security.exe" | reg.exe

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 2032 set thread context of 1896 | 2032 | 583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe | 26
  PID 756 set thread context of 1632 | 756 | security.exe | 31
  PID 756 set thread context of 1988 | 756 | security.exe | 32

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1632 | security.exe (all 64 entries identical)

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  2032 | 583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe
  1896 | 583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe
  756 | security.exe
  1632 | security.exe

Suspicious use of WriteProcessMemory (37 IoCs; identical entries collapsed, count in last column)
  description | pid | Process | procid_target | count
  PID 2032 wrote to memory of 1896 | 2032 | 583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe | 26 | 8
  PID 1896 wrote to memory of 1692 | 1896 | 583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe | 27 | 4
  PID 1692 wrote to memory of 2004 | 1692 | cmd.exe | 29 | 4
  PID 1896 wrote to memory of 756 | 1896 | 583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe | 30 | 4
  PID 756 wrote to memory of 1632 | 756 | security.exe | 31 | 8
  PID 756 wrote to memory of 1988 | 756 | security.exe | 32 | 9
Processes

C:\Users\Admin\AppData\Local\Temp\583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe"
  PID: 2032
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\583e2ec8a62c433ad740b5c1a3c90a8ee2dd96c10d24f965e9d25e704d531a4a.exe"
    PID: 1896
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\PFBXW.bat" "
      PID: 1692
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Security" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Security\security.exe" /f
        PID: 2004
        - Adds Run key to start application

    C:\Users\Admin\AppData\Roaming\Security\security.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Security\security.exe"
      PID: 756
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Security\security.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Security\security.exe"
        PID: 1632
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      C:\Windows\explorer.exe
        Command line: "C:\Windows\explorer.exe"
        PID: 1988
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 147B
MD5: 6f473a1ba53e043362047f72e20b34f4
SHA1: e8f121a589e1207ed950453376ee1d21b1223835
SHA256: 5fbce2c77a90ba9edbcf60be3851ab81633b7c10b1babb624d475c7be589de4b
SHA512: b4976d40bc708ae6cddf367a5382cd532e4cf235b848cdaa4e4d317e06d9126e50745a7772591bc21dc7380689f4399e57501b0aa73cd231bce32e22d53b0818

Filesize: 201KB
MD5: 43daa5a2fcb3007ac0dc9dca551bb958
SHA1: 66a6d3153479c656594ac8c29ac46f17cc19e3a2
SHA256: 1980887cb0f5a75880cbd4072780975efca9f7fb41b238cb8d39d4beef8c5258
SHA512: 6669b7aae8f96c82030ec4aa8b00062e6609fbadd98a85a11a1bc46f8bf35e958886a75ae56c5aef7ba6e8466165d3f47794b9171785269795bcfbb6f9722d21