Analysis
max time kernel: 44s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04-10-2022 03:15
Behavioral task: behavioral1
  Sample: 8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
  Resource: win10v2004-20220812-en
General
Target: 8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
Size: 203KB
MD5: 6b3358be20fd33a50824a5ec91212879
SHA1: f384bf2e2f1c2a5ef5aad9b127483a75d4519a6b
SHA256: 8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70
SHA512: 12d9854b8c890797d17284bd289b29a97838eb0e927f60c109eb9d89aa70c2698b96ba16cb556556b4043023c1ff15e96d0b960779ff64f16265054d935f0113
SSDEEP: 6144:E64DnLGwnvAlQKs8BbP2BfGP7SF9AuTCSh9Ewjw:TeFv0QK5P2BfGeX7Xrjw
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  Processes:
    pid 1744  ss.exe
    pid 1712  289.exe
    pid 1732  svchost.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe  (svchost.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe  (svchost.exe)
Loads dropped DLL (3 IoCs)
  Processes:
    pid 2012  8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
    pid 2012  8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
    pid 1712  289.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."  (svchost.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."  (svchost.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid 1732  svchost.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    Token: SeDebugPrivilege  pid 1732  svchost.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source pid/process -> target pid/process; each row is reported 4 times in the raw log):
    PID 2012  8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe  wrote to memory of  1744  ss.exe
    PID 1744  ss.exe       wrote to memory of  1712  289.exe
    PID 1712  289.exe      wrote to memory of  1732  svchost.exe
    PID 1732  svchost.exe  wrote to memory of  1152  netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ss.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ss.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\289.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\289.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\svchost.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\netsh.exe
               Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
               - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\289.exe
  Filesize: 56KB
  MD5: 3242d5de505f25484b1809a9ee87d0dd
  SHA1: 39e363e493a338359afb83f04168821950862043
  SHA256: 15eade85673e69785dad65bef8545c80b70d23d68740386e9545ba8f1bea742c
  SHA512: 34e12aad92cd835386a1c8fca25da5747fca4833a7507a9255e8433af24eed64348d383791754d4946cfa5ef64c03a70d1dd2c5a203e5d6b101f01e3f2c4b785
C:\Users\Admin\AppData\Local\Temp\ss.exe (also listed as \Users\Admin\AppData\Local\Temp\ss.exe)
  Filesize: 193KB
  MD5: 23963d66fb8c79bb409e826ff473bb74
  SHA1: 8e42a270d251af191c267312143b23c5956fd910
  SHA256: 9aed1caa06b45627f6d503197b9082f5a3f244b8b507b7faa7e647a90be64b03
  SHA512: b36fd10aa70bd1d3f0f5c819b2f2667c7b2259c96d74f84a6717d668ce5c55838cd9b180bf1d3cbe49ac7385473072933188926660daf7e6526c7c0d96e60779
C:\Users\Admin\AppData\Local\Temp\svchost.exe (also listed as \Users\Admin\AppData\Local\Temp\svchost.exe; hashes identical to 289.exe)
  Filesize: 56KB
  MD5: 3242d5de505f25484b1809a9ee87d0dd
  SHA1: 39e363e493a338359afb83f04168821950862043
  SHA256: 15eade85673e69785dad65bef8545c80b70d23d68740386e9545ba8f1bea742c
  SHA512: 34e12aad92cd835386a1c8fca25da5747fca4833a7507a9255e8433af24eed64348d383791754d4946cfa5ef64c03a70d1dd2c5a203e5d6b101f01e3f2c4b785
memory/1152-70-0x0000000000000000-mapping.dmp
memory/1712-61-0x0000000000000000-mapping.dmp
memory/1712-71-0x00000000741A0000-0x000000007474B000-memory.dmp  Filesize: 5.7MB
memory/1732-66-0x0000000000000000-mapping.dmp
memory/1732-73-0x00000000741A0000-0x000000007474B000-memory.dmp  Filesize: 5.7MB
memory/1732-74-0x00000000741A0000-0x000000007474B000-memory.dmp  Filesize: 5.7MB
memory/1744-60-0x000007FEF33C0000-0x000007FEF3DE3000-memory.dmp  Filesize: 10.1MB
memory/1744-57-0x0000000000000000-mapping.dmp
memory/2012-54-0x0000000075281000-0x0000000075283000-memory.dmp  Filesize: 8KB