Analysis
max time kernel: 103s
max time network: 101s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 04:51
Behavioral task: behavioral1
Sample: a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe
Resource: win7-20220812-en
General
Target: a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe
Size: 811KB
MD5: 17c23bc043edc7413d8f8e09fd7d322b
SHA1: eacb3548cb1f816334afb8889a68f007ca824f64
SHA256: a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8
SHA512: 7fe6fa6cf2f6892d9b6c8b674dcba8e6dceb1c235ffc5929b909cc2a7c2cbeb8529044b3f66d7a7d07aa1654d1efc6748eec6decac12971ed8dd75ed2e79a16f
SSDEEP: 24576:MwU/UwhWvVXZpSRSJo2xYU4+gd3EqmM4R:MZU8WPgSe+gd3u
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Settings\\Default\\Defender.exe" | Process: Server.exe
  Note: the stock UserInit value is "C:\Windows\system32\userinit.exe," (one entry plus the trailing comma). Winlogon starts every comma-separated entry at interactive logon, so the appended Defender.exe runs at each logon; the real userinit.exe is kept in place so logon still works and nothing looks broken.
Modifies security service (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | Process: Defender.exe
  Note: wscsvc is the Security Center service; Start = 4 is SERVICE_DISABLED, so it will not come up on the next boot.
Windows security bypass / Windows security modification (2 IoCs; the report lists the same two writes under both signature names, see the process tree entry for Defender.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Process: Defender.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Process: Defender.exe
  Note: these keys silence the Security Center "no antivirus" and "updates disabled" balloons. The Wow6432Node path shows the writer is a 32-bit process on the x64 image.
Executes dropped EXE (3 IoCs)
  PID 1104 7za.exe
  PID 1072 Server.exe
  PID 1456 Defender.exe
Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 812 attrib.exe
  PID 720 attrib.exe
UPX packed file (yara rule "upx", 3 IoCs)
  behavioral1/memory/1476-55-0x0000000000400000-0x0000000000494000-memory.dmp
  behavioral1/memory/1476-62-0x0000000000400000-0x0000000000494000-memory.dmp
  behavioral1/memory/1476-72-0x0000000000400000-0x0000000000494000-memory.dmp
  Note: all three matches are in memory dumps of PID 1476, the submitted sample; no UPX hit is reported for the dropped Server.exe or Defender.exe.
Loads dropped DLL (6 IoCs)
  PID 600 cmd.exe (2)
  PID 1476 a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe (2)
  PID 1072 Server.exe (2)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Windows\\Settings\\Default\\Defender.exe" | Process: Server.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Windows\\Settings\\Default\\Defender.exe" | Process: Defender.exe
  Note: the value name "WindowsDefender" and the path under C:\Windows\Settings\Default\ are chosen to look like a Windows component; C:\Windows\Settings is not a directory on a stock Windows 7 install. Defender.exe rewrites the same value after it starts, so deleting the Run entry alone does not remove persistence.
Drops file in Windows directory (3 IoCs)
  File opened for modification C:\Windows\Settings\Default\ | Process: Server.exe
  File created C:\Windows\Settings\Default\Defender.exe | Process: Server.exe
  File opened for modification C:\Windows\Settings\Default\Defender.exe | Process: Server.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: that last sentence is the sandbox's generic description for this signature. Nothing else in this report (no mass file writes, renames or note drops) points to encryption, so treat this as drive enumeration rather than evidence of ransomware.
Runs ping.exe (1 TTP, 1 IoC)
  PID 1484 PING.EXE
  Note: used as a sleep ("ping 127.0.0.1 -n 5") before the del that removes Server.exe; see the process tree.
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  PID 1072 Server.exe enables: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 1456 Defender.exe enables: the same 23 privileges
  Note: enabling the whole set in one pass, SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege included, is the pattern of a process that turns on every privilege present on an elevated token. The entries 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to a name.
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1456 Defender.exe
  Note: the report does not record the hook type, so this on its own does not establish keystroke capture.
Suspicious use of WriteProcessMemory (40 IoCs; each parent/child pair below appears four times in the raw report)
  PID 1476 a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe wrote to memory of 600 (target 27)
  PID 600 cmd.exe wrote to memory of 1104 (target 29)
  PID 1476 a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe wrote to memory of 1072 (target 30)
  PID 1072 Server.exe wrote to memory of 644 (target 31)
  PID 1072 Server.exe wrote to memory of 1764 (target 33)
  PID 644 cmd.exe wrote to memory of 720 (target 36)
  PID 1764 cmd.exe wrote to memory of 812 (target 35)
  PID 1072 Server.exe wrote to memory of 1456 (target 37)
  PID 1072 Server.exe wrote to memory of 2020 (target 39)
  PID 2020 cmd.exe wrote to memory of 1484 (target 40)
  Note: every write here is a parent writing into a child it has just created, which is what process creation looks like on this sandbox; there is no write into a pre-existing process, so this is not evidence of injection into another program.
Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 812 attrib.exe
  PID 720 attrib.exe
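The registry writes above are the ones a responder wants to confirm or hunt for on other hosts. The following is an added example, not code from the report or the sandbox: it parses "Set value" rows in the report's own text shape and flags a non-default Winlogon UserInit, the wscsvc disable, the Security Center notify keys and any Run-key autostart. SAMPLE_EVENTS is constructed from the report's IoC rows plus one benign control line (a stock UserInit value attributed to a made-up "setup-control.exe") that must not be flagged.

```python
"""Flag the persistence and defence-evasion registry writes seen in this report.
Added example; SAMPLE_EVENTS is constructed from the report's IoC rows plus one
benign control line, not pulled from a live system."""
import re
from dataclasses import dataclass
from typing import Optional

# One row per line, in the report's own 'Set value (type) key = "value" process' shape.
# The last line is a constructed benign control (stock UserInit value) and must not be flagged.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Settings\\Default\\Defender.exe" Server.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Defender.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Defender.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Defender.exe
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Windows\\Settings\\Default\\Defender.exe" Server.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," setup-control.exe
'''

EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$'
)

# Stock UserInit: exactly one entry, userinit.exe, followed by a trailing comma.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
SECURITY_CENTER_NOTIFY = {"antivirusdisablenotify", "updatesdisablenotify", "firewalldisablenotify"}


@dataclass
class Finding:
    technique: str
    key: str
    detail: str
    process: str


def _norm_path(p: str) -> str:
    # The sandbox prints backslashes doubled; collapse them and lower-case for comparison.
    return p.replace("\\\\", "\\").strip().lower()


def check_event(vtype: str, key: str, value: str, proc: str) -> Optional[Finding]:
    """Return a Finding for one registry write, or None if it is nothing to act on."""
    k = key.lower()
    leaf = k.rsplit("\\", 1)[-1]
    if k.endswith(r"\winlogon\userinit"):
        # Anything other than the single stock entry is a logon-time persistence hook.
        entries = [_norm_path(e) for e in value.split(",") if e.strip()]
        extra = [e for e in entries if e != DEFAULT_USERINIT]
        if extra:
            return Finding("Winlogon UserInit persistence", key, "appended: " + ", ".join(extra), proc)
        return None
    if k.endswith(r"\services\wscsvc\start") and value.strip() == "4":
        return Finding("Security Center service disabled", key, "Start=4 (SERVICE_DISABLED)", proc)
    if "\\security center\\" in k and leaf in SECURITY_CENTER_NOTIFY and value.strip() == "1":
        return Finding("Security Center notifications suppressed", key, leaf + "=1", proc)
    if "\\currentversion\\run\\" in k:
        # Every Run-key write is worth a look; the detail shows what will start and from where.
        return Finding("Run key autostart", key, leaf + " -> " + _norm_path(value), proc)
    return None


def analyze(text: str) -> list:
    """Run check_event over every 'Set value' row in the text; non-matching lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        f = check_event(m["type"], m["key"], m["value"], m["proc"])
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print("[" + f.technique + "] " + f.process + ": " + f.key + " (" + f.detail + ")")
```

On the report's rows this yields five findings and leaves the control line alone. The UserInit check compares the whole comma-separated list against the single stock entry rather than searching for a known bad path, so it also catches a future variant that appends a different binary.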
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe"
   PID 1476: Loads dropped DLL; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
      PID 600: Loads dropped DLL; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\7za.exe
         command line: "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
         PID 1104: Executes dropped EXE
   2. C:\Users\Admin\AppData\Roaming\Server.exe
      command line: C:\Users\Admin\AppData\Roaming\Server.exe
      PID 1072: Modifies WinLogon for persistence; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h
         PID 644: Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h
            PID 720: Sets file to hidden; Views/modifies file attributes
      3. C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
         PID 1764: Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Users\Admin\AppData\Roaming" +s +h
            PID 812: Sets file to hidden; Views/modifies file attributes
      3. C:\Windows\Settings\Default\Defender.exe
         command line: "C:\Windows\Settings\Default\Defender.exe"
         PID 1456: Modifies security service; Windows security bypass; Executes dropped EXE; Windows security modification; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      3. C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Roaming\Server.exe"
         PID 2020: Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\PING.EXE
            command line: ping 127.0.0.1 -n 5
            PID 1484: Runs ping.exe

Reading the tree: the submitted sample first writes 7za.exe and a password-protected Server.7z to %APPDATA% (7za.exe is counted as a dropped EXE), then calls 7za with "x -y" and the password HVLnt5Dy on the command line to extract Server.exe. Server.exe hides itself and the whole %APPDATA% folder with attrib +s +h, writes Defender.exe under C:\Windows\Settings\Default\, registers the Winlogon UserInit and Run-key persistence, starts Defender.exe, and finally spawns a cmd.exe that sleeps on five pings to localhost before deleting the original Server.exe, so the copy left on disk is only the one posing as a Windows component. Defender.exe then disables the Security Center service and its notifications.

Two details worth keeping in mind when matching this on other hosts: every child image is under C:\Windows\SysWOW64 even though the command lines say System32, so the sample is a 32-bit process running under WOW64 on the x64 image (consistent with the Wow6432Node registry writes); and cmd.exe is launched with /k rather than /c for the attrib and ping steps, so those cmd.exe instances stay alive after the command finishes.
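The parent/child rows in the WriteProcessMemory signature are enough to rebuild this tree without the process list. The following is an added example, not code from the report or the sandbox: it parses deduplicated "wrote to memory of" rows, attaches the command lines from the process list, and tags the staging tricks seen here (password-protected 7z extraction, attrib +s +h, ping-delayed self-delete, execution from C:\Windows\Settings). The rows and command lines are copied from this report; the tag names and the PID-ordered rendering are this example's own choices.

```python
"""Rebuild the process tree from sandbox 'wrote to memory of' rows and tag the
command lines that carry the staging tricks seen in this report. Added example;
the rows and command lines below are copied from the report (deduplicated)."""
import re
from collections import defaultdict

SAMPLE = "a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe"

# The report prints each parent/child pair four times; one copy is enough to build the tree.
WPM_ROWS = """
PID 1476 wrote to memory of 600
PID 600 wrote to memory of 1104
PID 1476 wrote to memory of 1072
PID 1072 wrote to memory of 644
PID 1072 wrote to memory of 1764
PID 644 wrote to memory of 720
PID 1764 wrote to memory of 812
PID 1072 wrote to memory of 1456
PID 1072 wrote to memory of 2020
PID 2020 wrote to memory of 1484
"""

# Command lines from the report's process list, keyed by PID.
CMDLINES = {
    1476: '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"',
    600: 'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Roaming\\7za.exe" "x" "-y" '
         '"C:\\Users\\Admin\\AppData\\Roaming\\Server.7z" "-pHVLnt5Dy""',
    1104: '"C:\\Users\\Admin\\AppData\\Roaming\\7za.exe" "x" "-y" "C:\\Users\\Admin\\AppData\\Roaming\\Server.7z" "-pHVLnt5Dy"',
    1072: 'C:\\Users\\Admin\\AppData\\Roaming\\Server.exe',
    644: '"C:\\Windows\\System32\\cmd.exe" /k attrib "C:\\Users\\Admin\\AppData\\Roaming\\Server.exe" +s +h',
    720: 'attrib "C:\\Users\\Admin\\AppData\\Roaming\\Server.exe" +s +h',
    1764: '"C:\\Windows\\System32\\cmd.exe" /k attrib "C:\\Users\\Admin\\AppData\\Roaming" +s +h',
    812: 'attrib "C:\\Users\\Admin\\AppData\\Roaming" +s +h',
    1456: '"C:\\Windows\\Settings\\Default\\Defender.exe"',
    2020: '"C:\\Windows\\System32\\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\\Users\\Admin\\AppData\\Roaming\\Server.exe"',
    1484: 'ping 127.0.0.1 -n 5',
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_parents(text: str) -> dict:
    """Map child PID -> parent PID. On this sandbox every CreateProcess shows up as the parent
    writing into the new child's memory, so the rows double as a process tree. A write into a
    process that already existed would be real injection and would also show up here."""
    parents = {}
    for m in WPM_RE.finditer(text):
        parent, child = int(m.group(1)), int(m.group(2))
        parents.setdefault(child, parent)  # first writer wins; later rows are repeats
    return parents


def find_roots(parents: dict, pids) -> list:
    return sorted(p for p in pids if p not in parents)


def depth(parents: dict, pid: int) -> int:
    d = 0
    while pid in parents:
        pid, d = parents[pid], d + 1
    return d


def classify(cmdline: str) -> list:
    """Tag a command line with the staging behaviours this report shows."""
    c = cmdline.lower()
    tags = []
    if "7za" in c and re.search(r"-p\S+", c):
        tags.append("password-protected archive extraction")
    if "attrib" in c and "+h" in c:
        tags.append("hides target via attrib +h" + (" +s" if "+s" in c else ""))
    if "ping" in c and "&" in c and re.search(r"\bdel\s", c):
        tags.append("delayed self-delete")  # ping -n N as a sleep, then del
    if "\\windows\\settings\\" in c:
        tags.append("runs from C:\\Windows\\Settings (not a stock Windows directory)")
    return tags


def render_tree(parents: dict, cmdlines: dict) -> list:
    """Return one indented line per process, children in PID order (not launch order)."""
    children = defaultdict(list)
    for child, parent in parents.items():
        children[parent].append(child)
    lines = []

    def walk(pid: int, level: int) -> None:
        tags = classify(cmdlines.get(pid, ""))
        suffix = "  [" + "; ".join(tags) + "]" if tags else ""
        lines.append("  " * level + str(pid) + " " + cmdlines.get(pid, "?") + suffix)
        for c in sorted(children[pid]):
            walk(c, level + 1)

    for root in find_roots(parents, set(cmdlines) | set(parents)):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(parse_parents(WPM_ROWS), CMDLINES)))
```

Run stand-alone it prints the eleven processes under the single root PID 1476 with the tags beside the lines that earn them; the plain "ping 127.0.0.1 -n 5" child gets no tag because the self-delete pattern needs the ping, the ampersand and the del together in one command line.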
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Three distinct files; the report repeats their hashes 12 times in total (7, 4 and 1 entries respectively).
Filesize: 324KB (listed 7 times)
MD5: 95bd901b4f98d5a8808ea83ccc241f96
SHA1: 34e717f505454e275724f1fe4eddf56603f6f5df
SHA256: 3c7648d4ea2e14ce7a58cded0add16c588a1e1e158fb230430c1c9d273d1fea6
SHA512: 6092d94dbb2053e0db74190302cc7317b4f6682a7ffc4b79c8a8af90526dbf7411b874cf582fab6d35d927d189bcf7d67e9ea1c2b2c36deb6febb0c0210ac849
-
Filesize: 574KB (listed 4 times)
MD5: 42badc1d2f03a8b1e4875740d3d49336
SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
Filesize: 240KB (listed once)
MD5: 61d5a8b12b8fe537fa48fe2952b685d5
SHA1: a19742e04e216291b0023719be3fb7b66eed6ad6
SHA256: 60db39b6a9d10b00ab9e9b5557089db0b2ae9ec511d709285492a8d829c67de3
SHA512: 5141193b428b05ff09f5d20303029400c3689899c5a5cd8479757f4ee013af553ed134ac14c655c0491ed24d71531b61bca749dc9ed64cc3a19e6937cbec415c