Analysis

max time kernel: 159s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 04:51
Behavioral task: behavioral1
Sample: a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe
Resource: win7-20220812-en
General

Target: a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe
Size: 811KB
MD5: 17c23bc043edc7413d8f8e09fd7d322b
SHA1: eacb3548cb1f816334afb8889a68f007ca824f64
SHA256: a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8
SHA512: 7fe6fa6cf2f6892d9b6c8b674dcba8e6dceb1c235ffc5929b909cc2a7c2cbeb8529044b3f66d7a7d07aa1654d1efc6748eec6decac12971ed8dd75ed2e79a16f
SSDEEP: 24576:MwU/UwhWvVXZpSRSJo2xYU4+gd3EqmM4R:MZU8WPgSe+gd3u
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Settings\\Default\\Defender.exe" | Server.exe

Modifies security service (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | Defender.exe

Windows security bypass (the page lost this heading; the name is taken from the Defender.exe entry in the process tree below)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Defender.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Defender.exe

Executes dropped EXE (3 IoCs)
  pid | process
  1416 | 7za.exe
  2908 | Server.exe
  2768 | Defender.exe

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid | process
  4276 | attrib.exe
  1692 | attrib.exe

YARA rule matches (the page lost the heading for these rows)
  resource | yara_rule
  behavioral2/memory/2256-132-0x0000000000400000-0x0000000000494000-memory.dmp | upx
  behavioral2/memory/2256-133-0x0000000000400000-0x0000000000494000-memory.dmp | upx
  behavioral2/memory/2256-144-0x0000000000400000-0x0000000000494000-memory.dmp | upx

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | Server.exe

Windows security modification (the page lost this heading; the name is taken from the Defender.exe entry in the process tree below)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Defender.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Defender.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Windows\\Settings\\Default\\Defender.exe" | Server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Windows\\Settings\\Default\\Defender.exe" | Defender.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | process
  File created | C:\Windows\Settings\Default\Defender.exe | Server.exe
  File opened for modification | C:\Windows\Settings\Default\Defender.exe | Server.exe
  File opened for modification | C:\Windows\Settings\Default\ | Server.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Server.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid | process
  3988 | PING.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  2768 | Defender.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Each of the two processes below enables the same 24 token privileges.
  Server.exe (PID 2908): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  Defender.exe (PID 2768): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  2768 | Defender.exe

Suspicious use of WriteProcessMemory (30 IoCs)
  The report records each of the ten parent/child relations below three times.
  description | pid | process | procid_target
  PID 2256 wrote to memory of 852 | 2256 | a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe | 83
  PID 852 wrote to memory of 1416 | 852 | cmd.exe | 85
  PID 2256 wrote to memory of 2908 | 2256 | a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe | 86
  PID 2908 wrote to memory of 3768 | 2908 | Server.exe | 88
  PID 2908 wrote to memory of 1392 | 2908 | Server.exe | 90
  PID 1392 wrote to memory of 4276 | 1392 | cmd.exe | 92
  PID 3768 wrote to memory of 1692 | 3768 | cmd.exe | 93
  PID 2908 wrote to memory of 2768 | 2908 | Server.exe | 94
  PID 2908 wrote to memory of 3284 | 2908 | Server.exe | 95
  PID 3284 wrote to memory of 3988 | 3284 | cmd.exe | 97

Views/modifies file attributes (1 TTP, 2 IoCs)
  pid | process
  4276 | attrib.exe
  1692 | attrib.exe
Processes

Process tree (indentation shows parent/child depth; each entry lists image path, command line, PID and the signatures that fired for it):

[1] C:\Users\Admin\AppData\Local\Temp\a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe"
    PID: 2256
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
        PID: 852
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\7za.exe
            Command line: "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
            PID: 1416
            - Executes dropped EXE

    [2] C:\Users\Admin\AppData\Roaming\Server.exe
        Command line: C:\Users\Admin\AppData\Roaming\Server.exe
        PID: 2908
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h
            PID: 3768
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe
                Command line: attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h
                PID: 1692
                - Sets file to hidden
                - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
            PID: 1392
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe
                Command line: attrib "C:\Users\Admin\AppData\Roaming" +s +h
                PID: 4276
                - Sets file to hidden
                - Views/modifies file attributes

        [3] C:\Windows\Settings\Default\Defender.exe
            Command line: "C:\Windows\Settings\Default\Defender.exe"
            PID: 2768
            - Modifies security service
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Adds Run key to start application
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Roaming\Server.exe"
            PID: 3284
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\PING.EXE
                Command line: ping 127.0.0.1 -n 5
                PID: 3988
                - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped/downloaded files as listed in the report (file paths were not preserved on the page; several entries carry identical hashes):

Filesize | MD5 | SHA1 | SHA256 | SHA512
324KB | 95bd901b4f98d5a8808ea83ccc241f96 | 34e717f505454e275724f1fe4eddf56603f6f5df | 3c7648d4ea2e14ce7a58cded0add16c588a1e1e158fb230430c1c9d273d1fea6 | 6092d94dbb2053e0db74190302cc7317b4f6682a7ffc4b79c8a8af90526dbf7411b874cf582fab6d35d927d189bcf7d67e9ea1c2b2c36deb6febb0c0210ac849
574KB | 42badc1d2f03a8b1e4875740d3d49336 | cee178da1fb05f99af7a3547093122893bd1eb46 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf | 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
574KB | 42badc1d2f03a8b1e4875740d3d49336 | cee178da1fb05f99af7a3547093122893bd1eb46 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf | 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
240KB | 61d5a8b12b8fe537fa48fe2952b685d5 | a19742e04e216291b0023719be3fb7b66eed6ad6 | 60db39b6a9d10b00ab9e9b5557089db0b2ae9ec511d709285492a8d829c67de3 | 5141193b428b05ff09f5d20303029400c3689899c5a5cd8479757f4ee013af553ed134ac14c655c0491ed24d71531b61bca749dc9ed64cc3a19e6937cbec415c
324KB | 95bd901b4f98d5a8808ea83ccc241f96 | 34e717f505454e275724f1fe4eddf56603f6f5df | 3c7648d4ea2e14ce7a58cded0add16c588a1e1e158fb230430c1c9d273d1fea6 | 6092d94dbb2053e0db74190302cc7317b4f6682a7ffc4b79c8a8af90526dbf7411b874cf582fab6d35d927d189bcf7d67e9ea1c2b2c36deb6febb0c0210ac849
324KB | 95bd901b4f98d5a8808ea83ccc241f96 | 34e717f505454e275724f1fe4eddf56603f6f5df | 3c7648d4ea2e14ce7a58cded0add16c588a1e1e158fb230430c1c9d273d1fea6 | 6092d94dbb2053e0db74190302cc7317b4f6682a7ffc4b79c8a8af90526dbf7411b874cf582fab6d35d927d189bcf7d67e9ea1c2b2c36deb6febb0c0210ac849
324KB | 95bd901b4f98d5a8808ea83ccc241f96 | 34e717f505454e275724f1fe4eddf56603f6f5df | 3c7648d4ea2e14ce7a58cded0add16c588a1e1e158fb230430c1c9d273d1fea6 | 6092d94dbb2053e0db74190302cc7317b4f6682a7ffc4b79c8a8af90526dbf7411b874cf582fab6d35d927d189bcf7d67e9ea1c2b2c36deb6febb0c0210ac849