Analysis
-
max time kernel
150s -
max time network
66s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
11-10-2022 17:38
Static task
static1
Behavioral task
behavioral1
Sample
d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Resource
win10v2004-20220901-en
General
-
Target
d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
-
Size
277KB
-
MD5
6b18605075467a654300af5153d23a00
-
SHA1
8c97e30c945ccb0c4ab7981fc0fb1c78c7dc3f7b
-
SHA256
d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64
-
SHA512
3272111f1b95f74c4a12c9eebe07d9de23a0281b9e3367bda21da87661b96c243d016d2c93bb49f56d9af1c1b9812b8f8dfa091db97874ae34881bdc6e31447b
-
SSDEEP
6144:1q5+zFvSFCiTGVnyA4sdQSCWYcowHIXky7i7bOjytTfLdhOctlrBm:1q45vLAGt3N2SuR7aOjytPOIrBm
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid  process
1992 d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
-
Deletes itself 1 IoCs
Processes:
pid  process
1420 cmd.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid  process
1676 d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
1676 d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service Host Local Service (8) = "C:\\Users\\Admin\\AppData\\Local\\Service Host\\Svchost.exe"  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service Host Local Service (8) = "\\Service Host\\Svchost.exe"  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid  process
1992 d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1676  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Token: SeDebugPrivilege  1992  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid  process
1992 d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description  pid  process  target process
PID 1676 wrote to memory of 1992  1676  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
PID 1676 wrote to memory of 1992  1676  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
PID 1676 wrote to memory of 1992  1676  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
PID 1676 wrote to memory of 1992  1676  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
PID 1676 wrote to memory of 1420  1676  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  cmd.exe
PID 1676 wrote to memory of 1420  1676  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  cmd.exe
PID 1676 wrote to memory of 1420  1676  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  cmd.exe
PID 1676 wrote to memory of 1420  1676  d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  cmd.exe
PID 1420 wrote to memory of 2012  1420  cmd.exe  PING.EXE
PID 1420 wrote to memory of 2012  1420  cmd.exe  PING.EXE
PID 1420 wrote to memory of 2012  1420  cmd.exe  PING.EXE
PID 1420 wrote to memory of 2012  1420  cmd.exe  PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe"
Depth: 1
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe"
Depth: 2
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1992
-
-
C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe"
Depth: 2
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\PING.EXE
Command line: ping 1.1.1.1 -n 1 -w 1000
Depth: 3
- Runs ping.exe
PID:2012
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 60KB
MD5 d15aaa7c9be910a9898260767e2490e1
SHA1 2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388
SHA256 f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e
SHA512 7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 2ff5b1fd336ba050070e332d35f23b66
SHA1 71af5a4d95bf397713d4ce65e9757e3ec3886190
SHA256 76109b2a5e86e23d14e0a3ff43387d78b8409b98204f598a9705e66d78f37167
SHA512 60970dd15b0ebcc01dd3c9a852a42658b53179907832926751aafc1881f68318539d629209feae1d5311c1f90e0f86a1ead58ae44aba72340b313f9e46eb7dff
-
C:\Users\Admin\AppData\Local\Temp\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Filesize 277KB
MD5 6b18605075467a654300af5153d23a00
SHA1 8c97e30c945ccb0c4ab7981fc0fb1c78c7dc3f7b
SHA256 d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64
SHA512 3272111f1b95f74c4a12c9eebe07d9de23a0281b9e3367bda21da87661b96c243d016d2c93bb49f56d9af1c1b9812b8f8dfa091db97874ae34881bdc6e31447b
-
\Users\Admin\AppData\Local\Temp\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Filesize 277KB
MD5 6b18605075467a654300af5153d23a00
SHA1 8c97e30c945ccb0c4ab7981fc0fb1c78c7dc3f7b
SHA256 d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64
SHA512 3272111f1b95f74c4a12c9eebe07d9de23a0281b9e3367bda21da87661b96c243d016d2c93bb49f56d9af1c1b9812b8f8dfa091db97874ae34881bdc6e31447b