db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903

Analysis

max time kernel
13s
max time network
15s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 16:42

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe
Size

76KB
MD5

6fee47db2a97269205a07d2679a6df32
SHA1

fc367ac7272845ef6669131eb52083f1a427f5c9
SHA256

db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903
SHA512

56591f4238d2b484c0e560f5409985a489013bbbf836afc728f9e54309eb4d6bb92aae58a0c561373127a9f17809d2876876758bb9dd8ee6a64ff4ef436d5358
SSDEEP

768:U6xSRbJevhW4ubRhe9ptU96V6NJvGyFU7bS08ZPzHNYM/rrNs/sHziglCkC5HVY6:aJev3S7erWoVi/GbT8LHNnrrqcVGHyP

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
856	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\1118331324 = "C:\\Users\\Admin\\1118331324.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe
Token: SeShutdownPrivilege	1668	shutdown.exe
Token: SeRemoteShutdownPrivilege	1668	shutdown.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1252	1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe	27
PID 1768 wrote to memory of 1252	1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe	27
PID 1768 wrote to memory of 1252	1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe	27
PID 1768 wrote to memory of 1252	1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe	27
PID 1252 wrote to memory of 2040	1252	cmd.exe	29
PID 1252 wrote to memory of 2040	1252	cmd.exe	29
PID 1252 wrote to memory of 2040	1252	cmd.exe	29
PID 1252 wrote to memory of 2040	1252	cmd.exe	29
PID 1768 wrote to memory of 1668	1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe	30
PID 1768 wrote to memory of 1668	1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe	30
PID 1768 wrote to memory of 1668	1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe	30
PID 1768 wrote to memory of 1668	1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe	30
PID 1768 wrote to memory of 856	1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe	32
PID 1768 wrote to memory of 856	1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe	32
PID 1768 wrote to memory of 856	1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe	32
PID 1768 wrote to memory of 856	1768	db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe	32

C:\Users\Admin\AppData\Local\Temp\db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe
"C:\Users\Admin\AppData\Local\Temp\db6eb90fa6dd16cde934c4d2efd60d8dc17cf997ba3a8dc72b8e4bccf3837903.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 1118331324 /t REG_SZ /d "%userprofile%\1118331324.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 1118331324 /t REG_SZ /d "C:\Users\Admin\1118331324.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2040
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /f /t 3
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DB6EB9~1.EXE > nul
  2⤵
  - Deletes itself
  PID:856

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1644

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1644-61-0x000007FEFB621000-0x000007FEFB623000-memory.dmp

Filesize
8KB

Download
memory/1768-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1768-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1768-59-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download