Analysis
- Max time kernel: 149s
- Max time network: 151s
- Platform: windows7_x64
- Resource: win7-20220901-en
- Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- Submitted: 19-10-2022 22:30
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
  - Resource: win7-20220901-en

Behavioral task
- behavioral2
  - Sample: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
  - Resource: win10v2004-20220901-en
General
- Target: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
- Size: 293KB
- MD5: 5090efbff6669644e61b70a6614e53b0
- SHA1: eac8dc59f54f265fa2e71a265c42299f34378034
- SHA256: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157
- SHA512: ed8dc4df183e89fadaf2691a74822ee225893891a413164a9539c50da1fbcfdfd3b3b3fe497d31830d09e8eaa3bad1ef21d275ab56fa47a374a1a784c4d8ae49
- SSDEEP: 6144:bpJXZO9tcfeMV8vOOrrN051yp2p6FEgN/hVvJy44ALvremUYDQctl:bP1feGIN054b5/vJyF0remUTI
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  - PID 668: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 1324: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
  - PID 1324: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  - Description: Set value (str)
    IoC: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MsMpEng.exe"
    Process: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  - PID 668: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  - PID 668: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 1324: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
  - Token: SeDebugPrivilege, PID 668: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
  - Token: SeDebugPrivilege, PID 668: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  - PID 668: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 1324 wrote to memory of 668: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe -> 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe (4 events)
  - PID 1324 wrote to memory of 2040: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe -> cmd.exe (4 events)
  - PID 2040 wrote to memory of 1224: cmd.exe -> PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe"
  PID: 1324
  Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157\78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157\78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe"
    PID: 668
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe"
    PID: 2040
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 1000
      PID: 1224
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157\78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
  - Filesize: 293KB
  - MD5: 5090efbff6669644e61b70a6614e53b0
  - SHA1: eac8dc59f54f265fa2e71a265c42299f34378034
  - SHA256: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157
  - SHA512: ed8dc4df183e89fadaf2691a74822ee225893891a413164a9539c50da1fbcfdfd3b3b3fe497d31830d09e8eaa3bad1ef21d275ab56fa47a374a1a784c4d8ae49
- \Users\Admin\AppData\Local\Temp\78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157\78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157.exe
  - Filesize: 293KB
  - MD5: 5090efbff6669644e61b70a6614e53b0
  - SHA1: eac8dc59f54f265fa2e71a265c42299f34378034
  - SHA256: 78258cd30bee8c94d94b4835d991c04c5a86b991eb6b25e38fb2835874010157
  - SHA512: ed8dc4df183e89fadaf2691a74822ee225893891a413164a9539c50da1fbcfdfd3b3b3fe497d31830d09e8eaa3bad1ef21d275ab56fa47a374a1a784c4d8ae49