6a366b9f91181a8f506df3fef2f2278eb46c9eae6f2b4714b747bd6c4b2f3f94

Analysis

max time kernel
149s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 23:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

113KB
MD5

de9195488291dc32dcdf0ab004bd32ca
SHA1

dec8d8a77c0aa288312a6638e484cf783b74cf39
SHA256

3042045748f2ec882a9bde3cf45ccb789b666b3dc6a362d052fbc8e45a1325f2
SHA512

24d45709ba956253879e050030db92fd104440c93c2fc70a0426eb4e38253fac27f608968f264a080205fac2fc5f882ab8ed92b79f41a43a3372e2f50dfdd7eb
SSDEEP

3072:XGNMNOfWHJ9PKSUJHYpeKCbC868B3Ib8VBnfLjxdClmWCKV6gtol:XGNMN1p9PR0H2ejB68Bs8fnDSlyKVl

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2036	config.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1164	netsh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe
2036	config.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	config.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2036	1632	Server.exe	28
PID 1632 wrote to memory of 2036	1632	Server.exe	28
PID 1632 wrote to memory of 2036	1632	Server.exe	28
PID 2036 wrote to memory of 1164	2036	config.exe	29
PID 2036 wrote to memory of 1164	2036	config.exe	29
PID 2036 wrote to memory of 1164	2036	config.exe	29

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\ProgramData\config.exe
  "C:\ProgramData\config.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\config.exe" "config.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\config.exe

Filesize
113KB

MD5
de9195488291dc32dcdf0ab004bd32ca

SHA1
dec8d8a77c0aa288312a6638e484cf783b74cf39

SHA256
3042045748f2ec882a9bde3cf45ccb789b666b3dc6a362d052fbc8e45a1325f2

SHA512
24d45709ba956253879e050030db92fd104440c93c2fc70a0426eb4e38253fac27f608968f264a080205fac2fc5f882ab8ed92b79f41a43a3372e2f50dfdd7eb

Download Submit
C:\ProgramData\config.exe

Filesize
113KB

MD5
de9195488291dc32dcdf0ab004bd32ca

SHA1
dec8d8a77c0aa288312a6638e484cf783b74cf39

SHA256
3042045748f2ec882a9bde3cf45ccb789b666b3dc6a362d052fbc8e45a1325f2

SHA512
24d45709ba956253879e050030db92fd104440c93c2fc70a0426eb4e38253fac27f608968f264a080205fac2fc5f882ab8ed92b79f41a43a3372e2f50dfdd7eb

Download Submit
memory/1632-54-0x000007FEF4280000-0x000007FEF4CA3000-memory.dmp

Filesize
10.1MB

Download
memory/1632-56-0x000007FEEEC10000-0x000007FEEFCA6000-memory.dmp

Filesize
16.6MB

Download
memory/1632-57-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

Filesize
8KB

Download
memory/2036-61-0x000007FEF5160000-0x000007FEF5B83000-memory.dmp

Filesize
10.1MB

Download
memory/2036-62-0x000007FEF66F0000-0x000007FEF6BB0000-memory.dmp

Filesize
4.8MB

Download
memory/2036-63-0x000007FEEDB70000-0x000007FEEEC06000-memory.dmp

Filesize
16.6MB

Download
memory/2036-66-0x0000000000566000-0x0000000000585000-memory.dmp

Filesize
124KB

Download
memory/2036-67-0x0000000000566000-0x0000000000585000-memory.dmp

Filesize
124KB

Download