Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-10-2022 21:51

Behavioral task: behavioral1
Sample: 3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Resource: win7-20220812-en (windows7-x64)
6 signatures
150 seconds
General
Target: 3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Size: 691KB
MD5: a0225368087bee96ce530d10cc9dc300
SHA1: 89438fe4a2c079ec4fe5e0ca439d3dcec6926c55
SHA256: 3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58
SHA512: 2ea3c7ae1c20bff1b65736ccc8574333222bf2303fc27c9ad9b794e729361372daa0fa6e182ab0c255118b74b2dabe567f51659db9649ceeccb417029a2ef6e4
SSDEEP: 12288:QXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Uq:2nAw2WWeFcfbP9VPSPMTSPL/rWvzq4J6
Malware Config
Signatures

Windows security bypass
Processes:
  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    description      ioc                                                                                            process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe

Windows security modification
Processes:
  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    description      ioc                                                                                            process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken  (24 IoCs)
Processes:
  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    description                         pid   process
    Token: SeIncreaseQuotaPrivilege     1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeSecurityPrivilege          1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeTakeOwnershipPrivilege     1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeLoadDriverPrivilege        1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeSystemProfilePrivilege     1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeSystemtimePrivilege        1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeProfSingleProcessPrivilege 1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeIncBasePriorityPrivilege   1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeCreatePagefilePrivilege    1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeBackupPrivilege            1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeRestorePrivilege           1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeShutdownPrivilege          1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeDebugPrivilege             1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeSystemEnvironmentPrivilege 1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeChangeNotifyPrivilege      1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeRemoteShutdownPrivilege    1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeUndockPrivilege            1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeManageVolumePrivilege      1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeImpersonatePrivilege       1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: SeCreateGlobalPrivilege      1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: 33                           1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: 34                           1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: 35                           1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    Token: 36                           1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe

Suspicious use of SetWindowsHookEx  (1 IoCs)
Processes:
  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
    pid   process
    1388  3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Processes
C:\Users\Admin\AppData\Local\Temp\3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe"
  Signatures:
  - Windows security bypass
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx