Analysis

max time kernel: 150s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 21-10-2022 03:46
Static task: static1

Behavioral task: behavioral1
Sample: 533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe
Resource: win10v2004-20220901-en
General

Target: 533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe
Size: 201KB
MD5: 579571d4c079fa8ae6a167eeb42eda30
SHA1: ce49d258e24df707fb9f0b9ccaff8d0de3fde193
SHA256: 533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6
SHA512: c19db5a08613ed7e4b360d32f209c70cfa33bb7ba0c0e816bc854671998fa4e76f9e7bb081d6b7d3684deac980d3747e2fa58c8e958db85bdc0ced4566b90337
SSDEEP: 6144:Hza2Nj+MLxwkcWTq/81DDiSTz9nqEja3TXU0xtFG:HqEjk7l7FG
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  1756  security.exe
  1440  security.exe

  resource                                                                      yara_rule
  behavioral1/memory/1036-59-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1036-61-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1036-62-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1036-65-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1036-66-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1036-69-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1036-108-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/1440-110-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/1440-112-0x0000000000400000-0x000000000040B000-memory.dmp  upx

Loads dropped DLL (5 IoCs)
  pid   Process
  1036  533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe   (5 identical entries)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created (reg.exe):
    \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str) (reg.exe):
    \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\security.exe"

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid   Process                                                                 procid_target
  PID 1348 set thread context of 1036   1348  533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe   27
  PID 1756 set thread context of 1440   1756  security.exe                                                            32
  PID 1756 set thread context of 1496   1756  security.exe                                                            33
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1440  security.exe   (64 identical entries)
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  1348  533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe
  1036  533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe
  1756  security.exe
  1440  security.exe
Suspicious use of WriteProcessMemory (37 IoCs; identical entries collapsed, repetitions in the count column)
  description                         pid   Process                                                                 procid_target  count
  PID 1348 wrote to memory of 1036    1348  533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe   27             8
  PID 1036 wrote to memory of 536     1036  533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe   28             4
  PID 536 wrote to memory of 560      536   cmd.exe                                                                 30             4
  PID 1036 wrote to memory of 1756    1036  533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe   31             4
  PID 1756 wrote to memory of 1440    1756  security.exe                                                            32             8
  PID 1756 wrote to memory of 1496    1756  security.exe                                                            33             9
Processes (process tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe  (PID 1348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe  (PID 1036)
      Command line: "C:\Users\Admin\AppData\Local\Temp\533cb956f9fef6c4f31e98aff2f29e124bf87c14db4e76ae7bb3828a618bbee6.exe"
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 536)
          Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\AWVMC.bat" "
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe  (PID 560)
              Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Security" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Security\security.exe" /f
              - Adds Run key to start application

        C:\Users\Admin\AppData\Roaming\Security\security.exe  (PID 1756)
          Command line: "C:\Users\Admin\AppData\Roaming\Security\security.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\Security\security.exe  (PID 1440)
              Command line: "C:\Users\Admin\AppData\Roaming\Security\security.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx

            C:\Windows\explorer.exe  (PID 1496)
              Command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 147B
MD5: 6f473a1ba53e043362047f72e20b34f4
SHA1: e8f121a589e1207ed950453376ee1d21b1223835
SHA256: 5fbce2c77a90ba9edbcf60be3851ab81633b7c10b1babb624d475c7be589de4b
SHA512: b4976d40bc708ae6cddf367a5382cd532e4cf235b848cdaa4e4d317e06d9126e50745a7772591bc21dc7380689f4399e57501b0aa73cd231bce32e22d53b0818

Filesize: 201KB
MD5: 919aa4c69ed5897ce9a5da3a2a6bcb91
SHA1: baa1159451c70b8b293b1ef6834d5d5abaed6330
SHA256: d3245c43bcf2831e084cc4cd697d03d6ca16586cb794e89ebbfa2e7bc33bc974
SHA512: b686aca73700b5b6b10826c815fb05173b584686dc737336bb448090c9a22f88ae13305f25f955f09361177ef1c4ca23b3a4073396f9bd785f4093b1d9e6e17d