Analysis
Max time kernel: 153s
Max time network: 46s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 29-10-2022 14:59
Static task: static1
Behavioral task: behavioral1
  Sample: a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
  Resource: win10v2004-20220901-en
General
Target: a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
Size: 475KB
MD5: 4473bc09f2f358973b05ab262aa80650
SHA1: 1fcb71d2f5a3d8ac397827b1db17a9a24a0fac73
SHA256: a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a
SHA512: b535af19233cf9553d08f1830959b6773dc3191865def29b5d814ae31831bc9da86d168d2b5459664aacea33945cdf53e8f192b8d7c7078df54962b2791e015f
SSDEEP: 6144:HjmQ2sdoE4duLm3P2g5KYuxvWJH5ogtpLAKXDU89ZEs9UctljtdduYWfYXPLtMp:HjmQ2vSLy2NVwZogLLDB5UIjdnH
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 948  a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe

Deletes itself (1 IoC)
  PID 1568  cmd.exe
  (cmd.exe is spawned by the original process, PID 828, to delete that process's own image; see the command line in the process tree)

Loads dropped DLL (4 IoCs)
  PID 828  a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
  PID 948  a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
  PID 948  a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
  PID 948  a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe (PID 948 per the process tree)
  Set value (str):
  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate2 = "C:\\Users\\Admin\\AppData\\Roaming\\Critical Updates\\WindowsDefenderUpdater.exe"
  (the persistence target sits in the user's Roaming AppData under a Windows Defender-sounding name; no file at that path appears in the Downloads list below, only the Temp copy was captured)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (sandbox heuristic description; no IoC is attached to this signature)

Runs ping.exe (1 TTP, 1 IoC)
  PID 1412  PING.EXE (see process tree)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 948  a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 828  a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
  Token: SeDebugPrivilege  PID 948  a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
  Token: SeDebugPrivilege  PID 948  a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 948  a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  PID 828 (a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe) wrote to memory of PID 948 (a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe), 7 times
  PID 828 (a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe) wrote to memory of PID 1568 (cmd.exe), 7 times
  PID 1568 (cmd.exe) wrote to memory of PID 1412 (PING.EXE), 7 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe"
   PID: 828
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe  (child of PID 828)
      Command line: "C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe"
      PID: 948
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

   2. C:\Windows\SysWOW64\cmd.exe  (child of PID 828)
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe"
      PID: 1568
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE  (child of PID 1568)
         Command line: ping 1.1.1.1 -n 1 -w 1000
         PID: 1412
         - Runs ping.exe
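The tree above records the three behaviours a detection engineer would want to alert on outside the sandbox: the submitted binary (PID 828) re-launching a same-named copy of itself from a same-named Temp subdirectory (PID 948; the Downloads list shows the copy has identical hashes to the original), a cmd.exe child (PID 1568) that pings once as a delay and then deletes the parent's own image, and a Run key value pointing into the user's Roaming AppData. The Python below is an added example, not part of the sandbox report and not the sandbox's own detection logic; it runs those three checks over constructed process and registry events that mirror the PIDs, paths and command lines above. The event field names (pid, ppid, image, cmdline, key, value_name, value_data) and the parent PID 600 for the first process are assumptions of the example.

```python
"""Three detections for the behaviours in the report's process tree (added example).

Event field names are assumed for this example; they are not fields of the sandbox report.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable image
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str
    value_name: str
    value_data: str


# Constructed events mirroring the tree above (828 -> 948, 828 -> 1568 -> 1412); ppid 600 is assumed.
SAMPLE = "a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ORIGINAL = TEMP + "\\" + SAMPLE                    # the submitted file
COPY = TEMP + "\\" + SAMPLE[:-4] + "\\" + SAMPLE   # the dropped copy in a same-named subdirectory

PROC_EVENTS = [
    ProcEvent(828, 600, ORIGINAL, '"' + ORIGINAL + '"'),
    ProcEvent(948, 828, COPY, '"' + COPY + '"'),
    ProcEvent(1568, 828, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "' + ORIGINAL + '"'),
    ProcEvent(1412, 1568, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 1 -w 1000"),
]
REG_EVENTS = [
    RegEvent(948,
             r"\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000"
             r"\Software\Microsoft\Windows\CurrentVersion\Run",
             "WinUpdate2",
             r"C:\Users\Admin\AppData\Roaming\Critical Updates\WindowsDefenderUpdater.exe"),
]

# "ping <host> -n N -w MS > Nul & Del <path>": ping used as a sleep, then a delete at end of line.
SELF_DELETE_RE = re.compile(
    r'ping\s+\S+\s+-n\s+\d+\s+-w\s+\d+\s*>\s*nul\s*&+\s*del\s+"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)
# Path fragments a standard user can write to; a Run value pointing here is worth a look.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def find_relaunched_copies(events):
    """(parent_pid, child_pid) where the child image has the parent's file name but another path."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        same_name = ntpath.basename(e.image).lower() == ntpath.basename(parent.image).lower()
        if same_name and e.image.lower() != parent.image.lower():
            hits.append((parent.pid, e.pid))
    return hits


def find_self_delete(events):
    """(cmd_pid, deleted_path, deletes_parent_image) for each ping-then-del command line.

    The idiom alone is only suspicious; it is strong evidence when the deleted path is the
    image of the process that spawned cmd.exe, i.e. the parent erasing its own binary.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = SELF_DELETE_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(e.ppid)
        deletes_parent = parent is not None and parent.image.lower() == target.lower()
        hits.append((e.pid, target, deletes_parent))
    return hits


def find_suspicious_run_keys(reg_events):
    """(pid, value_name, value_data) for Run/RunOnce values whose target is in a user-writable path."""
    hits = []
    for r in reg_events:
        if RUN_KEY_RE.search(r.key) and any(m in r.value_data.strip('"').lower() for m in USER_WRITABLE):
            hits.append((r.pid, r.value_name, r.value_data))
    return hits


if __name__ == "__main__":
    print("relaunched copies:", find_relaunched_copies(PROC_EVENTS))
    print("ping-then-del:", find_self_delete(PROC_EVENTS))
    print("Run keys:", find_suspicious_run_keys(REG_EVENTS))
```

The self-delete check deliberately requires the deleted path to equal the parent's image before it reports `True`; a bare `ping ... & del` match is kept in the output but flagged `False`, since the same idiom appears in legitimate uninstallers. On real telemetry, feed the same tuples from Sysmon event ID 1 (process create) and 13 (registry value set).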
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
  Filesize: 475KB
  MD5: 4473bc09f2f358973b05ab262aa80650
  SHA1: 1fcb71d2f5a3d8ac397827b1db17a9a24a0fac73
  SHA256: a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a
  SHA512: b535af19233cf9553d08f1830959b6773dc3191865def29b5d814ae31831bc9da86d168d2b5459664aacea33945cdf53e8f192b8d7c7078df54962b2791e015f
  (hashes identical to the submitted sample: the dropped executable is a byte-for-byte copy of the original)
\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
  Filesize: 475KB
  MD5: 4473bc09f2f358973b05ab262aa80650
  SHA1: 1fcb71d2f5a3d8ac397827b1db17a9a24a0fac73
  SHA256: a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a
  SHA512: b535af19233cf9553d08f1830959b6773dc3191865def29b5d814ae31831bc9da86d168d2b5459664aacea33945cdf53e8f192b8d7c7078df54962b2791e015f