3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e

Analysis

max time kernel
11s
max time network
12s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 13:12

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe
Size

50KB
MD5

a30d40bc56e182ec4ff9496b8498b462
SHA1

ca2d78ac07089a31059b882e4c72396e56bc3a2d
SHA256

3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e
SHA512

79a0de91b7c722242605abe245634b0cc7f285d1827a18b168d7290ac58ab1a4214b101eaa0ab49f887c5b3e86e0736c1bb2e48cb4d5eec6833a5d7a22726132
SSDEEP

768:cA+d1z8BXAqxwJE9Lb+7RFpvLXuZr32BBaAriUFE0tFDvXCkC5HVYPCI:cAkEwJCGNFxLXKyBhXm0tFDv0HyPD

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
936	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\308694020 = "C:\\Users\\Admin\\308694020.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe
Token: SeShutdownPrivilege	1388	shutdown.exe
Token: SeRemoteShutdownPrivilege	1388	shutdown.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1508	1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe	27
PID 1092 wrote to memory of 1508	1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe	27
PID 1092 wrote to memory of 1508	1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe	27
PID 1092 wrote to memory of 1508	1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe	27
PID 1508 wrote to memory of 1144	1508	cmd.exe	29
PID 1508 wrote to memory of 1144	1508	cmd.exe	29
PID 1508 wrote to memory of 1144	1508	cmd.exe	29
PID 1508 wrote to memory of 1144	1508	cmd.exe	29
PID 1092 wrote to memory of 1388	1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe	30
PID 1092 wrote to memory of 1388	1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe	30
PID 1092 wrote to memory of 1388	1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe	30
PID 1092 wrote to memory of 1388	1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe	30
PID 1092 wrote to memory of 936	1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe	32
PID 1092 wrote to memory of 936	1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe	32
PID 1092 wrote to memory of 936	1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe	32
PID 1092 wrote to memory of 936	1092	3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe	32

C:\Users\Admin\AppData\Local\Temp\3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe
"C:\Users\Admin\AppData\Local\Temp\3b911bca6c01e172b8d779e05da3eddc77367859b7b7b54b6cf3a56b7441104e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 308694020 /t REG_SZ /d "%userprofile%\308694020.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 308694020 /t REG_SZ /d "C:\Users\Admin\308694020.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1144
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /f /t 3
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3B911B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:936

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1780

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1092-59-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1092-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1780-61-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download