61524da8678a41fde173e317d1c638d8a775429550cee336f7e00122e9838319

Analysis

max time kernel
150s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Blocker.exe
Size

468KB
MD5

c02dd2d83fc74abccd43a8b01c91f083
SHA1

2e26a91a8c41e58bbc0adeb5b6fac0728fb5c6b9
SHA256

61524da8678a41fde173e317d1c638d8a775429550cee336f7e00122e9838319
SHA512

2232b20e3c8235a646886ba94a9bd9524b1f3b6a6c15292e2aa0d6c032a350c891f3bfd6f709b8d81e5c62f29b935e53b137fe7cbf4210cf62427d6ee807e29e
SSDEEP

12288:Ki8l1vGkvn6WIi9aDhoFPp37jtHslw7QF:f8dd6WIioDh+PzMlA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Trojan-Ransom.Win32.Blocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound = "C:\\Windows\\Sound.exe"	Trojan-Ransom.Win32.Blocker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Sound.exe	Trojan-Ransom.Win32.Blocker.exe
File opened for modification	C:\Windows\Sound.exe	Trojan-Ransom.Win32.Blocker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe
1376	Trojan-Ransom.Win32.Blocker.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1372	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1376

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1372-55-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download