Analysis
max time kernel: 42s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07-11-2022 04:14
Static task: static1
Behavioral task: behavioral1
  Sample: 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe
  Resource: win10v2004-20220812-en
General
Target: 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe
Size: 43KB
MD5: 06948f3af0a772a23d20a46cac52fa60
SHA1: 957ef61f9d4d3ea050a5c062ae12996febb91f3a
SHA256: 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520
SHA512: 3096f57da95dc8364abef5cdd9ce9f352a0e678d9f2ef383154f356659648e2d6d3fb5395e96fec456c266e7980cddd4bd26131448dd85574bb3f9ce0956e0ef
SSDEEP: 768:ruD/1865QbrS+eUfOrm9uTx22R581J6HqYjHn2qvtK18/E71bToNVGnsHCCjPkax:MKuchsvR21XobHCCrk
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2040, process سسس.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 948, process netsh.exe
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\626bab39ac7864f670f1f40dacc7bb84.exe (process سسس.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\626bab39ac7864f670f1f40dacc7bb84.exe (process سسس.exe)
Loads dropped DLL (1 IoC)
  pid 812, process 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\626bab39ac7864f670f1f40dacc7bb84 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\سسس.exe\" .." (process سسس.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\626bab39ac7864f670f1f40dacc7bb84 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\سسس.exe\" .." (process سسس.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2040, process سسس.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2040, process سسس.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 812 wrote to memory of 2040 (process 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe, procid_target 27)
  PID 812 wrote to memory of 2040 (process 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe, procid_target 27)
  PID 812 wrote to memory of 2040 (process 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe, procid_target 27)
  PID 812 wrote to memory of 2040 (process 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe, procid_target 27)
  PID 2040 wrote to memory of 948 (process سسس.exe, procid_target 28)
  PID 2040 wrote to memory of 948 (process سسس.exe, procid_target 28)
  PID 2040 wrote to memory of 948 (process سسس.exe, procid_target 28)
  PID 2040 wrote to memory of 948 (process سسس.exe, procid_target 28)
Processes
C:\Users\Admin\AppData\Local\Temp\3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 812
  C:\Users\Admin\AppData\Local\Temp\سسس.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\سسس.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2040
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\سسس.exe" "سسس.exe" ENABLE
      - Modifies Windows Firewall
      PID: 948
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 43KB
MD5: 06948f3af0a772a23d20a46cac52fa60
SHA1: 957ef61f9d4d3ea050a5c062ae12996febb91f3a
SHA256: 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520
SHA512: 3096f57da95dc8364abef5cdd9ce9f352a0e678d9f2ef383154f356659648e2d6d3fb5395e96fec456c266e7980cddd4bd26131448dd85574bb3f9ce0956e0ef