Analysis
  max time kernel: 154s
  max time network: 31s
  platform: windows7_x64
  resource: win7-20221111-en
  resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted: 19-11-2022 02:44

Static task: static1

Behavioral task: behavioral1
  Sample: d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe
  Resource: win10v2004-20221111-en
General
  Target: d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe
  Size: 201KB
  MD5: 1950d17d4bb9a7fcb18926772b43efcd
  SHA1: 5cca2aa4285f439242494fe94e74c71fbd8ad195
  SHA256: d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08
  SHA512: ffc79f8311ff8e99a4c98d5382bc94bfdb413fc66fc8058230f94c32324cb38e071b6c8b7a003054afc022b7cc2bde17610c1705fbba74ca0bda0ef7eedd65b8
  SSDEEP: 6144:Hza2Nj+MLxwkcWTq/81DDiSTz9nqEja3TXU0xtFi:HqEjk7l7Fi
Malware Config

Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  436   security.exe
  1080  security.exe

Yara rule matches
  resource                                                                     yara_rule
  behavioral1/memory/980-59-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/980-61-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/980-62-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/980-65-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/980-66-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/980-69-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/980-108-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/1080-110-0x0000000000400000-0x000000000040B000-memory.dmp upx
  behavioral1/memory/1080-112-0x0000000000400000-0x000000000040B000-memory.dmp upx
Loads dropped DLL (5 IoCs)
  pid  Process
  980  d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe  (5 identical entries)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created (reg.exe):
    \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str) (reg.exe):
    \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\security.exe"
Suspicious use of SetThreadContext (3 IoCs)
  PID 1504 (d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe) set thread context of 980 (procid_target 28)
  PID 436 (security.exe) set thread context of 1080 (procid_target 33)
  PID 436 (security.exe) set thread context of 1316 (procid_target 34)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   1080  security.exe  (64 identical entries)
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  1504  d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe
  980   d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe
  436   security.exe
  1080  security.exe
Suspicious use of WriteProcessMemory (37 IoCs)
  PID 1504 (d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe) wrote to memory of 980 (procid_target 28), 8 entries
  PID 980 (d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe) wrote to memory of 1100 (procid_target 29), 4 entries
  PID 1100 (cmd.exe) wrote to memory of 1176 (procid_target 31), 4 entries
  PID 980 (d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe) wrote to memory of 436 (procid_target 32), 4 entries
  PID 436 (security.exe) wrote to memory of 1080 (procid_target 33), 8 entries
  PID 436 (security.exe) wrote to memory of 1316 (procid_target 34), 9 entries
Processes

  [1] C:\Users\Admin\AppData\Local\Temp\d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe"
      PID: 1504
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      [2] C:\Users\Admin\AppData\Local\Temp\d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\d7f8fdd2d525dd9f5315138c9e893b60bcfca3d2b4058b0578fd57727a618c08.exe"
          PID: 980
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          [3] C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\SRVIM.bat" "
              PID: 1100
              - Suspicious use of WriteProcessMemory

              [4] C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Security" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Security\security.exe" /f
                  PID: 1176
                  - Adds Run key to start application

          [3] C:\Users\Admin\AppData\Roaming\Security\security.exe
              Command line: "C:\Users\Admin\AppData\Roaming\Security\security.exe"
              PID: 436
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

              [4] C:\Users\Admin\AppData\Roaming\Security\security.exe
                  Command line: "C:\Users\Admin\AppData\Roaming\Security\security.exe"
                  PID: 1080
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx

              [4] C:\Windows\explorer.exe
                  Command line: "C:\Windows\explorer.exe"
                  PID: 1316
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize: 147B
  MD5: 6f473a1ba53e043362047f72e20b34f4
  SHA1: e8f121a589e1207ed950453376ee1d21b1223835
  SHA256: 5fbce2c77a90ba9edbcf60be3851ab81633b7c10b1babb624d475c7be589de4b
  SHA512: b4976d40bc708ae6cddf367a5382cd532e4cf235b848cdaa4e4d317e06d9126e50745a7772591bc21dc7380689f4399e57501b0aa73cd231bce32e22d53b0818

  Filesize: 201KB
  MD5: 08fe772578607e854400582d50598a0d
  SHA1: 665e9c2634b6257afc9dc43972b5dd055ba4b9fe
  SHA256: 94932d85b93835bb84f68a65242fa393e899b071c3f10d84cece1f1160850530
  SHA512: ec284565e314b9c1634dd4edfe93473117309bcb173dbdcbb008f84449ccba34bd1bfd0490c0506b4e28650426d82ab5ca87b65000ea818745607f6c7046368b