218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae

Analysis

max time kernel
28s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe
Size

48KB
MD5

84ea4c27d6a6b66282137a65ee90f5c5
SHA1

baa0df3b5648393900d75b6116e1e957b1368cfd
SHA256

218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae
SHA512

00e9a9ac746b7d56cd065135acc546fcd99c8f9c84f3d28ac3e5a4994f1ac41b1c9bb7a1f48ea87fc735fce8ea44a5f64b6dd08292e196850e4eef08d6313247
SSDEEP

384:/TBTwPBM7hP6CTFovGMsqG81uF4R8l5HT+D9yNvhP6CTFLE:/d629ovhPgFjXzUMNRL

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\metro.exe = "D:\\metro.exe"	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\E:\autorun.inf	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe
File opened for modification	\??\F:\autorun.inf	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe
File opened for modification	\??\G:\autorun.inf	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe
File opened for modification	C:\autorun.inf	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe
File opened for modification	D:\autorun.inf	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 11 IoCs

evasion

pid	Process
1656	taskkill.exe
680	taskkill.exe
1080	taskkill.exe
1856	taskkill.exe
1920	taskkill.exe
1208	taskkill.exe
1544	taskkill.exe
1632	taskkill.exe
788	taskkill.exe
1120	taskkill.exe
1792	taskkill.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	680	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeDebugPrivilege	1120	taskkill.exe
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	788	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1656	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	28
PID 1756 wrote to memory of 1656	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	28
PID 1756 wrote to memory of 1656	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	28
PID 1756 wrote to memory of 1656	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	28
PID 1756 wrote to memory of 680	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	30
PID 1756 wrote to memory of 680	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	30
PID 1756 wrote to memory of 680	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	30
PID 1756 wrote to memory of 680	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	30
PID 1756 wrote to memory of 1080	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	31
PID 1756 wrote to memory of 1080	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	31
PID 1756 wrote to memory of 1080	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	31
PID 1756 wrote to memory of 1080	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	31
PID 1756 wrote to memory of 1856	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	33
PID 1756 wrote to memory of 1856	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	33
PID 1756 wrote to memory of 1856	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	33
PID 1756 wrote to memory of 1856	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	33
PID 1756 wrote to memory of 788	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	35
PID 1756 wrote to memory of 788	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	35
PID 1756 wrote to memory of 788	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	35
PID 1756 wrote to memory of 788	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	35
PID 1756 wrote to memory of 1920	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	37
PID 1756 wrote to memory of 1920	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	37
PID 1756 wrote to memory of 1920	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	37
PID 1756 wrote to memory of 1920	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	37
PID 1756 wrote to memory of 1120	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	39
PID 1756 wrote to memory of 1120	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	39
PID 1756 wrote to memory of 1120	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	39
PID 1756 wrote to memory of 1120	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	39
PID 1756 wrote to memory of 1792	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	41
PID 1756 wrote to memory of 1792	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	41
PID 1756 wrote to memory of 1792	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	41
PID 1756 wrote to memory of 1792	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	41
PID 1756 wrote to memory of 1208	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	43
PID 1756 wrote to memory of 1208	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	43
PID 1756 wrote to memory of 1208	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	43
PID 1756 wrote to memory of 1208	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	43
PID 1756 wrote to memory of 1544	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	45
PID 1756 wrote to memory of 1544	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	45
PID 1756 wrote to memory of 1544	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	45
PID 1756 wrote to memory of 1544	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	45
PID 1756 wrote to memory of 1632	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	46
PID 1756 wrote to memory of 1632	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	46
PID 1756 wrote to memory of 1632	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	46
PID 1756 wrote to memory of 1632	1756	218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe	46

C:\Users\Admin\AppData\Local\Temp\218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe
"C:\Users\Admin\AppData\Local\Temp\218ff4587f608b2a402749989a41b204a556f9428aed3229915a985472b9cdae.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /t /im wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /t /im wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /t /im wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /t /im wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /t /im wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /t /im wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /t /im wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /t /im wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /t /im wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /t /im wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /t /im wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1756-56-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads