Analysis
max time kernel: 26s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2022 19:16
Static task: static1
Behavioral task: behavioral1
Sample: 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
Resource: win7-20221111-en
General
Target: 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
Size: 30KB
MD5: 7f832522934d3034af0fcd529b7e1595
SHA1: 85d3e42a2e1ddca118d572e416c2e5f619ec69f7
SHA256: 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60
SHA512: 3e56c0f98d0c04a9aeed6977ae908d04c19c2b945cfe301b619ddeae93879a8d084a0a6cfcaa5565b51c3e33d9cd4e1b98b74bf2c4ebc93b7c702abf1b1178d0
SSDEEP: 768:WKHHTyxuINi6TqHIZfC917xi3+Meo0Nbw4lUubXkD:WkVkDG0fCnNqluplUkX
Malware Config
Signatures
Deletes itself (1 IoCs)
Processes:
  pid | process
  296 | cmd.exe
Drops file in System32 directory (5 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\1232723.tmp | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
  File created | C:\Windows\SysWOW64\sxload.tmp | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
  File created | C:\Windows\System32\1232454.tmp | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
  File opened for modification | C:\Windows\SysWOW64\1232454.tmp | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
  File created | C:\Windows\System32\1232723.tmp | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
Drops file in Program Files directory (1 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\Common Files\sxlzg.tmp | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill (2 IoCs)
Processes:
  pid | process
  1708 | taskkill.exe
  684 | taskkill.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
  Token: SeDebugPrivilege | 1708 | taskkill.exe
  Token: SeDebugPrivilege | 684 | taskkill.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid | process
  1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
  1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 1160 wrote to memory of 1708 | 1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe | taskkill.exe
  PID 1160 wrote to memory of 1708 | 1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe | taskkill.exe
  PID 1160 wrote to memory of 1708 | 1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe | taskkill.exe
  PID 1160 wrote to memory of 1708 | 1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe | taskkill.exe
  PID 1160 wrote to memory of 684 | 1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe | taskkill.exe
  PID 1160 wrote to memory of 684 | 1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe | taskkill.exe
  PID 1160 wrote to memory of 684 | 1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe | taskkill.exe
  PID 1160 wrote to memory of 684 | 1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe | taskkill.exe
  PID 1160 wrote to memory of 296 | 1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe | cmd.exe
  PID 1160 wrote to memory of 296 | 1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe | cmd.exe
  PID 1160 wrote to memory of 296 | 1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe | cmd.exe
  PID 1160 wrote to memory of 296 | 1160 | 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe | cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\taskkill.exe (level 2)
  Command line: taskkill /f /im "DragonNest.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\taskkill.exe (level 2)
  Command line: taskkill /f /im "sdologin.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: cmd /c 1.bat
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\1.bat
  Filesize: 253B
  MD5: b74f188b2d82efe793a3090383a132d3
  SHA1: 03a95e0afcfb9d857dbf9027eed31b3edb88c45e
  SHA256: 37ad1799c78e1153d76d2c9d3e256866649e4e5d33233982f99b72fd77e974ce
  SHA512: af0f8230187d4727a6bb4a177888ea489613e05063befabc68740f5a39bc20fb8e4790317be489fcb7aa5695e5b182c85b88ba20abdb36e599af20b66a1f44fb
memory/296-58-0x0000000000000000-mapping.dmp
memory/684-57-0x0000000000000000-mapping.dmp
memory/1160-54-0x00000000757E1000-0x00000000757E3000-memory.dmp
  Filesize: 8KB
memory/1160-55-0x00000000744B1000-0x00000000744B3000-memory.dmp
  Filesize: 8KB
memory/1708-56-0x0000000000000000-mapping.dmp