Analysis
-
max time kernel
151s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 09:46
Static task
static1
Behavioral task
behavioral1
Sample
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe
Resource
win10v2004-20220812-en
General
-
Target
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe
-
Size
172KB
-
MD5
d8b3807c730d493ba974c13c83621dd8
-
SHA1
8f4f7519e1c86bd3b123130f60100d7da7a2e53d
-
SHA256
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b
-
SHA512
9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e
-
SSDEEP
3072:mJ0A2KvUXh9O5P908zsStvqeSwCKx83lUICxsqcAeSa:O0A2auu10usSJbuKxAlicbS
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
svchost.exesvchost.exepid process 1516 svchost.exe 1684 svchost.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1824 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exepid process 1456 1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe 1456 1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 2 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Config svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Config\ = e6070b00030017000a0001003200f401 svchost.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
svchost.exepid process 1684 svchost.exe 1684 svchost.exe 1684 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
svchost.exedescription pid process Token: SeBackupPrivilege 1684 svchost.exe Token: SeRestorePrivilege 1684 svchost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exedescription pid process target process PID 1456 wrote to memory of 1516 1456 1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe svchost.exe PID 1456 wrote to memory of 1516 1456 1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe svchost.exe PID 1456 wrote to memory of 1516 1456 1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe svchost.exe PID 1456 wrote to memory of 1516 1456 1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe svchost.exe PID 1456 wrote to memory of 1824 1456 1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe cmd.exe PID 1456 wrote to memory of 1824 1456 1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe cmd.exe PID 1456 wrote to memory of 1824 1456 1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe cmd.exe PID 1456 wrote to memory of 1824 1456 1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe"C:\Users\Admin\AppData\Local\Temp\1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\temp\svchost.exe"C:\Windows\temp\svchost.exe" -install2⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\~0.bat" "2⤵
- Deletes itself
PID:1824
-
C:\Windows\temp\svchost.exeC:\Windows\temp\svchost.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
258B
MD53ec406bfaf2fc1383813314972975c84
SHA1eb38d2a107129c86a910492f5b66fb9002dd9576
SHA2569fafc27e02c57454749b7a5ecfa45024c5813760b21ca571855f0ebb623e032d
SHA512de3e524d92abc4354735f35c88c7f7c972dd4d85d9dab93df91dd6f1c56c0046f27956512a3f66a1b3b1ca82bd127ea7c0c596aec95b1bb3b81037728ac92173
-
Filesize
172KB
MD5d8b3807c730d493ba974c13c83621dd8
SHA18f4f7519e1c86bd3b123130f60100d7da7a2e53d
SHA2561276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b
SHA5129814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e
-
Filesize
172KB
MD5d8b3807c730d493ba974c13c83621dd8
SHA18f4f7519e1c86bd3b123130f60100d7da7a2e53d
SHA2561276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b
SHA5129814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e
-
Filesize
172KB
MD5d8b3807c730d493ba974c13c83621dd8
SHA18f4f7519e1c86bd3b123130f60100d7da7a2e53d
SHA2561276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b
SHA5129814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e
-
Filesize
172KB
MD5d8b3807c730d493ba974c13c83621dd8
SHA18f4f7519e1c86bd3b123130f60100d7da7a2e53d
SHA2561276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b
SHA5129814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e
-
Filesize
172KB
MD5d8b3807c730d493ba974c13c83621dd8
SHA18f4f7519e1c86bd3b123130f60100d7da7a2e53d
SHA2561276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b
SHA5129814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e