7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62

General

Target

7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe
Size

286KB
MD5

f72d15d6b4acf8078292d53c1dd3755a
SHA1

3fd52da27e28b5e3d09743c09a72b58689508288
SHA256

7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62
SHA512

9ab7f0a1db7ab35d8d936a5ab1c8398c9350a2f9eadc76c7e88834b0e9488ebff9da3fb008a0c591eaa23faed6c04e9ad325c795164f35b4abb4f20219686a6a
SSDEEP

6144:B0Ejt/wbJlcp8J0Ya1AUM1VrtNjVsF9cMSVv5gRd6:BLtWeg051BM1NtrswMSB5y

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

780 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

864 netsh.exe

pid	process
780	server.exe

pid	process
864	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\212683d986fb740ad6a40184df48e604 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\212683d986fb740ad6a40184df48e604 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	1360	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe
Token: 33	1360	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe
Token: SeIncBasePriorityPrivilege	1360	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe
Token: SeDebugPrivilege	780	server.exe
Token: 33	780	server.exe
Token: SeIncBasePriorityPrivilege	780	server.exe
Token: 33	780	server.exe
Token: SeIncBasePriorityPrivilege	780	server.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exeserver.exe

description	pid	process	target process
PID 1360 wrote to memory of 780	1360	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe	server.exe
PID 1360 wrote to memory of 780	1360	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe	server.exe
PID 1360 wrote to memory of 780	1360	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe	server.exe
PID 780 wrote to memory of 864	780	server.exe	netsh.exe
PID 780 wrote to memory of 864	780	server.exe	netsh.exe
PID 780 wrote to memory of 864	780	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe
"C:\Users\Admin\AppData\Local\Temp\7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
286KB

MD5
f72d15d6b4acf8078292d53c1dd3755a

SHA1
3fd52da27e28b5e3d09743c09a72b58689508288

SHA256
7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62

SHA512
9ab7f0a1db7ab35d8d936a5ab1c8398c9350a2f9eadc76c7e88834b0e9488ebff9da3fb008a0c591eaa23faed6c04e9ad325c795164f35b4abb4f20219686a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
286KB

MD5
f72d15d6b4acf8078292d53c1dd3755a

SHA1
3fd52da27e28b5e3d09743c09a72b58689508288

SHA256
7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62

SHA512
9ab7f0a1db7ab35d8d936a5ab1c8398c9350a2f9eadc76c7e88834b0e9488ebff9da3fb008a0c591eaa23faed6c04e9ad325c795164f35b4abb4f20219686a6a

Download Submit
memory/780-63-0x000007FEF20B0000-0x000007FEF3146000-memory.dmp

Filesize
16.6MB

Download
memory/780-58-0x0000000000000000-mapping.dmp

Download
memory/780-61-0x000007FEF3150000-0x000007FEF3B73000-memory.dmp

Filesize
10.1MB

Download
memory/780-62-0x000007FEF40F0000-0x000007FEF45B0000-memory.dmp

Filesize
4.8MB

Download
memory/780-66-0x0000000000B58000-0x0000000000B5D000-memory.dmp

Filesize
20KB

Download
memory/780-67-0x0000000000B58000-0x0000000000B5D000-memory.dmp

Filesize
20KB

Download
memory/864-64-0x0000000000000000-mapping.dmp

Download
memory/1360-57-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

Filesize
8KB

Download
memory/1360-56-0x000007FEF2620000-0x000007FEF36B6000-memory.dmp

Filesize
16.6MB

Download
memory/1360-55-0x000007FEF36C0000-0x000007FEF3B80000-memory.dmp

Filesize
4.8MB

Download
memory/1360-54-0x000007FEF3B80000-0x000007FEF45A3000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads