Analysis

max time kernel: 7s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 10:36
Static task: static1
Behavioral task: behavioral1
  Sample: db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe
  Resource: win10v2004-20220812-en
General

Target: db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe
Size: 909KB
MD5: 823c825e4a48d4d54a611242b54b789c
SHA1: 1632bba7b691bf586b4897e4b4908196194d00f9
SHA256: db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7
SHA512: 4556b4e2c4f932440baa6faa7bfcc695dac8fc997dcdf964befbc34ca06815ed228244d95fd45cef32de7f29a8240dcaee29be17251889e17e7c5a9cf5a58581
SSDEEP: 24576:3MMMMMMMMMMMMMMMMMMMMMMghvhNGdGeGkpBFywcB7tZDDMxj82+arl4YaP:3MMMMMMMMMMMMMMMMMMMMMMghvS8eGkE
Malware Config
Signatures
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  1704  server.exe
  912   Cliente.exe
Processes (yara matches):
  resource                                                              yara_rule
  behavioral1/memory/1704-66-0x0000000000330000-0x0000000000341000-memory.dmp  upx
  behavioral1/memory/1704-69-0x0000000000350000-0x0000000000388000-memory.dmp  upx
  behavioral1/memory/1704-70-0x0000000000330000-0x0000000000341000-memory.dmp  upx
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate     server.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  server.exe
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  1760  db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe
  1760  db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe
  1760  db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description           ioc                                                                                   process
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  server.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     server.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet           server.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID          server.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      server.exe
  Key queried           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      server.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      server.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           server.exe
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  description        ioc                                                       process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  server.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid   process
  1760  db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  description                        pid   process                                                                   target process
  PID 1760 wrote to memory of 1704   1760  db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe  server.exe
  PID 1760 wrote to memory of 1704   1760  db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe  server.exe
  PID 1760 wrote to memory of 1704   1760  db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe  server.exe
  PID 1760 wrote to memory of 1704   1760  db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe  server.exe
  PID 1760 wrote to memory of 912    1760  db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe  Cliente.exe
  PID 1760 wrote to memory of 912    1760  db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe  Cliente.exe
  PID 1760 wrote to memory of 912    1760  db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe  Cliente.exe
  PID 1760 wrote to memory of 912    1760  db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe  Cliente.exe
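The three registry signatures above (BIOS, processor and system Identifier reads by server.exe) are individually weak: a legitimate program reading one CPU value is common. What makes them a sandbox-evasion indicator (ATT&CK T1497, Virtualization/Sandbox Evasion, by the usual mapping) is one process reading all of them together and then comparing the returned strings against hypervisor markers. The following is an added example, not part of the sandbox report or of the sample's code: it parses report-style IoC lines into a per-process verdict and shows the string check a sample performs on the values it reads back. The key grouping, the two-group threshold, the marker list and the extra benign.exe event are this example's own assumptions; the server.exe lines are constructed to match the tables above.

```python
"""Added example, not part of the sandbox report: score registry reads under
HKLM\\HARDWARE\\DESCRIPTION\\System as VM/sandbox fingerprinting and show the
value check a sample performs.  Key groups, threshold and marker strings are
assumptions; the input lines mirror the report's IoC tables."""
import re
from collections import defaultdict

# Key groups that together give a hypervisor fingerprint (assumed grouping).
FINGERPRINT_KEYS = {
    "bios": re.compile(r"\\System\\SystemBios(Date|Version)$", re.I),
    "cpu": re.compile(r"\\System\\CentralProcessor\\\d+(\\|$)", re.I),
    "system_id": re.compile(r"\\System\\Identifier$", re.I),
}

# Substrings a sample looks for in SystemBiosVersion / ProcessorNameString /
# Identifier on common hypervisors (illustrative list, not exhaustive).
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "bochs", "xen", "virtual")

# "Key value queried <path> <process>" style lines; the path may contain
# spaces (e.g. "Platform ID"), so the process is taken as the last token.
EVENT_RE = re.compile(
    r"^Key (?:value queried|value enumerated|queried|opened)\s+(.+?)\s+(\S+)$")


def parse_events(lines):
    """Yield (process, key_path) from report-style IoC lines; skip others."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(1)


def fingerprint_groups(lines):
    """Map each process to the set of fingerprint key groups it touched."""
    hits = defaultdict(set)
    for proc, key in parse_events(lines):
        for group, rx in FINGERPRINT_KEYS.items():
            if rx.search(key):
                hits[proc].add(group)
    return dict(hits)


def flag_fingerprinting(lines, min_groups=2):
    """Return {process: sorted groups} for processes reading at least
    `min_groups` distinct groups, i.e. profiling the machine rather than
    reading a single value for an ordinary reason."""
    return {p: sorted(g) for p, g in fingerprint_groups(lines).items()
            if len(g) >= min_groups}


def vm_markers_in(values):
    """Given the strings a sample reads back ({value name: data}), return
    'name=marker' for every hypervisor marker found (case-insensitive)."""
    found = []
    for name, value in values.items():
        low = str(value).lower()
        found.extend(f"{name}={m}" for m in VM_MARKERS if m in low)
    return found


# Constructed input: the report's server.exe IoC lines, plus one process
# (benign.exe, invented) that reads a single CPU value and must not be flagged.
REPORT_LINES = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate server.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion server.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID server.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz benign.exe
""".strip().splitlines()

if __name__ == "__main__":
    for proc, groups in flag_fingerprinting(REPORT_LINES).items():
        print(f"{proc}: reads {', '.join(groups)} -> likely VM/sandbox fingerprinting")
    # What the sample would see on a stock VirtualBox guest (constructed values).
    print(vm_markers_in({"SystemBiosVersion": "VBOX   - 1",
                         "ProcessorNameString": "Intel(R) Core(TM) i7"}))
```

The same grouping works as a hunting query over Sysmon event ID 12/13 or kernel registry audit data: look for one process touching two or more of the groups within a short window, then pivot to whether it exited early or spawned nothing afterwards, which is the behaviour an evasion check produces when it detects a sandbox.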
Processes

C:\Users\Admin\AppData\Local\Temp\db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\server.exe (child of the sample)
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry

  C:\Users\Admin\AppData\Local\Temp\Cliente.exe (child of the sample)
    command line: "C:\Users\Admin\AppData\Local\Temp\Cliente.exe"
    - Executes dropped EXE
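A caveat worth stating about the process tree and the WriteProcessMemory signature: every write in that table goes from the sample (PID 1760) into a process it has just created (1704 server.exe and 912 Cliente.exe), four writes each. That is the footprint of CreateProcess itself, which writes the new process's startup data into the child through the same API, so on its own it is not evidence of code injection; a write into a process the writer did not create is. The following added example, not part of the sandbox report or of the sample's code, rebuilds the tree from the report's PIDs and applies exactly that distinction. The explorer.exe process (PID 2000) and the single write into it are constructed to exercise the injection branch.

```python
"""Added example, not part of the sandbox report: rebuild the process tree
and classify "wrote to memory of" events as expected child setup versus
cross-process writes.  PIDs, image names and the eight report events come
from the page; explorer.exe (PID 2000) and the write into it are constructed."""
import re
from collections import Counter

SAMPLE = "db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe"

# (pid, ppid, image) as shown in the report's process tree; ppid None = root.
# explorer.exe is a constructed, pre-existing process the sample did not start.
PROCESSES = [
    (1760, None, SAMPLE),
    (1704, 1760, "server.exe"),
    (912, 1760, "Cliente.exe"),
    (2000, None, "explorer.exe"),
]

# Report row layout: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")

WRITE_LINES = (
    [f"PID 1760 wrote to memory of 1704 1760 {SAMPLE} server.exe"] * 4
    + [f"PID 1760 wrote to memory of 912 1760 {SAMPLE} Cliente.exe"] * 4
    + [f"PID 1760 wrote to memory of 2000 1760 {SAMPLE} explorer.exe"]  # constructed
)


def build_tree(processes):
    """Return (parent_of, image_of) lookups keyed by pid."""
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    image_of = {pid: image for pid, _, image in processes}
    return parent_of, image_of


def classify_writes(processes, lines):
    """Collapse repeated events per (writer, target) and label each pair.

    Returns [(writer image, target image, count, verdict)] sorted by writer
    then target pid.  verdict is "child-setup" when the target is a direct
    child of the writer (CreateProcess writing the new process's startup
    data), otherwise "cross-process-write" (the injection pattern)."""
    parent_of, image_of = build_tree(processes)
    counts = Counter()
    for line in lines:
        m = WRITE_RE.search(line)
        if not m:
            continue  # not a write event; ignore
        src, dst = int(m.group(1)), int(m.group(2))
        counts[(src, dst)] += 1
    out = []
    for (src, dst), n in sorted(counts.items()):
        verdict = "child-setup" if parent_of.get(dst) == src else "cross-process-write"
        out.append((image_of.get(src, str(src)), image_of.get(dst, str(dst)), n, verdict))
    return out


def render_tree(processes):
    """Indented text rendering of the process tree, roots first."""
    _, image_of = build_tree(processes)
    children = {}
    for pid, ppid, _ in processes:
        children.setdefault(ppid, []).append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image_of[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in children.get(None, []):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(PROCESSES))
    for writer, target, n, verdict in classify_writes(PROCESSES, WRITE_LINES):
        print(f"{writer} -> {target}: {n} write(s): {verdict}")
```

With real telemetry (Sysmon event ID 10 with the write mask, or ETW ProcessStart plus NtWriteVirtualMemory hooks) the same parent-of test separates the noise of process creation from injection into an existing process; the parent relationship is the field to key on, not the raw count of writes.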
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Cliente.exe
  Filesize: 60KB
  MD5: d75e2c45d1199c426e10764eb4459388
  SHA1: 958f62457918f8f4d93f9ae238ec0702af17265c
  SHA256: 6080e155120c657785d233b6892dcb3ba263d05690bbe3561640e4ac03ed6de7
  SHA512: 76548bc64a8abbf83e240199924d132553fc6f275ea212e5e29a2facc5d7d4f7f447d049e8380089bc9a683d784b88a8d35edc12343f5caee19f3e519e0f735f
C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 800KB
  MD5: 3d64416a3a7e50a60aefbee9a667f91d
  SHA1: b780f0c551cbb973a628a17de10bd3a81ae364e4
  SHA256: 1a1bc9bd9314d09fa7c187beb9b1fc07fe836e98e1ac183d480c15b2da85cc98
  SHA512: 7db765a68b1fb72bd175d5e9ce9998bcad5205536cd900199c2d0e4f3e4471fe92fc4965806eae23a9d63c81ffa9f5ed359cacaf1910eee44071c88fd7cc4b2c

\Users\Admin\AppData\Local\Temp\Cliente.exe
  Filesize: 60KB
  MD5: d75e2c45d1199c426e10764eb4459388
  SHA1: 958f62457918f8f4d93f9ae238ec0702af17265c
  SHA256: 6080e155120c657785d233b6892dcb3ba263d05690bbe3561640e4ac03ed6de7
  SHA512: 76548bc64a8abbf83e240199924d132553fc6f275ea212e5e29a2facc5d7d4f7f447d049e8380089bc9a683d784b88a8d35edc12343f5caee19f3e519e0f735f

\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 800KB
  MD5: 3d64416a3a7e50a60aefbee9a667f91d
  SHA1: b780f0c551cbb973a628a17de10bd3a81ae364e4
  SHA256: 1a1bc9bd9314d09fa7c187beb9b1fc07fe836e98e1ac183d480c15b2da85cc98
  SHA512: 7db765a68b1fb72bd175d5e9ce9998bcad5205536cd900199c2d0e4f3e4471fe92fc4965806eae23a9d63c81ffa9f5ed359cacaf1910eee44071c88fd7cc4b2c
memory/912-62-0x0000000000000000-mapping.dmp
memory/912-68-0x000007FEF3DA0000-0x000007FEF47C3000-memory.dmp (Filesize: 10.1MB)
memory/1704-59-0x0000000000000000-mapping.dmp
memory/1704-66-0x0000000000330000-0x0000000000341000-memory.dmp (Filesize: 68KB)
memory/1704-67-0x0000000000400000-0x0000000001400000-memory.dmp (Filesize: 16.0MB)
memory/1704-69-0x0000000000350000-0x0000000000388000-memory.dmp (Filesize: 224KB)
memory/1704-70-0x0000000000330000-0x0000000000341000-memory.dmp (Filesize: 68KB)
memory/1760-56-0x0000000076191000-0x0000000076193000-memory.dmp (Filesize: 8KB)