Analysis
max time kernel: 69s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 14:10
Static task: static1
Behavioral task: behavioral1
  Sample: 61677ce68d9c39ff81442ff9aa41a27a7763a06764499a4f1a7ffed361df61d5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 61677ce68d9c39ff81442ff9aa41a27a7763a06764499a4f1a7ffed361df61d5.exe
  Resource: win10v2004-20220812-en
General
Target: 61677ce68d9c39ff81442ff9aa41a27a7763a06764499a4f1a7ffed361df61d5.exe
Size: 222KB
MD5: aea07e98196f4582a458322f673416ea
SHA1: 28f4475dab7a61c9170a41a5dcc193f3e7b4cd49
SHA256: 61677ce68d9c39ff81442ff9aa41a27a7763a06764499a4f1a7ffed361df61d5
SHA512: 893e6d984438b407f48000e81096a909d7a9562966b0557679a772983b2c07b7b8c3f6639d8b33bbc8de75f5e666cf465a56499acab7fa3f0554cf2655e14d53
SSDEEP: 3072:PkYe6Wvtzjm2bYZoHlDJFExx1roCNvpJ32GhNvHTvoYucP0:PkYe6Wvtzjm2bsc141roCTZ2GhNfu
Malware Config
Signatures
.NET Reactor protector (4 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
  resource: \Users\Admin\AppData\Local\Temp\exertup.exe  yara_rule: net_reactor
  resource: \Users\Admin\AppData\Local\Temp\exertup.exe  yara_rule: net_reactor
  resource: C:\Users\Admin\AppData\Local\Temp\exertup.exe  yara_rule: net_reactor
  resource: C:\Users\Admin\AppData\Local\Temp\exertup.exe  yara_rule: net_reactor
Executes dropped EXE (1 IoCs)
Processes:
  pid: 1988  process: exertup.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
Processes:
  description: File created  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0541e9f86982f557b46669d188cd98d3.exe  process: exertup.exe
  description: File opened for modification  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0541e9f86982f557b46669d188cd98d3.exe  process: exertup.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid: 1620  process: 61677ce68d9c39ff81442ff9aa41a27a7763a06764499a4f1a7ffed361df61d5.exe
  pid: 1620  process: 61677ce68d9c39ff81442ff9aa41a27a7763a06764499a4f1a7ffed361df61d5.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0541e9f86982f557b46669d188cd98d3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\exertup.exe\" .."  process: exertup.exe
  description: Set value (str)  ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\0541e9f86982f557b46669d188cd98d3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\exertup.exe\" .."  process: exertup.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid: 1988  process: exertup.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeDebugPrivilege  pid: 1988  process: exertup.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description: PID 1620 wrote to memory of 1988  pid: 1620  process: 61677ce68d9c39ff81442ff9aa41a27a7763a06764499a4f1a7ffed361df61d5.exe  target process: exertup.exe
  description: PID 1620 wrote to memory of 1988  pid: 1620  process: 61677ce68d9c39ff81442ff9aa41a27a7763a06764499a4f1a7ffed361df61d5.exe  target process: exertup.exe
  description: PID 1620 wrote to memory of 1988  pid: 1620  process: 61677ce68d9c39ff81442ff9aa41a27a7763a06764499a4f1a7ffed361df61d5.exe  target process: exertup.exe
  description: PID 1620 wrote to memory of 1988  pid: 1620  process: 61677ce68d9c39ff81442ff9aa41a27a7763a06764499a4f1a7ffed361df61d5.exe  target process: exertup.exe
  description: PID 1988 wrote to memory of 1992  pid: 1988  process: exertup.exe  target process: netsh.exe
  description: PID 1988 wrote to memory of 1992  pid: 1988  process: exertup.exe  target process: netsh.exe
  description: PID 1988 wrote to memory of 1992  pid: 1988  process: exertup.exe  target process: netsh.exe
  description: PID 1988 wrote to memory of 1992  pid: 1988  process: exertup.exe  target process: netsh.exe
Processes
C:\Users\Admin\AppData\Local\Temp\61677ce68d9c39ff81442ff9aa41a27a7763a06764499a4f1a7ffed361df61d5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\61677ce68d9c39ff81442ff9aa41a27a7763a06764499a4f1a7ffed361df61d5.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1620
  C:\Users\Admin\AppData\Local\Temp\exertup.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\exertup.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1988
    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\exertup.exe" "exertup.exe" ENABLE
      - Modifies Windows Firewall
      PID: 1992
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 222KB
MD5: aea07e98196f4582a458322f673416ea
SHA1: 28f4475dab7a61c9170a41a5dcc193f3e7b4cd49
SHA256: 61677ce68d9c39ff81442ff9aa41a27a7763a06764499a4f1a7ffed361df61d5
SHA512: 893e6d984438b407f48000e81096a909d7a9562966b0557679a772983b2c07b7b8c3f6639d8b33bbc8de75f5e666cf465a56499acab7fa3f0554cf2655e14d53