4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36

Analysis

max time kernel
22s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe
Size

387KB
MD5

f464cd126dae09b6751309bf78acd60f
SHA1

7ec235f2ec791b6aab8b83dcb4563bb6820f7113
SHA256

4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36
SHA512

611aac78388fecf43e47e31c48023837841aa1a01bde9ad0111b30653b6ac83117fead727b21de1ca4a2f773ba90f82addb0cd304e520aa48cacdfeacfda99f4
SSDEEP

6144:MXYkVV/WGs7OIIa0knuD0sPOh+8iu5tLjJoxGq6IE55weRdaKZt:MXYmV/oZtnuIgOh+8iu5BFYGq613X

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1596 server.exe
Loads dropped DLL 1 IoCs

Processes:

4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe

pid process

2036 4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

server.exe

pid process

1596 server.exe
1596 server.exe

pid	process
1596	server.exe

pid	process
2036	4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe

pid	process
1596	server.exe
1596	server.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exeserver.exe

description	pid	process
Token: 33	2036	4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe
Token: SeIncBasePriorityPrivilege	2036	4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe
Token: 33	2036	4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe
Token: SeIncBasePriorityPrivilege	2036	4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe
Token: 33	2036	4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe
Token: SeIncBasePriorityPrivilege	2036	4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe
Token: 33	2036	4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe
Token: SeIncBasePriorityPrivilege	2036	4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe
Token: 33	1596	server.exe
Token: SeIncBasePriorityPrivilege	1596	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exeserver.exe

description	pid	process	target process
PID 2036 wrote to memory of 1596	2036	4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe	server.exe
PID 2036 wrote to memory of 1596	2036	4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe	server.exe
PID 2036 wrote to memory of 1596	2036	4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe	server.exe
PID 2036 wrote to memory of 1596	2036	4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe	server.exe
PID 1596 wrote to memory of 1272	1596	server.exe	Explorer.EXE
PID 1596 wrote to memory of 1272	1596	server.exe	Explorer.EXE
PID 1596 wrote to memory of 1272	1596	server.exe	Explorer.EXE
PID 1596 wrote to memory of 1272	1596	server.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe
  "C:\Users\Admin\AppData\Local\Temp\4678bc8a28276a01d148b132e815ded5b66f9c6f7100b8cf3e00ae8ba880dd36.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2009.07.26T05.49\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2009.07.26T05.49\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server.exe

Filesize
17KB

MD5
4927ddbb60db41b4b6fe90540c5ae7bb

SHA1
3626a815c0c8039361baf12a6d4fc3a1d06676df

SHA256
f17dcb91e79f9d879a66ad7ff536da5261f6d57af58fb455e903c2920d6fc018

SHA512
5bf3cc72eb8cbe92f90ecc761ac59e14a30baa60f79343d3ce576155d6e490be09c92fe13c3567b813997a2c1e2354f3c0abbc500217590e0a422ca8b4fdb32c

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2009.07.26T05.49\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server.exe

Filesize
17KB

MD5
4927ddbb60db41b4b6fe90540c5ae7bb

SHA1
3626a815c0c8039361baf12a6d4fc3a1d06676df

SHA256
f17dcb91e79f9d879a66ad7ff536da5261f6d57af58fb455e903c2920d6fc018

SHA512
5bf3cc72eb8cbe92f90ecc761ac59e14a30baa60f79343d3ce576155d6e490be09c92fe13c3567b813997a2c1e2354f3c0abbc500217590e0a422ca8b4fdb32c

Download Submit
memory/1596-681-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1596-680-0x0000000000410000-0x000000000047C000-memory.dmp

Filesize
432KB

Download
memory/1596-679-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1596-674-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1596-673-0x000000000045B000-0x000000000045D000-memory.dmp

Filesize
8KB

Download
memory/1596-672-0x0000000000410000-0x000000000047C000-memory.dmp

Filesize
432KB

Download
memory/1596-365-0x0000000000000000-mapping.dmp

Download
memory/2036-99-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-109-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-77-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-73-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-79-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-81-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-83-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-85-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-87-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-89-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-91-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-93-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-95-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-55-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-101-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-103-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-105-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-107-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-111-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-75-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-113-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-117-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-115-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-97-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-170-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-363-0x00000000003BB000-0x00000000003BD000-memory.dmp

Filesize
8KB

Download
memory/2036-69-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-71-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-67-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-65-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-63-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-61-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-675-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-59-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-57-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-54-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2036-682-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download