8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3

Analysis

max time kernel
42s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe
Size

358KB
MD5

2aaa67964b4e20b25ee2c8a124d1bc8e
SHA1

2c02c42d085d2b384d1d3d15a954606d9c157976
SHA256

8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3
SHA512

4db2e5b4bc8384b26177a665c5f4d3a2481e9f090bfad66a0803ec3a554831fc9ae919033c2a366a410a29503612451d75395a6ec157edc7eee2df053a4ed7b9
SSDEEP

6144:wXY1jqepIGuWZ+I2igbFdvywrZcZV7LjJoxGq6IE55wxg:wXY1jqe6Gj2hFdvyGcZ1FYGq61Gg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1764 server.exe
Loads dropped DLL 1 IoCs

Processes:

8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe

pid process

1220 8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

server.exe

pid process

1764 server.exe
1764 server.exe

pid	process
1764	server.exe

pid	process
1220	8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe

pid	process
1764	server.exe
1764	server.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exeserver.exe

description	pid	process
Token: 33	1220	8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe
Token: SeIncBasePriorityPrivilege	1220	8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe
Token: 33	1220	8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe
Token: SeIncBasePriorityPrivilege	1220	8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe
Token: 33	1220	8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe
Token: SeIncBasePriorityPrivilege	1220	8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe
Token: 33	1220	8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe
Token: SeIncBasePriorityPrivilege	1220	8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe
Token: 33	1764	server.exe
Token: SeIncBasePriorityPrivilege	1764	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exeserver.exe

description	pid	process	target process
PID 1220 wrote to memory of 1764	1220	8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe	server.exe
PID 1220 wrote to memory of 1764	1220	8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe	server.exe
PID 1220 wrote to memory of 1764	1220	8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe	server.exe
PID 1220 wrote to memory of 1764	1220	8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe	server.exe
PID 1764 wrote to memory of 1224	1764	server.exe	Explorer.EXE
PID 1764 wrote to memory of 1224	1764	server.exe	Explorer.EXE
PID 1764 wrote to memory of 1224	1764	server.exe	Explorer.EXE
PID 1764 wrote to memory of 1224	1764	server.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe
  "C:\Users\Admin\AppData\Local\Temp\8957f9e68f7d05522e9f0044931e184e0f919e2405924a945700d143eb010cc3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\1430.08.04T04.07\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\1430.08.04T04.07\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server.exe

Filesize
17KB

MD5
4927ddbb60db41b4b6fe90540c5ae7bb

SHA1
3626a815c0c8039361baf12a6d4fc3a1d06676df

SHA256
f17dcb91e79f9d879a66ad7ff536da5261f6d57af58fb455e903c2920d6fc018

SHA512
5bf3cc72eb8cbe92f90ecc761ac59e14a30baa60f79343d3ce576155d6e490be09c92fe13c3567b813997a2c1e2354f3c0abbc500217590e0a422ca8b4fdb32c

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\1430.08.04T04.07\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server.exe

Filesize
17KB

MD5
4927ddbb60db41b4b6fe90540c5ae7bb

SHA1
3626a815c0c8039361baf12a6d4fc3a1d06676df

SHA256
f17dcb91e79f9d879a66ad7ff536da5261f6d57af58fb455e903c2920d6fc018

SHA512
5bf3cc72eb8cbe92f90ecc761ac59e14a30baa60f79343d3ce576155d6e490be09c92fe13c3567b813997a2c1e2354f3c0abbc500217590e0a422ca8b4fdb32c

Download Submit
memory/1220-98-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-69-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-61-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-100-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-65-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-104-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-71-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-96-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-75-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-67-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-82-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-80-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-78-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-84-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-86-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-88-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-90-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-92-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-54-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-102-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-63-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-59-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-73-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-108-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-106-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-110-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-94-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-112-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-114-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-118-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-116-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-337-0x00000000003CB000-0x00000000003CD000-memory.dmp

Filesize
8KB

Download
memory/1220-57-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-680-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1220-55-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1764-672-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1764-673-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1764-677-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1764-678-0x0000000000380000-0x00000000003EC000-memory.dmp

Filesize
432KB

Download
memory/1764-679-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1764-365-0x0000000000000000-mapping.dmp

Download