Analysis
-
max time kernel
78s -
max time network
104s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
23-11-2022 19:10
General
-
Target
0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe
-
Size
96KB
-
MD5
44263a40c05bd699278669879bc48400
-
SHA1
ad63fbe8a0574618fe054ad5af736c0e1f307d57
-
SHA256
0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9
-
SHA512
3606aae76d1f9a6957f5abbdcecf0c20371297af5276163cb90759eb1e5d4942ff910d6f852ab6e9fe967af4f3dce54db0706c7644095f152489fcb96db534f3
-
SSDEEP
1536:eLHM8BA4FC1uuo3pRGtqcyNl9kJw0w0WxIC98m4v0Omt7clhPiacslt35GWNps:x8/3pYaNMJw0JWxIC9Y7Pcslt35HN6
Score
10/10
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe"C:\Users\Admin\AppData\Local\Temp\0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe"1⤵
- Modifies firewall policy service
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer Phishing Filter
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -f -t 6002⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
Filesize
8KB