adc330db21deb991339f4448ba8e2a7db493ab866a9929958507e339f23b8f84

Analysis

max time kernel
149s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc330db21deb991339f4448ba8e2a7db493ab866a9929958507e339f23b8f84.exe
Size

280KB
MD5

389051ca33b4a3a4a9b11658cad9a2fb
SHA1

07700bc298e0137be832ab74b0790922969a1e85
SHA256

adc330db21deb991339f4448ba8e2a7db493ab866a9929958507e339f23b8f84
SHA512

f56b84c191f03fdf31759888a9538dca0bdb0ef40dd34ce9d1be930eba2c814ae6fde60ae5bb10af19740a1466ad2caaae4bdb744157cb58565b16b8a9d99852
SSDEEP

6144:TTZU1YEcpDmP1YJEr8YMfGNSl4t0xkQ8GU8:vLANYeA9GNq4t4kQ4

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1304 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

568 netsh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1304	server.exe

pid	process
568	netsh.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1304	server.exe
Token: 33	1304	server.exe
Token: SeIncBasePriorityPrivilege	1304	server.exe
Token: 33	1304	server.exe
Token: SeIncBasePriorityPrivilege	1304	server.exe
Token: 33	1304	server.exe
Token: SeIncBasePriorityPrivilege	1304	server.exe
Token: 33	1304	server.exe
Token: SeIncBasePriorityPrivilege	1304	server.exe
Token: 33	1304	server.exe
Token: SeIncBasePriorityPrivilege	1304	server.exe
Token: 33	1304	server.exe
Token: SeIncBasePriorityPrivilege	1304	server.exe
Token: 33	1304	server.exe
Token: SeIncBasePriorityPrivilege	1304	server.exe
Token: 33	1304	server.exe
Token: SeIncBasePriorityPrivilege	1304	server.exe
Token: 33	1304	server.exe
Token: SeIncBasePriorityPrivilege	1304	server.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

adc330db21deb991339f4448ba8e2a7db493ab866a9929958507e339f23b8f84.exeserver.exe

description	pid	process	target process
PID 1324 wrote to memory of 1304	1324	adc330db21deb991339f4448ba8e2a7db493ab866a9929958507e339f23b8f84.exe	server.exe
PID 1324 wrote to memory of 1304	1324	adc330db21deb991339f4448ba8e2a7db493ab866a9929958507e339f23b8f84.exe	server.exe
PID 1324 wrote to memory of 1304	1324	adc330db21deb991339f4448ba8e2a7db493ab866a9929958507e339f23b8f84.exe	server.exe
PID 1304 wrote to memory of 568	1304	server.exe	netsh.exe
PID 1304 wrote to memory of 568	1304	server.exe	netsh.exe
PID 1304 wrote to memory of 568	1304	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\adc330db21deb991339f4448ba8e2a7db493ab866a9929958507e339f23b8f84.exe
"C:\Users\Admin\AppData\Local\Temp\adc330db21deb991339f4448ba8e2a7db493ab866a9929958507e339f23b8f84.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
280KB

MD5
389051ca33b4a3a4a9b11658cad9a2fb

SHA1
07700bc298e0137be832ab74b0790922969a1e85

SHA256
adc330db21deb991339f4448ba8e2a7db493ab866a9929958507e339f23b8f84

SHA512
f56b84c191f03fdf31759888a9538dca0bdb0ef40dd34ce9d1be930eba2c814ae6fde60ae5bb10af19740a1466ad2caaae4bdb744157cb58565b16b8a9d99852

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
280KB

MD5
389051ca33b4a3a4a9b11658cad9a2fb

SHA1
07700bc298e0137be832ab74b0790922969a1e85

SHA256
adc330db21deb991339f4448ba8e2a7db493ab866a9929958507e339f23b8f84

SHA512
f56b84c191f03fdf31759888a9538dca0bdb0ef40dd34ce9d1be930eba2c814ae6fde60ae5bb10af19740a1466ad2caaae4bdb744157cb58565b16b8a9d99852

Download Submit
memory/568-62-0x0000000000000000-mapping.dmp

Download
memory/1304-57-0x0000000000000000-mapping.dmp

Download
memory/1304-60-0x000007FEF46C0000-0x000007FEF50E3000-memory.dmp

Filesize
10.1MB

Download
memory/1304-61-0x000007FEF2290000-0x000007FEF3326000-memory.dmp

Filesize
16.6MB

Download
memory/1324-54-0x000007FEF37E0000-0x000007FEF4203000-memory.dmp

Filesize
10.1MB

Download
memory/1324-55-0x000007FEF2740000-0x000007FEF37D6000-memory.dmp

Filesize
16.6MB

Download
memory/1324-56-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download