Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-11-2022 02:13

General

  • Target

    9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f.exe

  • Size

    102KB

  • MD5

    fc91619e31c1627c4e3261f43db676e4

  • SHA1

    dc43debca4ecb7e92365f7ab099c3e061d6d76b5

  • SHA256

    9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f

  • SHA512

    29ce672a30b0c01ef1f569339fb4f1736588568a6a6cd3fd014ba7c6bf5d8f8609dfcfa949026c53ab8958d290f4943fa4213ef85726f77946322cedbcb2c1d7

  • SSDEEP

    1536:DbEJ0TThIy/q4f5bvqJbLAb7U/VMBSAJ93m+nD+pf47jzH:HEJ0HhIy/Bs0UNSJ93vDkQ7H

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Modifies Windows Firewall (1 TTP, 1 IoC)
  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken (19 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f.exe
    "C:\Users\Admin\AppData\Local\Temp\9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Users\Admin\AppData\Roaming\taskmgrr.exe
      "C:\Users\Admin\AppData\Roaming\taskmgrr.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Windows\system32\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\taskmgrr.exe" "taskmgrr.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1040
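
The tree above is a compact persistence chain: the sample in %TEMP% writes a copy of itself to %APPDATA%\Roaming\taskmgrr.exe (the dropped file's MD5/SHA1/SHA256 below are identical to the target's), runs that copy, and the copy registers a Run key and calls netsh to whitelist itself in the Windows Firewall. The following detection example is added here and is not part of the sandbox report: it replays the chain as constructed Sysmon-style ProcessCreate and RegistryEvent records (PIDs 1184/904/1040, image paths, the netsh command line and the hashes are the report's; the parent PID of the first process, the netsh binary's hash, the Run value name and the benign control event are assumptions) and flags the self-copy from a user-writable directory, the Run-key write, the user-writable firewall exclusion, and any process matching the report's hash.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hash taken from the report; the dropped taskmgrr.exe carries the sample's own hashes.
SAMPLE_SHA256 = "9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f"
KNOWN_BAD_SHA256 = {SAMPLE_SHA256}


@dataclass
class ProcEvent:
    """Sysmon EventID 1 (ProcessCreate), reduced to the fields the rules need."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str


@dataclass
class RegEvent:
    """Sysmon EventID 13 (RegistryEvent SetValue)."""
    pid: int
    target: str   # full key path including the value name
    details: str  # value data, here the program path


USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# Legacy 'netsh firewall add allowedprogram [program=]<path> ...' (the form this sample uses)
# and the current 'netsh advfirewall firewall add rule ... program=<path>' form.
NETSH_LEGACY = re.compile(r'firewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
NETSH_ADV = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path.strip('"')))


def find_self_copies(procs: List[ProcEvent]) -> List[Dict]:
    """Child started from a user-writable path whose hash equals its parent's
    (the 1184 -> 904 step in the report: the sample launches a copy of itself)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if (parent and parent.sha256.lower() == p.sha256.lower()
                and parent.image.lower() != p.image.lower() and is_user_writable(p.image)):
            hits.append({"parent": parent.pid, "child": p.pid, "image": p.image})
    return hits


def firewall_exclusion_target(p: ProcEvent) -> Optional[str]:
    """Program path a netsh command line allows through the firewall, or None."""
    if not p.image.lower().endswith("\\netsh.exe"):
        return None
    for rx in (NETSH_LEGACY, NETSH_ADV):
        m = rx.search(p.cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def find_firewall_exclusions(procs: List[ProcEvent]) -> List[Dict]:
    """netsh exclusions whose program lives in a user-writable directory (PID 1040 here)."""
    hits = []
    for p in procs:
        target = firewall_exclusion_target(p)
        if target and is_user_writable(target):
            hits.append({"pid": p.pid, "program": target})
    return hits


def find_run_key_persistence(regs: List[RegEvent]) -> List[Dict]:
    """Run/RunOnce values pointing at a user-writable program path."""
    return [{"pid": r.pid, "target": r.target, "program": r.details.strip('"')}
            for r in regs if RUN_KEY.search(r.target) and is_user_writable(r.details)]


def find_known_hashes(procs: List[ProcEvent]) -> List[int]:
    return sorted(p.pid for p in procs if p.sha256.lower() in KNOWN_BAD_SHA256)


def triage(procs: List[ProcEvent], regs: List[RegEvent]) -> Dict:
    findings = {
        "self_copy": find_self_copies(procs),
        "firewall_exclusion": find_firewall_exclusions(procs),
        "run_key": find_run_key_persistence(regs),
        "known_hash": find_known_hashes(procs),
    }
    hit = sum(1 for v in findings.values() if v)
    findings["techniques_hit"] = hit
    return findings


ORIG = r"C:\Users\Admin\AppData\Local\Temp\9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\taskmgrr.exe"
NETSH = r"C:\Windows\system32\netsh.exe"
# Constructed events replaying the report's tree. Assumed: parent PID 1000, the
# netsh hash ("a" * 64), the Run value name "taskmgrr", and the benign control event 2000.
PROCS = [
    ProcEvent(1184, 1000, ORIG, f'"{ORIG}"', SAMPLE_SHA256),
    ProcEvent(904, 1184, DROP, f'"{DROP}"', SAMPLE_SHA256),
    ProcEvent(1040, 904, NETSH, f'netsh firewall add allowedprogram "{DROP}" "taskmgrr.exe" ENABLE', "a" * 64),
    ProcEvent(2000, 1999, NETSH, 'netsh advfirewall firewall add rule name="App" dir=in action=allow '
                                 'program="C:\\Program Files\\App\\app.exe"', "a" * 64),
]
REGS = [RegEvent(904, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\taskmgrr", f'"{DROP}"')]

if __name__ == "__main__":
    for name, value in triage(PROCS, REGS).items():
        print(f"{name}: {value}")
```

The control event (PID 2000, an administrator allowing an application under Program Files with the modern advfirewall syntax) is parsed but not flagged, which is the point of keying the firewall rule on the program's directory rather than on netsh alone; the hash rule is the weakest of the four, since a recompiled sample defeats it, while the self-copy and Run-key rules survive a rebuild.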

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\taskmgrr.exe

    Filesize

    102KB

    MD5

    fc91619e31c1627c4e3261f43db676e4

    SHA1

    dc43debca4ecb7e92365f7ab099c3e061d6d76b5

    SHA256

    9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f

    SHA512

    29ce672a30b0c01ef1f569339fb4f1736588568a6a6cd3fd014ba7c6bf5d8f8609dfcfa949026c53ab8958d290f4943fa4213ef85726f77946322cedbcb2c1d7

  • memory/904-57-0x0000000000000000-mapping.dmp

  • memory/904-60-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

    Filesize

    10.1MB

  • memory/904-61-0x000007FEF2730000-0x000007FEF37C6000-memory.dmp

    Filesize

    16.6MB

  • memory/904-64-0x00000000009C6000-0x00000000009E5000-memory.dmp

    Filesize

    124KB

  • memory/904-65-0x00000000009C6000-0x00000000009E5000-memory.dmp

    Filesize

    124KB

  • memory/1040-62-0x0000000000000000-mapping.dmp

  • memory/1184-54-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

    Filesize

    10.1MB

  • memory/1184-55-0x000007FEF2970000-0x000007FEF3A06000-memory.dmp

    Filesize

    16.6MB

  • memory/1184-56-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

    Filesize

    8KB