Analysis
max time kernel: 149s
max time network: 143s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 02:13
Static task: static1
Behavioral task: behavioral1
  Sample: 9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f.exe
  Resource: win10v2004-20221111-en
General
Target: 9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f.exe
Size: 102KB
MD5: fc91619e31c1627c4e3261f43db676e4
SHA1: dc43debca4ecb7e92365f7ab099c3e061d6d76b5
SHA256: 9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f
SHA512: 29ce672a30b0c01ef1f569339fb4f1736588568a6a6cd3fd014ba7c6bf5d8f8609dfcfa949026c53ab8958d290f4943fa4213ef85726f77946322cedbcb2c1d7
SSDEEP: 1536:DbEJ0TThIy/q4f5bvqJbLAb7U/VMBSAJ93m+nD+pf47jzH:HEJ0HhIy/Bs0UNSJ93vDkQ7H
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: PID 904, taskmgrr.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a0bc401081d90e3f0239a9569ef29e1.exe (process: taskmgrr.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a0bc401081d90e3f0239a9569ef29e1.exe (process: taskmgrr.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\5a0bc401081d90e3f0239a9569ef29e1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\taskmgrr.exe\" .." (process: taskmgrr.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5a0bc401081d90e3f0239a9569ef29e1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\taskmgrr.exe\" .." (process: taskmgrr.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Process: PID 904, taskmgrr.exe
  Token: SeDebugPrivilege (1 occurrence)
  Token: 33 (9 occurrences)
  Token: SeIncBasePriorityPrivilege (9 occurrences)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1184 (9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f.exe) wrote to memory of PID 904 (taskmgrr.exe): 3 occurrences
  PID 904 (taskmgrr.exe) wrote to memory of PID 1040 (netsh.exe): 3 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f.exe"
   PID: 1184
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\taskmgrr.exe
      Command line: "C:\Users\Admin\AppData\Roaming\taskmgrr.exe"
      PID: 904
      Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\taskmgrr.exe" "taskmgrr.exe" ENABLE
         PID: 1040
         Signatures: Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 102KB
MD5: fc91619e31c1627c4e3261f43db676e4
SHA1: dc43debca4ecb7e92365f7ab099c3e061d6d76b5
SHA256: 9e932098717a08b3df7960b94283465b5741a79a6aea9f67b65da759db64cd6f
SHA512: 29ce672a30b0c01ef1f569339fb4f1736588568a6a6cd3fd014ba7c6bf5d8f8609dfcfa949026c53ab8958d290f4943fa4213ef85726f77946322cedbcb2c1d7