Analysis
Max time kernel: 150s
Max time network: 48s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 24-11-2022 04:22
Static task: static1
Behavioral task: behavioral1
  Sample: 8202bf15241572d97e69284a49e93f767b9a4e3353dad0ca8229e96970342ded.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8202bf15241572d97e69284a49e93f767b9a4e3353dad0ca8229e96970342ded.exe
  Resource: win10v2004-20220901-en
General
Target: 8202bf15241572d97e69284a49e93f767b9a4e3353dad0ca8229e96970342ded.exe
Size: 63KB
MD5: f4d951691263d76bba6b791af761487a
SHA1: 5ba092de55213130d45453ce70569b6d8f67e65e
SHA256: 8202bf15241572d97e69284a49e93f767b9a4e3353dad0ca8229e96970342ded
SHA512: f3d330788086ba96bf65bbc1498bf3cb83cb79f9088fa1ebd6c3a140b7a98192bc7c821c7207fcebb47c7dbdba00a062c84039239ed4a5ae1e37d19db3453e15
SSDEEP: 1536:8dDFXXwqEcPpa+54aNEIaYnmGN6eyA37VXy:8dDFXXwWhaU4aGxYpN6HALVXy
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 1916  server.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
  Raised on the netsh.exe child of server.exe; the full command line is in the process tree below.

Drops startup file (2 IoCs)
  server.exe  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c89c5661f15916f1fe92e1e20c377061.exe
  server.exe  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c89c5661f15916f1fe92e1e20c377061.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  server.exe  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\c89c5661f15916f1fe92e1e20c377061 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  server.exe  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c89c5661f15916f1fe92e1e20c377061 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  Note: the value name (c89c5661f15916f1fe92e1e20c377061) is the same 32-hex string used for the Startup-folder file above, which makes it a good pivot when hunting for this persistence on other hosts. Persistence is written to both the per-user (HKU) and machine-wide (HKLM) Run keys; the HKLM write needs an administrative token, so on a standard-user host only the HKU entry would land. The launch string carries a trailing " .." argument, so a Run-key entry whose command ends in " .." is itself a usable indicator.

Drops file in Windows directory (2 IoCs)
  8202bf15241572d97e69284a49e93f767b9a4e3353dad0ca8229e96970342ded.exe  File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new
  8202bf15241572d97e69284a49e93f767b9a4e3353dad0ca8229e96970342ded.exe  File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new
  Caveat: these two files are the Code Access Security policy caches that the .NET Framework 2.0 runtime (v2.0.50727) regenerates when a managed executable starts. They show that the sample is a .NET assembly running under the 64-bit CLR, not that it tampers with Windows system files; do not treat them as dropper artefacts.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: nothing else in this report (no mass file writes, no encryption, no ransom note) supports it, and the remainder of the chain (self-copy into %TEMP%, Run-key and Startup-folder persistence, a firewall exception for the copy) is the profile of a remote-access backdoor rather than ransomware.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
  server.exe (PID 1916) enables SeDebugPrivilege once, then alternates "Token: 33" (a privilege the sandbox reports only by its LUID) and SeIncBasePriorityPrivilege, nine times each.
  Caveat: enabling SeDebugPrivilege is the usual precursor to opening other processes, but it only takes effect when the token already holds the privilege, i.e. in an administrative session such as this sandbox run.

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2020 (8202bf15241572d97e69284a49e93f767b9a4e3353dad0ca8229e96970342ded.exe) wrote to memory of PID 1916 (server.exe), 3 times
  PID 1916 (server.exe) wrote to memory of PID 1192 (netsh.exe), 3 times
  Caveat: a parent writing a few blocks into a child it has just created is what CreateProcess itself does (process parameters), and the sandbox flags every cross-process write. Both pairs here are parent-to-direct-child, so this signature is consistent with plain process creation; nothing in the report shows code injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\8202bf15241572d97e69284a49e93f767b9a4e3353dad0ca8229e96970342ded.exe  (PID 2020, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8202bf15241572d97e69284a49e93f767b9a4e3353dad0ca8229e96970342ded.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\server.exe  (PID 1916, depth 2, child of PID 2020)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\netsh.exe  (PID 1192, depth 3, child of PID 1916)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
      Note: "netsh firewall" is the legacy firewall context, deprecated since Windows Vista in favour of "netsh advfirewall" but still accepted on Windows 7. The command registers the %TEMP% copy as an allowed program, i.e. an inbound exception for server.exe under the display name "server.exe", and like the HKLM Run key it only succeeds with an administrative token. A netsh.exe child of a binary running from a user-writable directory is a strong hunting signal regardless of the family.
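The chain above (self-copy into %TEMP%, Run-key and Startup-folder persistence, a netsh firewall exception for the copy) can be turned into host-telemetry hunt rules. The following is an added example written for this page, not code from the sandbox or from the sample: it replays the report's process tree as constructed Sysmon-style events and runs four rules over them. The event shape (ids 1/11/13 and field names), the parent PID 1500 and the netsh.exe hash are assumptions; every path, PID, registry key and sample hash is taken from the report.

```python
"""Hunt rules for the persistence chain in the sandbox report, run over
constructed Sysmon-style events. Event shape (ids 1/11/13, field names) and
the values marked 'constructed' are assumptions for this example; paths,
PIDs, key names and the sample hash come from the report."""
import ntpath
import re
from dataclasses import dataclass

SAMPLE = "8202bf15241572d97e69284a49e93f767b9a4e3353dad0ca8229e96970342ded"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
STARTUP_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
RUN_NAME = "c89c5661f15916f1fe92e1e20c377061"
DROPPER = ntpath.join(TEMP, SAMPLE + ".exe")
COPY = ntpath.join(TEMP, "server.exe")
RUN_HKU = r"HKU\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed event log (not real telemetry). id 1 = process create,
# 11 = file create, 13 = registry value set, loosely following Sysmon.
EVENTS = [
    {"id": 1, "pid": 2020, "ppid": 1500, "image": DROPPER,          # ppid constructed
     "cmdline": f'"{DROPPER}"', "sha256": SAMPLE},
    {"id": 11, "pid": 2020, "image": DROPPER, "target": COPY},
    {"id": 1, "pid": 1916, "ppid": 2020, "image": COPY,
     "cmdline": f'"{COPY}"', "sha256": SAMPLE},
    {"id": 11, "pid": 1916, "image": COPY,
     "target": ntpath.join(STARTUP_DIR, RUN_NAME + ".exe")},
    {"id": 13, "pid": 1916, "image": COPY,
     "key": RUN_HKU + "\\" + RUN_NAME, "data": f'"{COPY}" ..'},
    {"id": 13, "pid": 1916, "image": COPY,
     "key": RUN_HKLM + "\\" + RUN_NAME, "data": f'"{COPY}" ..'},
    {"id": 1, "pid": 1192, "ppid": 1916, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{COPY}" "server.exe" ENABLE',
     "sha256": "0" * 64},                                            # constructed
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
NETSH_ALLOW = re.compile(
    r"\bnetsh\b.*\b(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def first_path(cmd: str) -> str:
    """Executable path from a launch string: first quoted token, else first
    whitespace-delimited token (so the trailing ' ..' argument is ignored)."""
    m = re.match(r'\s*"([^"]*)"|\s*(\S+)', cmd)
    return (m.group(1) or m.group(2) or "") if m else ""


def analyze(events):
    """Apply the four rules and return findings in event order."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    out = []
    for e in events:
        if e["id"] == 13 and RUN_KEY.search(e["key"]):
            # Rule 1: autorun entry whose target lives in a user-writable directory.
            path = first_path(e["data"])
            if USER_WRITABLE.search(path):
                hive = e["key"].split("\\", 1)[0]
                out.append(Finding("run_key_user_writable", e["pid"], f"{hive}: {path}"))
        elif e["id"] == 11 and STARTUP.search(e["target"]):
            # Rule 2: file dropped into the per-user Startup folder.
            out.append(Finding("startup_folder_drop", e["pid"], e["target"]))
        elif e["id"] == 1:
            # Rule 3: firewall exception added for a binary in a user-writable directory.
            if NETSH_ALLOW.search(e["cmdline"]) and USER_WRITABLE.search(e["cmdline"]):
                out.append(Finding("firewall_exception_user_writable", e["pid"], e["cmdline"]))
            # Rule 4: child is a byte-identical copy of its parent under a new name.
            parent = procs.get(e["ppid"])
            if parent and parent["sha256"] == e["sha256"] \
                    and parent["image"].lower() != e["image"].lower():
                out.append(Finding("self_copy_exec", e["pid"],
                                   f'{parent["image"]} -> {e["image"]}'))
    return out


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:34} pid={f.pid:<5} {f.detail}")
```

Run against the constructed log, the rules fire five times: the Run-key rule twice (HKU and HKLM), and the Startup-folder, firewall-exception and self-copy rules once each. Rule 4 is the one that ties the "dropped" server.exe back to the submitted sample by hash rather than by name, which is how a hunt would recognise the same dropper even if the copy were renamed.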
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 63KB
  MD5: f4d951691263d76bba6b791af761487a
  SHA1: 5ba092de55213130d45453ce70569b6d8f67e65e
  SHA256: 8202bf15241572d97e69284a49e93f767b9a4e3353dad0ca8229e96970342ded
  SHA512: f3d330788086ba96bf65bbc1498bf3cb83cb79f9088fa1ebd6c3a140b7a98192bc7c821c7207fcebb47c7dbdba00a062c84039239ed4a5ae1e37d19db3453e15
  Note: every hash matches the submitted sample (see General above). server.exe is a byte-for-byte self-copy, so the "dropper" stage is the same binary relaunched from %TEMP% under a fixed name; one set of hashes covers both the original and the copy for blocking and retro-hunting.
memory/1192-62-0x0000000000000000-mapping.dmp
memory/1916-57-0x0000000000000000-mapping.dmp
memory/1916-60-0x000007FEF3F40000-0x000007FEF4963000-memory.dmp  Filesize: 10.1MB
memory/1916-61-0x000007FEF2EA0000-0x000007FEF3F36000-memory.dmp  Filesize: 16.6MB
memory/1916-64-0x0000000000C76000-0x0000000000C95000-memory.dmp  Filesize: 124KB
memory/1916-65-0x0000000000C76000-0x0000000000C95000-memory.dmp  Filesize: 124KB
memory/2020-54-0x000007FEF3F40000-0x000007FEF4963000-memory.dmp  Filesize: 10.1MB
memory/2020-55-0x000007FEF2EA0000-0x000007FEF3F36000-memory.dmp  Filesize: 16.6MB
memory/2020-56-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp  Filesize: 8KB
Note: the two large 0x000007FE... ranges are identical in PID 2020 and PID 1916 (same base, same size), i.e. high-address module mappings shared by both processes, as expected when the child is the same binary loading the same runtime. The 124KB region at 0x0000000000C76000 in server.exe is dumped twice (snapshots 64 and 65); it is the low-address region worth diffing between the two snapshots when looking for unpacked code or a decrypted configuration.