Analysis
- max time kernel: 187s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 10:08
Static task: static1
Behavioral task: behavioral1
- Sample: b08aa1d63497dc690d0cd2baab0770457f6e28267a454a4fb860540979d6158a.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: b08aa1d63497dc690d0cd2baab0770457f6e28267a454a4fb860540979d6158a.exe
- Resource: win10v2004-20221111-en
General
- Target: b08aa1d63497dc690d0cd2baab0770457f6e28267a454a4fb860540979d6158a.exe
- Size: 43KB
- MD5: 75afc3968269546056e089311e6a6e25
- SHA1: 17df0b061d5c744de710300ae8c2e7fbbca89d7e
- SHA256: b08aa1d63497dc690d0cd2baab0770457f6e28267a454a4fb860540979d6158a
- SHA512: 2907f103fd0cfc0ef0d1476ea636dc0056ebe02f1af38e1ebd23cadab1d7776e438281ab1da23a4bfc869ca3c743c01833b50c9b2aca16b27086503c903e5133
- SSDEEP: 768:5S3DZ8y9MHnS6SgfSre9WTZ2S15M1N6HUjHPSqvtK1YrMr1PTENpaXsHCCjPkaE6:m6WEpo81W1bEjHCCrk
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process): 1012 thebest.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Processes (description / ioc / process), all by thebest.exe:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24894a08d6e12e0cd8ac5badace326b3.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24894a08d6e12e0cd8ac5badace326b3.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process): 2012 b08aa1d63497dc690d0cd2baab0770457f6e28267a454a4fb860540979d6158a.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process), all by thebest.exe:
  Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\24894a08d6e12e0cd8ac5badace326b3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\thebest.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\24894a08d6e12e0cd8ac5badace326b3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\thebest.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process): 1012 thebest.exe (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process): Token: SeDebugPrivilege, 1012 thebest.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  PID 2012 wrote to memory of 1012: b08aa1d63497dc690d0cd2baab0770457f6e28267a454a4fb860540979d6158a.exe -> thebest.exe (4 identical entries)
  PID 1012 wrote to memory of 584: thebest.exe -> netsh.exe (4 identical entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\b08aa1d63497dc690d0cd2baab0770457f6e28267a454a4fb860540979d6158a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b08aa1d63497dc690d0cd2baab0770457f6e28267a454a4fb860540979d6158a.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\thebest.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\thebest.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\thebest.exe" "thebest.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\thebest.exe (hashes match the submitted sample listed under General)
  Filesize: 43KB
  MD5: 75afc3968269546056e089311e6a6e25
  SHA1: 17df0b061d5c744de710300ae8c2e7fbbca89d7e
  SHA256: b08aa1d63497dc690d0cd2baab0770457f6e28267a454a4fb860540979d6158a
  SHA512: 2907f103fd0cfc0ef0d1476ea636dc0056ebe02f1af38e1ebd23cadab1d7776e438281ab1da23a4bfc869ca3c743c01833b50c9b2aca16b27086503c903e5133
- \Users\Admin\AppData\Local\Temp\thebest.exe
  Filesize: 43KB; MD5, SHA1, SHA256 and SHA512 identical to the entry above
- memory/584-60-0x0000000000000000-mapping.dmp
- memory/1012-56-0x0000000000000000-mapping.dmp
- memory/1012-62-0x0000000074A60000-0x000000007500B000-memory.dmp (Filesize: 5.7MB)
- memory/1012-64-0x0000000074A60000-0x000000007500B000-memory.dmp (Filesize: 5.7MB)
- memory/2012-54-0x00000000767F1000-0x00000000767F3000-memory.dmp (Filesize: 8KB)
- memory/2012-61-0x0000000074A60000-0x000000007500B000-memory.dmp (Filesize: 5.7MB)