Analysis

max time kernel: 40s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 11:59
Static task: static1

Behavioral task: behavioral1
Sample: 5fc654741cc610a02251d82dee0b3333373586d9646f1c2a4b0dd411cf026d66.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 5fc654741cc610a02251d82dee0b3333373586d9646f1c2a4b0dd411cf026d66.exe
Resource: win10v2004-20221111-en
General

Target: 5fc654741cc610a02251d82dee0b3333373586d9646f1c2a4b0dd411cf026d66.exe
Size: 63KB
MD5: 9b10c6bc67c04086df0dfd3e22f3c0d5
SHA1: 0da23d032cca16ad80ade0fa15dffa52de09ea0b
SHA256: 5fc654741cc610a02251d82dee0b3333373586d9646f1c2a4b0dd411cf026d66
SHA512: 90c912eddfe8949aedd343494f9403cc0ebe74d9a8e5c1e786227edff73d1cb171729f4213bfffa5f76efff5a80328ddcfdbfc8c2d13a9d2760835cfe17adc8b
SSDEEP: 768:tUxXVIbD41kpZf9G9laDgKsTvFZG4OPkpE9EgJLPWmrrlPsXg6F0P4YnBgBLm9Cd:emQS2INSC4ekunRrr+ELBghm94ck1
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
- pid 112, process Tempserver.exe
- pid 1392, process windows.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
Processes:
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\225659c6fa2732024934dc96358cf4cb.exe (process: windows.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\225659c6fa2732024934dc96358cf4cb.exe (process: windows.exe)

Loads dropped DLL (1 IoCs)
Processes:
- pid 112, process Tempserver.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\225659c6fa2732024934dc96358cf4cb = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows.exe\" .." (process: windows.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\225659c6fa2732024934dc96358cf4cb = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows.exe\" .." (process: windows.exe)

Drops file in Windows directory (2 IoCs)
Processes:
- File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new (process: 5fc654741cc610a02251d82dee0b3333373586d9646f1c2a4b0dd411cf026d66.exe)
- File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new (process: 5fc654741cc610a02251d82dee0b3333373586d9646f1c2a4b0dd411cf026d66.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- pid 1392, process windows.exe
- pid 1392, process windows.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
- Token: SeDebugPrivilege (pid 1392, process windows.exe)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source pid -> target pid, source process -> target process):
- PID 2044 wrote to memory of 112: 5fc654741cc610a02251d82dee0b3333373586d9646f1c2a4b0dd411cf026d66.exe -> Tempserver.exe (4 entries)
- PID 112 wrote to memory of 1392: Tempserver.exe -> windows.exe (4 entries)
- PID 1392 wrote to memory of 1440: windows.exe -> netsh.exe (4 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\5fc654741cc610a02251d82dee0b3333373586d9646f1c2a4b0dd411cf026d66.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\5fc654741cc610a02251d82dee0b3333373586d9646f1c2a4b0dd411cf026d66.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Tempserver.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Tempserver.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Roaming\windows.exe (level 3)
      command line: "C:\Users\Admin\AppData\Roaming\windows.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\netsh.exe (level 4)
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\windows.exe" "windows.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Tempserver.exe
  Filesize: 43KB
  MD5: 9e282b319fc10cfc8b80777285aef4f6
  SHA1: d2cf5ab312686f0378d9d64a9e65ecefdc1e5a88
  SHA256: 1476d634e65bb912f9245576294633e20c7c74fbd1574bcaf1cfa11716ae3e34
  SHA512: c7a86b7e4a38a670ee3d095f93a7920224fa8bc076d4ee068c36cda0198029e602e785cb542d97deae798c0750dbbbef2cc02ebf3d3386c3599202ff98345641
- C:\Users\Admin\AppData\Roaming\windows.exe
  Filesize: 43KB
  MD5: 9e282b319fc10cfc8b80777285aef4f6
  SHA1: d2cf5ab312686f0378d9d64a9e65ecefdc1e5a88
  SHA256: 1476d634e65bb912f9245576294633e20c7c74fbd1574bcaf1cfa11716ae3e34
  SHA512: c7a86b7e4a38a670ee3d095f93a7920224fa8bc076d4ee068c36cda0198029e602e785cb542d97deae798c0750dbbbef2cc02ebf3d3386c3599202ff98345641
- \Users\Admin\AppData\Roaming\windows.exe
  Filesize: 43KB
  MD5: 9e282b319fc10cfc8b80777285aef4f6
  SHA1: d2cf5ab312686f0378d9d64a9e65ecefdc1e5a88
  SHA256: 1476d634e65bb912f9245576294633e20c7c74fbd1574bcaf1cfa11716ae3e34
  SHA512: c7a86b7e4a38a670ee3d095f93a7920224fa8bc076d4ee068c36cda0198029e602e785cb542d97deae798c0750dbbbef2cc02ebf3d3386c3599202ff98345641
- memory/112-59-0x0000000075F81000-0x0000000075F83000-memory.dmp
  Filesize: 8KB
- memory/112-61-0x0000000074CB0000-0x000000007525B000-memory.dmp
  Filesize: 5.7MB
- memory/112-56-0x0000000000000000-mapping.dmp
- memory/112-67-0x0000000074CB0000-0x000000007525B000-memory.dmp
  Filesize: 5.7MB
- memory/1392-63-0x0000000000000000-mapping.dmp
- memory/1392-69-0x0000000074CB0000-0x000000007525B000-memory.dmp
  Filesize: 5.7MB
- memory/1392-71-0x0000000074CB0000-0x000000007525B000-memory.dmp
  Filesize: 5.7MB
- memory/1440-68-0x0000000000000000-mapping.dmp
- memory/2044-60-0x0000000000B26000-0x0000000000B45000-memory.dmp
  Filesize: 124KB
- memory/2044-54-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp
  Filesize: 10.1MB
- memory/2044-55-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp
  Filesize: 16.6MB