Analysis
- max time kernel: 150s
- max time network: 65s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 17:52
Static task: static1
Behavioral task: behavioral1
  Sample: e3818b610a911626f803d2ae5efeb3f54e4c5954be52d9f9dc3ef206511aedff.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: e3818b610a911626f803d2ae5efeb3f54e4c5954be52d9f9dc3ef206511aedff.exe
  Resource: win10v2004-20220901-en
General
- Target: e3818b610a911626f803d2ae5efeb3f54e4c5954be52d9f9dc3ef206511aedff.exe
- Size: 437KB
- MD5: 59eb868655ab6477207fe0bd758e5016
- SHA1: 13298ce8af1c2e0af32a063031e1125daf20a735
- SHA256: e3818b610a911626f803d2ae5efeb3f54e4c5954be52d9f9dc3ef206511aedff
- SHA512: 6f7e06caa9f0a12cbda6f49d3904aeaadcfad3b5efb04621503a70a0efdf0b206d27b09e7c6b2b699ee17d0f759c9cd5cc3389a61aa07b07c60e75030cc0b3e3
- SSDEEP: 3072:YyWxqcCafgZUDnDKLQ0P9vDgsxW871xibx6ujQvUGKg/ApLRVfrQb85N8QgQ858K:YBqcxfO8GLpZD3s8RUcujQvbqz
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1268  svchost.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Processes (svchost.exe):
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1716  e3818b610a911626f803d2ae5efeb3f54e4c5954be52d9f9dc3ef206511aedff.exe  (2 identical entries)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (svchost.exe):
    Set value (str)  \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid 1268  svchost.exe  (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  pid 1268  svchost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 1716 wrote to memory of 1268  (e3818b610a911626f803d2ae5efeb3f54e4c5954be52d9f9dc3ef206511aedff.exe -> svchost.exe)  (4 identical entries)
    PID 1268 wrote to memory of 1492  (svchost.exe -> netsh.exe)  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\e3818b610a911626f803d2ae5efeb3f54e4c5954be52d9f9dc3ef206511aedff.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3818b610a911626f803d2ae5efeb3f54e4c5954be52d9f9dc3ef206511aedff.exe"
  Level 1, PID 1716
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    Level 2, PID 1268
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
      Level 3, PID 1492
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 437KB
  MD5: 59eb868655ab6477207fe0bd758e5016
  SHA1: 13298ce8af1c2e0af32a063031e1125daf20a735
  SHA256: e3818b610a911626f803d2ae5efeb3f54e4c5954be52d9f9dc3ef206511aedff
  SHA512: 6f7e06caa9f0a12cbda6f49d3904aeaadcfad3b5efb04621503a70a0efdf0b206d27b09e7c6b2b699ee17d0f759c9cd5cc3389a61aa07b07c60e75030cc0b3e3