Analysis
- max time kernel: 206s
- max time network: 75s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 19:35
Static task: static1
Behavioral task: behavioral1
- Sample: c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe
- Resource: win10v2004-20221111-en
General
- Target: c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe
- Size: 207KB
- MD5: 1dd570fecefd5c56cb21ed7ee72c8b41
- SHA1: 0fb3a84783f1342cc68afa053961f16d1280ea6e
- SHA256: c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96
- SHA512: ff9ebebb8bb2e8ee414477dff5a95542dc5d8ba25c63c1c2c45adac6ecfd9bfbe08e8bf32c564fa30601a2e4ae02f6f017ae0491383740a11d778e4d3e2a3589
- SSDEEP: 3072:m9Va9YHpRXusg+nNAxL70OUizr1QtrXvtQo+r+D2fL5rC63Q77NOmYZAWkdJqxLu:Hf9dQ7JQ3kdM/9ikg/8KJnz8
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 588, process explorer.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe (process explorer.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe (process explorer.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .." (process explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .." (process explorer.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - pid 588, process explorer.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeDebugPrivilege, pid 588, process explorer.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 516 wrote to memory of 588: pid 516, process c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe, target process explorer.exe
  - PID 516 wrote to memory of 588: pid 516, process c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe, target process explorer.exe
  - PID 516 wrote to memory of 588: pid 516, process c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe, target process explorer.exe
  - PID 588 wrote to memory of 568: pid 588, process explorer.exe, target process netsh.exe
  - PID 588 wrote to memory of 568: pid 588, process explorer.exe, target process netsh.exe
  - PID 588 wrote to memory of 568: pid 588, process explorer.exe, target process netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    Signatures:
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
      Signatures:
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  Filesize: 207KB
  MD5: 1dd570fecefd5c56cb21ed7ee72c8b41
  SHA1: 0fb3a84783f1342cc68afa053961f16d1280ea6e
  SHA256: c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96
  SHA512: ff9ebebb8bb2e8ee414477dff5a95542dc5d8ba25c63c1c2c45adac6ecfd9bfbe08e8bf32c564fa30601a2e4ae02f6f017ae0491383740a11d778e4d3e2a3589
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  Filesize: 207KB
  MD5: 1dd570fecefd5c56cb21ed7ee72c8b41
  SHA1: 0fb3a84783f1342cc68afa053961f16d1280ea6e
  SHA256: c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96
  SHA512: ff9ebebb8bb2e8ee414477dff5a95542dc5d8ba25c63c1c2c45adac6ecfd9bfbe08e8bf32c564fa30601a2e4ae02f6f017ae0491383740a11d778e4d3e2a3589
- memory/516-54-0x000007FEF3290000-0x000007FEF3CB3000-memory.dmp
  Filesize: 10.1MB
- memory/516-55-0x000007FEF15D0000-0x000007FEF2666000-memory.dmp
  Filesize: 16.6MB
- memory/516-56-0x000007FEFB641000-0x000007FEFB643000-memory.dmp
  Filesize: 8KB
- memory/568-62-0x0000000000000000-mapping.dmp
- memory/588-57-0x0000000000000000-mapping.dmp
- memory/588-60-0x000007FEF3290000-0x000007FEF3CB3000-memory.dmp
  Filesize: 10.1MB
- memory/588-61-0x000007FEF15D0000-0x000007FEF2666000-memory.dmp
  Filesize: 16.6MB