Analysis

max time kernel: 143s
max time network: 179s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 21:18

Static task: static1

Behavioral task: behavioral1
Sample: ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
Resource: win10v2004-20221111-en

The signatures, process tree and dropped files below come from the windows7_x64 run (behavioral1, resource win7-20221111-en); the win10v2004 run (behavioral2) is not included on this page.
General

Target: ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
Size: 2.4MB
MD5: 998f77aeeafe948afd2332dc3813b0d0
SHA1: 873ca6cb898f720a41315f42c359a5b3755116c5
SHA256: ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2
SHA512: 12fae2c27b87d4e22b965fac8bd75b425fc2d0c803dfd2f006957a30ddb4e20edd6fc5024269cbe076005497e307cc8f7a1a60d0e2a76fc3341db94277c61ec0
SSDEEP: 24576:lMOO6fBzJuMiuaU6hhkX54k5nvVeBeCQiqElvMQKVNsDr+ClG82Zkw3BOTvEeEZx:Cn6xnvVeBKSMnVNqlG6VTceWrQA
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1936  empty.exe

Drops file in Windows directory 1 IoCs
Processes:
  description   ioc                   process
  File created  C:\Windows\empty.exe  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic drive-enumeration signature; nothing else in this report (no bulk file modification, no ransom note) corroborates ransomware, so treat it as weak on its own.

Modifies Internet Explorer settings 14 IoCs
Processes:
  description      ioc                                                                                                                                  process
  Set value (int)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\it1686.com\Total = "126"                ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Key created      \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total                                  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"                         ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Key created      \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main                                              ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"    ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\it1686.com\NumberOfSubdomains = "1"    ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.it1686.com\ = "126"                ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Key created      \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.it1686.com                         ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.it1686.com\ = "63"                 ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\it1686.com\Total = "63"                 ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Key created      \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                                ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Key created      \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\it1686.com                             ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Key created      \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage                                        ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"                          ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe

The DOMStorage\<host> subkeys and their quota values (Total, NumberOfSubdomains) are written by the Internet Explorer engine when a page from that host uses DOM storage, and Main\WindowsSearch\Version is set while the engine initialises. Taken together they indicate that the sample rendered content from it1686.com / www.it1686.com through the IE engine (for example via an embedded WebBrowser control), so the domain is worth treating as a network indicator even though the Network section of this page is empty.
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes:
  description                            pid   process
  Token: 1                               1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeCreateTokenPrivilege          1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeAssignPrimaryTokenPrivilege   1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeLockMemoryPrivilege           1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeIncreaseQuotaPrivilege        1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeMachineAccountPrivilege       1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeTcbPrivilege                  1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeSecurityPrivilege             1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeTakeOwnershipPrivilege        1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeLoadDriverPrivilege           1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeSystemProfilePrivilege        1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeSystemtimePrivilege           1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeProfSingleProcessPrivilege    1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeIncBasePriorityPrivilege      1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeCreatePagefilePrivilege       1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeCreatePermanentPrivilege      1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeBackupPrivilege               1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeRestorePrivilege              1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeShutdownPrivilege             1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeDebugPrivilege                1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeAuditPrivilege                1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeSystemEnvironmentPrivilege    1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeChangeNotifyPrivilege         1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeRemoteShutdownPrivilege       1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeUndockPrivilege               1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeSyncAgentPrivilege            1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeEnableDelegationPrivilege     1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeManageVolumePrivilege         1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeImpersonatePrivilege          1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeCreateGlobalPrivilege         1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: 31                              1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: 32                              1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: 33                              1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: 34                              1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: 35                              1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeDebugPrivilege                1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  Token: SeDebugPrivilege                1936  empty.exe
  Token: 33                              1936  empty.exe
  Token: SeIncBasePriorityPrivilege      1936  empty.exe

The 36 rows for PID 1368 are privilege LUIDs 1 through 35 in ascending order, followed by a second SeDebugPrivilege. Triage prints the bare LUID number where it has no name for it; in winnt.h, 31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. A contiguous sweep like this is the footprint of code that calls AdjustTokenPrivileges for every LUID in turn, not of a process enabling the few privileges it actually needs; empty.exe, by contrast, enables only SeDebugPrivilege, SeIncreaseWorkingSetPrivilege (33) and SeIncBasePriorityPrivilege.
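The sweep pattern described above can be picked out mechanically from a token listing. The following is an added example written for this page, not code from the report or the sandbox: it parses lines in the Triage "Token: <privilege-or-LUID> <pid> <image>" layout, maps named privileges to their winnt.h LUIDs, and flags any process whose enabled LUIDs form a long consecutive run. The sample lines are constructed from the listing above; the run-length threshold (20) and all function names are assumptions of the example.

```python
"""Spot an 'enable every privilege' sweep in a sandbox AdjustPrivilegeToken listing.

Added example; not part of the original report. Input lines follow the Triage
layout "Token: <privilege-or-LUID> <pid> <image>". The sample is constructed
from that listing; the sweep threshold is an assumption.
"""
import re
from collections import defaultdict

# Well-known privilege LUIDs from winnt.h, SE_CREATE_TOKEN_PRIVILEGE (2) through
# SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35). The sandbox prints a bare number for
# LUIDs it has no name for (1, and 31-35 on this page).
WELL_KNOWN = [
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeIncreaseQuotaPrivilege", "SeMachineAccountPrivilege", "SeTcbPrivilege",
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfSingleProcessPrivilege",
    "SeIncBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege",
    "SeAuditPrivilege", "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege",
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeSyncAgentPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege", "SeTrustedCredManAccessPrivilege", "SeRelabelPrivilege",
    "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege", "SeCreateSymbolicLinkPrivilege",
]
PRIV_LUID = {name: luid for luid, name in enumerate(WELL_KNOWN, start=2)}

# Privileges whose enablement by a user-dropped binary deserves a second look.
HIGH_VALUE = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeImpersonatePrivilege",
}

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_token_lines(lines):
    """Return (pid, image, privilege_text, luid_or_None) for each matching line."""
    events = []
    for line in lines:
        m = TOKEN_RE.search(line)
        if not m:
            continue
        priv, pid, image = m.group(1), int(m.group(2)), m.group(3)
        luid = int(priv) if priv.isdigit() else PRIV_LUID.get(priv)  # None if unknown name
        events.append((pid, image, priv, luid))
    return events


def longest_run(luids):
    """Length of the longest run of consecutive integers in `luids` (0 if empty)."""
    best = cur = 0
    prev = None
    for value in sorted(set(luids)):
        cur = cur + 1 if prev is not None and value == prev + 1 else 1
        best = max(best, cur)
        prev = value
    return best


def analyse(events, sweep_min=20):
    """Per PID: distinct LUIDs, longest consecutive run, sweep verdict, notable names.

    A run of sweep_min or more consecutive LUIDs is what a loop over every
    privilege produces; a process asking only for what it needs enables a few.
    """
    per_pid = defaultdict(lambda: {"image": None, "luids": [], "names": set()})
    for pid, image, priv, luid in events:
        rec = per_pid[pid]
        rec["image"] = image
        rec["names"].add(priv)
        if luid is not None:
            rec["luids"].append(luid)
    results = {}
    for pid, rec in per_pid.items():
        run = longest_run(rec["luids"])
        results[pid] = {
            "image": rec["image"],
            "distinct": len(set(rec["luids"])),
            "longest_run": run,
            "sweep": run >= sweep_min,
            "high_value": sorted(rec["names"] & HIGH_VALUE),
        }
    return results


# Sample constructed from the listing above: PID 1368 enables LUID 1, the named
# privileges 2-30, the bare LUIDs 31-35, then SeDebugPrivilege once more;
# PID 1936 (empty.exe) has only three entries.
IMAGE = "ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe"
_SEQ_1368 = ["1"] + WELL_KNOWN[:29] + ["31", "32", "33", "34", "35", "SeDebugPrivilege"]
SAMPLE_LINES = [f"Token: {p} 1368 {IMAGE}" for p in _SEQ_1368] + [
    "Token: SeDebugPrivilege 1936 empty.exe",
    "Token: 33 1936 empty.exe",
    "Token: SeIncBasePriorityPrivilege 1936 empty.exe",
]

if __name__ == "__main__":
    for pid, r in analyse(parse_token_lines(SAMPLE_LINES)).items():
        verdict = "privilege sweep" if r["sweep"] else "selective"
        print(f"{pid} {r['image']}: {r['distinct']} LUIDs, run={r['longest_run']} "
              f"-> {verdict}; notable={r['high_value']}")
```

On the sample, PID 1368 scores a run of 35 and is flagged as a sweep, while empty.exe scores a run of 1 and is only noted for SeDebugPrivilege. The sweep alone is not proof of malice (some installers and packers do the same), which is why the high-value list is reported alongside it for the analyst to weigh against the drop-and-execute behaviour elsewhere in the report.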
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid   process
  1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe
  1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe

Suspicious use of WriteProcessMemory 4 IoCs
Processes:
  description                        pid   process                                                                target process
  PID 1368 wrote to memory of 1936   1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe  empty.exe
  PID 1368 wrote to memory of 1936   1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe  empty.exe
  PID 1368 wrote to memory of 1936   1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe  empty.exe
  PID 1368 wrote to memory of 1936   1368  ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe  empty.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe (PID 1368)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe"
   - Drops file in Windows directory
   - Modifies Internet Explorer settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\empty.exe (PID 1936, child of 1368)
      Command line: C:\Windows\empty.exe 1368
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

The single argument passed to empty.exe, 1368, is the PID of the process that dropped and started it. The drop into C:\Windows succeeding also tells you the sample ran with write access to the system directory (the sandbox user is Admin); a standard user would not have it.
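The drop, execute and parent-to-child write events above are the kind of thing worth correlating rather than reading one signature at a time. The following is an added example written for this page, not code from the report or the sandbox: it takes a small event list constructed from the signatures and process tree above and runs four rules over it, one of which separates the few WriteProcessMemory calls that CreateProcess itself makes into a brand-new child from injection-shaped writes into unrelated processes. The event field names, the %WINDIR% prefix and the write-count threshold (8) are assumptions of the example, not a sandbox API.

```python
"""Correlate drop, execute and parent-to-child memory writes from a sandbox run.

Added example; not part of the original report. The event records are
constructed from the signature and process listings on this page; the field
names, the %WINDIR% prefix and the write-count threshold are assumptions of
this example, not a sandbox API.
"""
import re

SYSTEM_DIRS = ("c:\\windows",)  # assumption: the sandbox image's %WINDIR%

# Constructed from the report: the dropper (PID 1368) writes C:\Windows\empty.exe,
# starts it with its own PID as the argument, and writes into it four times.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1368, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2.exe"'},
    {"type": "file_create", "pid": 1368, "path": r"C:\Windows\empty.exe"},
    {"type": "process", "pid": 1936, "ppid": 1368,
     "image": r"C:\Windows\empty.exe", "cmdline": r"C:\Windows\empty.exe 1368"},
] + [{"type": "mem_write", "src": 1368, "dst": 1936} for _ in range(4)]


def in_system_dir(path):
    """True if `path` lies under one of SYSTEM_DIRS (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def split_args(cmdline):
    """Minimal Windows-style tokeniser: quoted tokens stay whole, quotes are stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def correlate(events, creation_write_max=8):
    """Return findings as tuples whose first element names the rule that fired."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] != "file_create":
            continue
        writer = procs.get(e["pid"])
        # Rule 1: a binary running from outside %WINDIR% writes a file into it.
        if in_system_dir(e["path"]) and writer and not in_system_dir(writer["image"]):
            findings.append(("writes_system_dir", e["pid"], e["path"]))
        # Rule 2: the written file is then started as a child of the writer.
        for pid, p in procs.items():
            if p["ppid"] == e["pid"] and p["image"].lower() == e["path"].lower():
                findings.append(("drop_and_execute", e["pid"], pid, e["path"]))
    # Rule 3: a child is handed its parent's PID on the command line, a hint
    # that it is meant to wait on, clean up or watch the process that started it.
    for pid, p in procs.items():
        if p["ppid"] is not None and str(p["ppid"]) in split_args(p["cmdline"])[1:]:
            findings.append(("parent_pid_in_cmdline", pid, p["ppid"]))
    # Rule 4: classify cross-process writes. A handful of writes from a parent
    # into the child it just created is what CreateProcess itself does; writes
    # into any other process, or many of them, are the injection-shaped case.
    writes = {}
    for e in events:
        if e["type"] == "mem_write":
            key = (e["src"], e["dst"])
            writes[key] = writes.get(key, 0) + 1
    for (src, dst), n in writes.items():
        is_own_child = procs.get(dst, {}).get("ppid") == src
        benign = is_own_child and n <= creation_write_max
        findings.append(("creation_time_writes" if benign else "cross_process_write", src, dst, n))
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On the sample events, rules 1 to 3 fire for the 1368 / 1936 pair and the four writes are classified as creation-time rather than as injection; adding a write in the other direction (1936 into 1368) produces a cross_process_write finding, since 1368 is not a child of 1936. The point for triage is that "Suspicious use of WriteProcessMemory" on this page is explained by process creation alone, while the drop into C:\Windows followed by execution with the parent's PID is the behaviour that actually needs follow-up.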
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\empty.exe
  Filesize: 9KB
  MD5: 523d5c39f9d8d2375c3df68251fa2249
  SHA1: d4ed365c44bec9246fc1a65a32a7791792647a10
  SHA256: 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
  SHA512: 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/1368-54-0x0000000076041000-0x0000000076043000-memory.dmp
  Filesize: 8KB

memory/1936-57-0x0000000000000000-mapping.dmp