Analysis

- max time kernel: 119s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 22:51
Static task: static1

Behavioral task: behavioral1
- Sample: 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
- Resource: win10v2004-20221111-en
General

- Target: 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
- Size: 542KB
- MD5: 71cdb19d4759e7e0a29701c6b4049eab
- SHA1: f68856c3daf7456f9d9de83c41f1d7cbed7bfb88
- SHA256: 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b
- SHA512: 782c5ea2063c3554b09d7a5649100cbe508b57a8012bb8e74b2bcf8d59c1ad372414303c1e5fbb13a6749e0154099adf5b992c9f36a24bba7e0a41c3d83a2bcf
- SSDEEP: 12288:Qmcfuqg3FMvRQ0u9AxObQWES0uRLOQ2NYgTM9kHqHxRK7ldV/G:iSMvqAQbQWWQSnjaWln
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 1760 7763.tmp
  - 1372 Explorer.EXE

- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 1648 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (reg.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe\" /s /n /i:U shell32.dll" (reg.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  - 1648 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe

- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid / process):
  - 1484 cmd.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 1760 7763.tmp

- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  - 1372 Explorer.EXE (2 records)

- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid / process):
  - 1372 Explorer.EXE (2 records)

- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (pid / process / target pid / target process; identical records grouped, 20 in total):
  - PID 1648 (0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe) wrote to memory of PID 1484 (cmd.exe): 7 records
  - PID 1484 (cmd.exe) wrote to memory of PID 864 (reg.exe): 4 records
  - PID 1484 (cmd.exe) wrote to memory of PID 624 (reg.exe): 4 records
  - PID 1648 (0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe) wrote to memory of PID 1760 (7763.tmp): 4 records
  - PID 1760 (7763.tmp) wrote to memory of PID 1372 (Explorer.EXE): 1 record
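The "Adds Run key" IoC above records the whole persistence mechanism: an HKCU Run value named AdobeUpdate whose data points at a copy of the sample under AppData\Roaming\Microsoft, invoked with /s /n /i:U shell32.dll, which is regsvr32's switch syntax (silent, skip DllRegisterServer, call DllInstall with "U"). The Python below is an added example, not part of the report or of the sandbox: it applies a few triage heuristics to Run values. The two values it inspects are constructed, the first from the report's reg.exe command line and the second as a benign control; the heuristics and the list of user-writable directories are the author's own choices.

```python
"""Triage Run-key persistence values like the AdobeUpdate entry in this report.

Added example, not part of the sandbox report. The two registry values
below are constructed (the first from the report's reg.exe command line,
the second as a benign control); the heuristics are the author's own.
"""
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_RUN_VALUES = {
    "AdobeUpdate": r'"C:\Users\Admin\AppData\Roaming\Microsoft\0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe" /s /n /i:U shell32.dll',
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',  # constructed control
}

# Directories an unprivileged user can write to; a Run value pointing here
# needs no admin rights to plant, which is why commodity malware favours them.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
HASH_NAME = re.compile(r"^[0-9a-f]{32,64}\.exe$", re.I)
VENDOR_SUFFIX = re.compile(r"(updater|update|service|helper|agent)$")


def split_command(value):
    """Split Run value data into (executable path, arguments).

    Handles a quoted path ("C:\\dir with spaces\\x.exe" args) and the plain
    unquoted form (C:\\x.exe args).
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:  # unterminated quote: treat the rest as the path
            return value[1:], ""
        return value[1:end], value[end + 1:].strip()
    path, _, args = value.partition(" ")
    return path, args.strip()


def triage_run_value(name, data):
    """Return the reasons a Run value looks like malware persistence (empty if none)."""
    exe, args = split_command(data)
    exe_low = exe.lower()
    basename = re.split(r"[\\/]", exe)[-1]
    reasons = []
    if any(d in exe_low for d in USER_WRITABLE):
        reasons.append("executable is in a user-writable directory")
    if HASH_NAME.match(basename):
        reasons.append("executable is named after a hash")
    # /s /n /i:<string> <dll> is regsvr32's switch syntax; seeing it on any
    # other binary means that binary is standing in for regsvr32.
    if re.search(r"(^|\s)/i:", args) and basename.lower() != "regsvr32.exe":
        reasons.append("regsvr32-style /i: switch passed to a non-regsvr32 binary")
    vendor = VENDOR_SUFFIX.sub("", name.lower())
    if vendor and vendor not in exe_low:
        reasons.append(f"value name implies '{vendor}' but the path does not mention it")
    return reasons


def triage_run_key(values):
    """Map value name -> reasons for every suspicious value under the Run key."""
    result = {}
    for name, data in values.items():
        reasons = triage_run_value(name, data)
        if reasons:
            result[name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in triage_run_key(SAMPLE_RUN_VALUES).items():
        print(f"{RUN_KEY}\\{name}")
        for r in reasons:
            print("  -", r)
```

On the report's entry all four heuristics fire (user-writable directory, hash-named executable, /i: switch on a non-regsvr32 binary, and an "Adobe" value name pointing at a path that never mentions Adobe); the constructed OneDrive control trips none. On a live host the same function can be fed the output of `reg query` or `Get-ItemProperty` for the HKCU and HKLM Run keys.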
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Executes dropped EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage

   2. C:\Users\Admin\AppData\Local\Temp\0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
         - Suspicious behavior: RenamesItself
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
            - Adds Run key to start application

         4. C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v AdobeUpdate /d "\"C:\Users\Admin\AppData\Roaming\Microsoft\0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe\" /s /n /i:U shell32.dll"
            - Adds Run key to start application

      3. C:\Users\Admin\AppData\Local\Temp\7763.tmp
         Command line: "C:\Users\Admin\AppData\Local\Temp\7763.tmp" 1372 "C:\Users\Admin\AppData\Roaming\Microsoft\mnplays.dll"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
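Read together, the process tree and the WriteProcessMemory and AdjustPrivilegeToken IoCs describe one sequence: the sample spawns cmd.exe to run update.bat (persistence via reg.exe), then spawns 7763.tmp with Explorer's PID (1372) and the path of the dropped mnplays.dll on its command line; 7763.tmp enables SeDebugPrivilege and writes into Explorer.EXE. Every other write in the list goes from a parent into a child it has just created, which is ordinary process start-up. The Python below is an added example, not part of the report or of the sandbox: it rebuilds the tree from records constructed from this page and flags only the cross-process writes that do not follow the parent-to-new-child pattern. Pairing reg.exe PIDs 864 and 624 with the two reg commands in that order is an assumption (the report does not say which is which).

```python
"""Reconstruct a sandbox process tree and flag remote-injection writes.

Added example, not part of the sandbox report. The records below are
constructed from the report's process tree and WriteProcessMemory IoCs;
pairing reg.exe PIDs 864/624 with the two reg commands is an assumption.
"""
import re
from collections import defaultdict

SAMPLE = "0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming\Microsoft"

# (pid, parent pid, image name, command line), constructed from the report.
PROCESSES = [
    (1372, None, "Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1648, 1372, SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    (1484, 1648, "cmd.exe", f'cmd /c ""{TEMP}\\update.bat" "'),
    (864, 1484, "reg.exe", r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"'),
    (624, 1484, "reg.exe",
     r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v AdobeUpdate '
     f'/d "\\"{ROAMING}\\{SAMPLE}\\" /s /n /i:U shell32.dll"'),
    (1760, 1648, "7763.tmp", f'"{TEMP}\\7763.tmp" 1372 "{ROAMING}\\mnplays.dll"'),
]

# (source pid, target pid) for each WriteProcessMemory IoC; 20 in the report.
WRITES = ([(1648, 1484)] * 7 + [(1484, 864)] * 4 + [(1484, 624)] * 4
          + [(1648, 1760)] * 4 + [(1760, 1372)])

# pid -> privileges enabled via AdjustTokenPrivileges (from the report).
PRIVILEGES = {1760: {"SeDebugPrivilege"}}


def render_tree(processes):
    """Return the tree as indented 'image (pid)' lines, children in report order."""
    children = defaultdict(list)
    roots = []
    for pid, ppid, image, _cmd in processes:
        (roots if ppid is None else children[ppid]).append((pid, image))
    lines = []

    def walk(pid, image, depth):
        lines.append("  " * depth + f"{image} ({pid})")
        for cpid, cimage in children[pid]:
            walk(cpid, cimage, depth + 1)

    for pid, image in roots:
        walk(pid, image, 0)
    return lines


def find_remote_injection(processes, writes, privileges):
    """Flag writes that are not a parent writing into its own new child.

    A parent writing to a child it just created is normal start-up
    behaviour; a write into an unrelated, already-running process whose
    PID the writer was handed on its command line is the injection pattern.
    """
    by_pid = {p[0]: p for p in processes}
    findings = []
    for src, dst in sorted(set(writes)):
        if by_pid[dst][1] == src:
            continue
        cmdline = by_pid[src][3]
        # the target PID as a standalone token on the writer's command line
        on_cmdline = re.search(rf"(?<![\w\\]){dst}(?![\w\\])", cmdline) is not None
        findings.append({
            "source": src,
            "source_image": by_pid[src][2],
            "target": dst,
            "target_image": by_pid[dst][2],
            "target_pid_on_cmdline": on_cmdline,
            "debug_privilege": "SeDebugPrivilege" in privileges.get(src, set()),
        })
    return findings


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    for finding in find_remote_injection(PROCESSES, WRITES, PRIVILEGES):
        print(finding)
```

The only finding is 1760 (7763.tmp) writing into 1372 (Explorer.EXE), with the target PID present on the writer's command line and SeDebugPrivilege enabled, which is exactly the combination a detection rule on Sysmon-style process-creation and process-access telemetry should key on; the sixteen parent-to-child writes are filtered out without any allow-list.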
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Local\Temp\7763.tmp
  - Filesize: 40KB
  - MD5: f653b520294fb0a739d38c0e85b2aae2
  - SHA1: a29ef1f7b39736ee7afd3c7f3a66526c070ea12e
  - SHA256: 66f518ccecb8e07867e7f0df5c27acaa7ab0f1b7df4f320d441fbe9247eeb27f
  - SHA512: 9a47594d42ea63e1dc2395e021b34fb36f73aff2441c92afa8f034e1d7bf6336a2ddfc6ef4308ebece656868174f2e31394570977ebdc9b3c0ee468c9971fad4

- C:\Users\Admin\AppData\Local\Temp\update.bat
  - Filesize: 697B
  - MD5: 80eed3f72464a050a3ce772013c136cc
  - SHA1: ed1a534fd5e6428e1b26f4ae6e04594c79cff93d
  - SHA256: 997fcefd41f125dd389dc9dee0843141e759ae5f733c2d6edb25f9f4faebff06
  - SHA512: 34bf9db75770892e05e4c5d6f096da5f6930939b3e9dc1215506c3581c0cb6b57da2fca8b729396eef3befa1ec22124e832095436e16cf30644c2d289a7e06d5

- C:\Users\Admin\AppData\Roaming\Microsoft\mnplays.dll
  - Filesize: 317KB
  - MD5: 804a3c86c538352064eefca3429a1381
  - SHA1: 7ddf2774b89e73bd9e45fd4e00e3691d94a43571
  - SHA256: e4769ba677e6b93eadf449587a2914649f5125cc258571de1f6941a12b9ae5dc
  - SHA512: 54d4e266cd5f680b55589aaa2fbc16196e65dda6612e0ec4fbdc3c55ad0a27634d49471bba49bc6b108b4440c7fd6da284774f934bde97a8f98edc75ed8b029d

- \Users\Admin\AppData\Local\Temp\7763.tmp
  - Filesize: 40KB
  - MD5: f653b520294fb0a739d38c0e85b2aae2
  - SHA1: a29ef1f7b39736ee7afd3c7f3a66526c070ea12e
  - SHA256: 66f518ccecb8e07867e7f0df5c27acaa7ab0f1b7df4f320d441fbe9247eeb27f
  - SHA512: 9a47594d42ea63e1dc2395e021b34fb36f73aff2441c92afa8f034e1d7bf6336a2ddfc6ef4308ebece656868174f2e31394570977ebdc9b3c0ee468c9971fad4

- \Users\Admin\AppData\Roaming\Microsoft\mnplays.dll
  - Filesize: 317KB
  - MD5: 804a3c86c538352064eefca3429a1381
  - SHA1: 7ddf2774b89e73bd9e45fd4e00e3691d94a43571
  - SHA256: e4769ba677e6b93eadf449587a2914649f5125cc258571de1f6941a12b9ae5dc
  - SHA512: 54d4e266cd5f680b55589aaa2fbc16196e65dda6612e0ec4fbdc3c55ad0a27634d49471bba49bc6b108b4440c7fd6da284774f934bde97a8f98edc75ed8b029d

- memory/624-58-0x0000000000000000-mapping.dmp
- memory/864-57-0x0000000000000000-mapping.dmp
- memory/1484-55-0x0000000000000000-mapping.dmp
- memory/1648-54-0x0000000075811000-0x0000000075813000-memory.dmp
  - Filesize: 8KB
- memory/1760-60-0x0000000000000000-mapping.dmp