Analysis
-
max time kernel
151s -
max time network
190s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
25-11-2022 05:09
Static task
static1
Behavioral task
behavioral1
Sample
0acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
0acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538.exe
Resource
win10v2004-20221111-en
General
-
Target
0acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538.exe
-
Size
1.1MB
-
MD5
d631ca3c1d6970635ecee6f6ccf087fa
-
SHA1
db6cc11cea99f16e79b5c2944928d882316a37a6
-
SHA256
0acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538
-
SHA512
798f599ff0a13dc681aaa490e0f1337c463176b8ef34cf5dc8d74fb54fab185087e53fd825c57a20d9c823a889d260e727709c2e88c581573dd724000bcf140b
-
SSDEEP
24576:29tcBbHxQawkkAv/DEW7Mu0ikNyc+ccSO+Q5en0Ff54K+eJaw:ocBbRQaw/Av/oW7DL8kccMQ5en0FB44J
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
explorer.exepid process 1312 explorer.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
Processes:
explorer.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe explorer.exe -
Loads dropped DLL 1 IoCs
Processes:
0acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538.exepid process 2040 0acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .." explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .." explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
explorer.exepid process 1312 explorer.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
explorer.exedescription pid process Token: SeDebugPrivilege 1312 explorer.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
0acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538.exeexplorer.exedescription pid process target process PID 2040 wrote to memory of 1312 2040 0acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538.exe explorer.exe PID 2040 wrote to memory of 1312 2040 0acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538.exe explorer.exe PID 2040 wrote to memory of 1312 2040 0acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538.exe explorer.exe PID 2040 wrote to memory of 1312 2040 0acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538.exe explorer.exe PID 1312 wrote to memory of 572 1312 explorer.exe netsh.exe PID 1312 wrote to memory of 572 1312 explorer.exe netsh.exe PID 1312 wrote to memory of 572 1312 explorer.exe netsh.exe PID 1312 wrote to memory of 572 1312 explorer.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538.exe"C:\Users\Admin\AppData\Local\Temp\0acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\explorer.exe"C:\Users\Admin\AppData\Local\Temp\explorer.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeFilesize
1.1MB
MD5d631ca3c1d6970635ecee6f6ccf087fa
SHA1db6cc11cea99f16e79b5c2944928d882316a37a6
SHA2560acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538
SHA512798f599ff0a13dc681aaa490e0f1337c463176b8ef34cf5dc8d74fb54fab185087e53fd825c57a20d9c823a889d260e727709c2e88c581573dd724000bcf140b
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeFilesize
1.1MB
MD5d631ca3c1d6970635ecee6f6ccf087fa
SHA1db6cc11cea99f16e79b5c2944928d882316a37a6
SHA2560acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538
SHA512798f599ff0a13dc681aaa490e0f1337c463176b8ef34cf5dc8d74fb54fab185087e53fd825c57a20d9c823a889d260e727709c2e88c581573dd724000bcf140b
-
\Users\Admin\AppData\Local\Temp\explorer.exeFilesize
1.1MB
MD5d631ca3c1d6970635ecee6f6ccf087fa
SHA1db6cc11cea99f16e79b5c2944928d882316a37a6
SHA2560acc20365b1d66008cd1ea125c681d0d7d7cd3714dc7fc22b260a8c74ffb6538
SHA512798f599ff0a13dc681aaa490e0f1337c463176b8ef34cf5dc8d74fb54fab185087e53fd825c57a20d9c823a889d260e727709c2e88c581573dd724000bcf140b
-
memory/572-68-0x0000000000000000-mapping.dmp
-
memory/1312-61-0x0000000000000000-mapping.dmp
-
memory/1312-64-0x0000000001080000-0x00000000011AA000-memory.dmpFilesize
1.2MB
-
memory/1312-67-0x00000000005B0000-0x00000000005C2000-memory.dmpFilesize
72KB
-
memory/2040-54-0x0000000001220000-0x000000000134A000-memory.dmpFilesize
1.2MB
-
memory/2040-55-0x00000000761E1000-0x00000000761E3000-memory.dmpFilesize
8KB
-
memory/2040-57-0x0000000000A50000-0x0000000000AF2000-memory.dmpFilesize
648KB
-
memory/2040-58-0x00000000002C0000-0x00000000002C8000-memory.dmpFilesize
32KB
-
memory/2040-59-0x0000000000490000-0x00000000004A2000-memory.dmpFilesize
72KB