Analysis
- max time kernel: 153s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 07:19

Static task: static1

Behavioral task: behavioral1
- Sample: a4e810d15491dd0d381e6846ef18d89d41d351b3995d8ddc9bc68b68d739506e.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: a4e810d15491dd0d381e6846ef18d89d41d351b3995d8ddc9bc68b68d739506e.exe
- Resource: win10v2004-20221111-en

The signatures, process tree and memory dumps on this page are from the Windows 7 x64 run (the platform and resource listed above). The behavioral2 (Windows 10) task is listed, but none of its results appear here.
General
- Target: a4e810d15491dd0d381e6846ef18d89d41d351b3995d8ddc9bc68b68d739506e.exe
- Size: 443KB
- MD5: 21b7aa9ee2bf500e086236044c072e95
- SHA1: f2f6e913df46609733c6b60e1b463a729c4d5a14
- SHA256: a4e810d15491dd0d381e6846ef18d89d41d351b3995d8ddc9bc68b68d739506e
- SHA512: ce038c09e26d10dbbecdb4e09f84450ae55794e9b1fb0cf113106c8a3cb420ed3983baed9b35384f0fba09842416230515bdcabbe4b7cbf0891b9a377faf5984
- SSDEEP: 6144:iybSKuA7VgHTXmFvmrDJR+fueWf6z7JlEaX7UL7kz:iybSOWHTgIIWf6zXbU
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - server.exe, PID 1464
- Modifies Windows Firewall (1 TTP, 1 IoC)
  - netsh.exe, PID 1460, spawned by server.exe (command line in the process tree below)
- Drops startup file (2 IoCs)
  - server.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e54ea5bda0ba3d62cae87c94228e53f6.exe
  - server.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e54ea5bda0ba3d62cae87c94228e53f6.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - server.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\e54ea5bda0ba3d62cae87c94228e53f6 = "\"C:\\ProgramData\\server.exe\" .."
  - server.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e54ea5bda0ba3d62cae87c94228e53f6 = "\"C:\\ProgramData\\server.exe\" .."
  The same 32-character hex string, e54ea5bda0ba3d62cae87c94228e53f6, serves as the Run value name in both the user hive (S-1-5-21-...-1000) and HKLM and as the Startup-folder filename, so one string covers all three persistence locations when hunting. Both Run values launch the dropped copy from C:\ProgramData with a trailing ".." argument.
- Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That is the generic text attached to this signature. The only file activity recorded in this report is the drop of C:\ProgramData\server.exe and the Startup-folder copy; nothing here shows file encryption or mass file modification, so the ransomware reading is not supported for this sample.
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  - PID 1584 (a4e810d15491dd0d381e6846ef18d89d41d351b3995d8ddc9bc68b68d739506e.exe): SeDebugPrivilege, 33, SeIncBasePriorityPrivilege
  - PID 1464 (server.exe): SeDebugPrivilege once, then the pair (33, SeIncBasePriorityPrivilege) seven times
  The sandbox prints 33 as a raw LUID; it is SeIncreaseWorkingSetPrivilege. SeDebugPrivilege is the one of interest, since it allows a process to open and write to other processes regardless of owner.
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 1584 (a4e810d15491dd0d381e6846ef18d89d41d351b3995d8ddc9bc68b68d739506e.exe) wrote to memory of PID 1464 (server.exe), three times
  - PID 1464 (server.exe) wrote to memory of PID 1460 (netsh.exe), three times
  In both cases the target is the writer's own freshly spawned child in the process tree; no writes into an unrelated process are recorded.
Processes
1. C:\Users\Admin\AppData\Local\Temp\a4e810d15491dd0d381e6846ef18d89d41d351b3995d8ddc9bc68b68d739506e.exe (PID 1584)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a4e810d15491dd0d381e6846ef18d89d41d351b3995d8ddc9bc68b68d739506e.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\server.exe (PID 1464, child of 1)
      Command line: "C:\ProgramData\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe (PID 1460, child of 2)
         Command line: netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall

The netsh call uses the legacy "netsh firewall" context, which Windows 7 still accepts; "add allowedprogram ... ENABLE" puts the dropped binary on the firewall's program exception list, so unsolicited inbound connections to server.exe are allowed. Together with the two Run keys and the Startup-folder copy, that gives the dropped copy both persistence and reachability from the network.
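The following hunting script is an added example written for this report; it is not part of the sandbox output. It checks a Windows host for the four artifacts recorded above: the Run values under HKCU and HKLM, the 32-hex-named executable in any user's Startup folder, the dropped C:\ProgramData\server.exe compared against the report's SHA256, and a firewall rule scoped to server.exe. The value name, path and hash are copied from the report; the hex-filename pattern and the "ends in \server.exe" match are my generalisations. It assumes an elevated PowerShell 4.0 or later session (for Get-FileHash and read access to HKLM and other profiles); the firewall check needs the NetSecurity module (Windows 8 / Server 2012 or later) and is skipped where it is absent.

```powershell
# Added hunting script for the artifacts in this sandbox report (not part of
# the report itself). Run from an elevated PowerShell 4.0+ session.
# The value name, dropped path and SHA256 below are copied from the report.

$RunValueName = 'e54ea5bda0ba3d62cae87c94228e53f6'
$DroppedPath  = 'C:\ProgramData\server.exe'
$KnownSha256  = 'A4E810D15491DD0D381E6846EF18D89D41D351B3995D8DDC9BC68B68D739506E'
$Findings     = New-Object 'System.Collections.Generic.List[object]'

# 1. Run keys. The sample wrote the same value name under the user hive and
#    HKLM. HKCU covers the current user only; other loaded profiles would need
#    the HKU: provider.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($KeyPath in $RunKeys) {
    $Key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $Key) { continue }
    foreach ($Name in $Key.GetValueNames()) {
        $Value = [string]$Key.GetValue($Name)
        # Flag the known value name, or any autorun that points at the dropped path.
        if ($Name -eq $RunValueName -or $Value -like "*$DroppedPath*") {
            $Findings.Add([pscustomobject]@{ Type = 'RunKey'; Location = "$KeyPath\$Name"; Detail = $Value })
        }
    }
}

# 2. Startup-folder drop in every profile. The report shows a 32-hex-character
#    filename equal to the Run value name; the pattern match is a generalisation.
$StartupGlob = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe'
foreach ($File in (Get-ChildItem -Path $StartupGlob -ErrorAction SilentlyContinue)) {
    if ($File.BaseName -match '^[0-9a-f]{32}$') {
        $Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
        $Findings.Add([pscustomobject]@{ Type = 'StartupFile'; Location = $File.FullName; Detail = "SHA256=$Hash" })
    }
}

# 3. The dropped binary. In the report it is byte-identical to the submitted
#    sample, so an exact SHA256 comparison is meaningful here.
if (Test-Path -Path $DroppedPath) {
    $Hash    = (Get-FileHash -Path $DroppedPath -Algorithm SHA256).Hash
    $Verdict = if ($Hash -eq $KnownSha256) { 'matches report' } else { 'present, different hash' }
    $Findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Location = $DroppedPath; Detail = "SHA256=$Hash ($Verdict)" })
}

# 4. Firewall rule. "netsh firewall add allowedprogram" yields an allow rule
#    whose application filter is the program path. Get-NetFirewall* needs the
#    NetSecurity module (Windows 8 / Server 2012+); on Windows 7 use
#    netsh advfirewall firewall show rule name=all | Select-String server.exe
if (Get-Command -Name Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue) {
    foreach ($Filter in (Get-NetFirewallApplicationFilter | Where-Object { $_.Program -like '*\server.exe' })) {
        $Rule = $Filter | Get-NetFirewallRule
        $Findings.Add([pscustomobject]@{
            Type     = 'FirewallRule'
            Location = $Rule.DisplayName
            Detail   = "Program=$($Filter.Program) Action=$($Rule.Action) Enabled=$($Rule.Enabled)"
        })
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No artifacts from this report were found on this host.'
} else {
    $Findings | Format-Table -AutoSize
}
```

The Run-key check matches on either the value name or the target path, because a variant could keep the C:\ProgramData\server.exe path under a different value name; the firewall check matches on the program suffix for the same reason. A hit in any one category is enough to justify pulling the host for triage, since the report shows all four being created by a single process.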
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\server.exe
  - Filesize: 443KB
  - MD5: 21b7aa9ee2bf500e086236044c072e95
  - SHA1: f2f6e913df46609733c6b60e1b463a729c4d5a14
  - SHA256: a4e810d15491dd0d381e6846ef18d89d41d351b3995d8ddc9bc68b68d739506e
  - SHA512: ce038c09e26d10dbbecdb4e09f84450ae55794e9b1fb0cf113106c8a3cb420ed3983baed9b35384f0fba09842416230515bdcabbe4b7cbf0891b9a377faf5984
  The report lists this file twice with identical hashes; the duplicate entry is collapsed here. Every hash matches the submitted sample, so server.exe is a byte-identical copy of a4e810d15491dd0d381e6846ef18d89d41d351b3995d8ddc9bc68b68d739506e.exe rather than an unpacked or decrypted second stage; the sample's whole job in this run is to relocate itself to C:\ProgramData and persist from there.
- memory/1460-62-0x0000000000000000-mapping.dmp (netsh.exe, PID 1460, mapping)
- memory/1464-57-0x0000000000000000-mapping.dmp (server.exe, PID 1464, mapping)
- memory/1464-60-0x000007FEF3340000-0x000007FEF3D63000-memory.dmp: 10.1MB
- memory/1464-61-0x000007FEF1740000-0x000007FEF27D6000-memory.dmp: 16.6MB
- memory/1464-64-0x0000000001FC6000-0x0000000001FE5000-memory.dmp: 124KB
- memory/1464-65-0x0000000001FC6000-0x0000000001FE5000-memory.dmp: 124KB
- memory/1584-54-0x000007FEF3340000-0x000007FEF3D63000-memory.dmp: 10.1MB
- memory/1584-55-0x000007FEF1740000-0x000007FEF27D6000-memory.dmp: 16.6MB
- memory/1584-56-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp: 8KB

The two large regions (10.1MB at 0x000007FEF3340000 and 16.6MB at 0x000007FEF1740000) are dumped at the same addresses and sizes from both PID 1584 and PID 1464, consistent with the same modules being mapped in two processes that run the identical binary. The 124KB region in PID 1464 is dumped twice (dumps 64 and 65) from the same address range, so it captures the same memory at two points in time.