Analysis
-
max time kernel
205s -
max time network
97s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
25-11-2022 07:25
Behavioral task
behavioral1
Sample
963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe
Resource
win10v2004-20220812-en
General
-
Target
963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe
-
Size
2.6MB
-
MD5
05d5981642e6cd89a646b1854be683e6
-
SHA1
0d987ced733fbf76a4623176c503802d2cfe3932
-
SHA256
963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63
-
SHA512
1c3250c03d1e88db47cc5fe07eab550dfb2598b89945f5e6754413f7a26b5949d996cd5ef4f616bb2c5a78e1c95f46eda1eec000e8ac40e16490281503baa7b5
-
SSDEEP
49152:9RQi1iyA3ePyFmITaqZ4juFqR0axwwed/TPY/7N/1Xx2Wp+:wF93cQmjA4aI0aSfOPXx
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: 1.exe (PID 1380)
-
YARA rule match: vmprotect 2 IoCs
Resources: behavioral1/memory/1816-55-0x0000000000400000-0x00000000008FE000-memory.dmp, behavioral1/memory/1816-60-0x0000000000400000-0x00000000008FE000-memory.dmp
Both hits are the 0x400000-0x8FE000 range of the parent process (PID 1816). 0x400000 is the default image base for 32-bit PE executables, so this is almost certainly the sample's own image rather than a dropped payload: the on-disk binary is VMProtect-protected, and static analysis of it will show the protector's stub and virtualised code rather than the original logic.
-
Loads dropped DLL 1 IoCs
Processes: 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe (PID 1816)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a heuristic signature. Nothing else in the report (no file-modification, encryption or ransom-note signature) supports the ransomware label, so read it as drive enumeration, not as a classification.
-
Modifies Internet Explorer settings
Processes: 1.exe (PID 1380): Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main
Creation of this key on its own is weak evidence; it is also a side effect of initialising WinINet or urlmon components, which many benign programs do.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe (PID 1816, 1 hit); 1.exe (PID 1380, all remaining hits)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: AUDIODG.EXE (PID 1320): Token: 33, Token: SeIncBasePriorityPrivilege, Token: 33, Token: SeIncBasePriorityPrivilege
AUDIODG.EXE is the Windows audio device graph isolation process and appears in the process tree as a root process, not as a child of the sample; adjusting its own priority privilege at start-up is its normal behaviour. Treat this signature as sandbox noise rather than sample behaviour.
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: 1.exe (PID 1380), 3 hits
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: PID 1816 (963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe) wrote to memory of PID 1380 (1.exe), 4 events
All four writes go from the parent into the child it has just spawned. CreateProcess itself writes into a new child (its process parameters), so parent-to-child writes are expected during process creation and are not on their own evidence of injection. They are also what process hollowing of a freshly created child would look like, and this report does not contain enough detail (no suspended-thread or image-region information) to tell the two apart. Writes into a process the sample did not create would be the stronger signal, and none are recorded.
Processes
-
C:\Users\Admin\AppData\Local\Temp\963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe (PID 1816, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1.exe (PID 1380, level 2, child of PID 1816)
Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXE (PID 1320, level 1, not a child of the sample)
Command line: C:\Windows\system32\AUDIODG.EXE 0x560
- Suspicious use of AdjustPrivilegeToken
Execution chain: the sample drops 1.exe into the same %TEMP% directory it runs from and executes it; the hook installation and the Internet Explorer registry change are attributed to the dropped second stage, not to the parent.
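Parent-to-child WriteProcessMemory calls are part of normal process creation, so the four events in this report need to be read against the process tree before they count as injection evidence. The following is an added example (not Triage's own code) that parses the report's "wrote to memory of" rows, checks each target against the parent/child relationships shown in the tree above, and labels the write accordingly. The four event rows and the tree are copied from this report; the fifth input row, a write from PID 1380 into PID 9999, is constructed for contrast and does not appear in the report.

```python
"""Classify WriteProcessMemory events from a Triage report against its process tree.

Added example; not Triage's code. Event rows follow the layout seen on this page:
  PID <src> wrote to memory of <dst> <src> <src image> <dst image>
"""
import re
from collections import Counter

# Parent/child relationships from the report's process tree.
# The sample (PID 1816) spawned 1.exe (PID 1380); AUDIODG.EXE (PID 1320) is a root.
PROCESS_TREE = {
    1816: {"image": "963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe", "parent": None},
    1380: {"image": "1.exe", "parent": 1816},
    1320: {"image": "AUDIODG.EXE", "parent": None},
}

# First four rows copied from the report; the last row is CONSTRUCTED for contrast
# (PID 9999 / explorer.exe does not appear anywhere in the report).
WPM_EVENTS = """\
PID 1816 wrote to memory of 1380 1816 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe 1.exe
PID 1816 wrote to memory of 1380 1816 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe 1.exe
PID 1816 wrote to memory of 1380 1816 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe 1.exe
PID 1816 wrote to memory of 1380 1816 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe 1.exe
PID 1380 wrote to memory of 9999 1380 1.exe explorer.exe
"""

_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")

PARENT_TO_CHILD = "parent-to-child (consistent with process creation; hollowing not excluded)"
CROSS_PROCESS = "cross-process (possible injection, needs review)"


def parse_events(text):
    """Turn the report rows into dicts; rows that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        events.append({"src": int(src), "dst": int(dst),
                       "src_image": src_img, "dst_image": dst_img})
    return events


def classify(event, tree):
    """A write into the writer's own direct child is expected during CreateProcess.

    Anything else (a PID the writer did not create, or one absent from the tree)
    is a genuine cross-process write and deserves a closer look.
    """
    target = tree.get(event["dst"])
    if target is not None and target["parent"] == event["src"]:
        return PARENT_TO_CHILD
    return CROSS_PROCESS


def summarize(text=WPM_EVENTS, tree=PROCESS_TREE):
    """Count events per (source PID, target PID, label)."""
    counts = Counter()
    for ev in parse_events(text):
        counts[(ev["src"], ev["dst"], classify(ev, tree))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, dst, label), n in summarize().items():
        print(f"{src} -> {dst}: {n} write(s), {label}")
```

Run on the report's own rows the script reports four parent-to-child writes from 1816 into 1380 and nothing else; only the constructed row is flagged as cross-process. The label on the real rows is deliberately cautious: a parent writing into a child it created suspended is also how process hollowing starts, and the report gives no thread-state or address information that would separate the two cases.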
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize 1.7MB
MD5 726a11b7025866b24c2797b1b3355e1c
SHA1 b54c54a1f26feec9f3078584789f00b7c5f57ea0
SHA256 435e36cfe4b8bf8efeb70753db014a966ff42faeea48decb258ebf8afeb61a5a
SHA512 2196fbc857bbfe6b4522c475a4dc0405ed2883ab214abd4f1ad05e3b6c5042c2cc59baf0dd0eab9c655531614c3e25238d0e41eced640eea0e486113204e1b85
The report records this file three times (twice as C:\Users\Admin\AppData\Local\Temp\1.exe, once as \Users\Admin\AppData\Local\Temp\1.exe) with identical hashes; it is a single artifact. Its hashes differ from those of the 2.6MB parent, so it is a distinct second-stage binary and should be tracked as its own IoC alongside the parent's.
-
memory/1380-57-0x0000000000000000-mapping.dmp (PID 1380; mapping record, no size listed)
-
memory/1816-54-0x0000000076041000-0x0000000076043000-memory.dmp Filesize 8KB
-
memory/1816-55-0x0000000000400000-0x00000000008FE000-memory.dmp Filesize 5.0MB
-
memory/1816-60-0x0000000000400000-0x00000000008FE000-memory.dmp Filesize 5.0MB
Dump names encode pid-sequence-start-end. The two 5.0MB dumps cover the same 0x400000-0x8FE000 range of PID 1816 captured at two points in the run (sequence 55 and 60); 0x8FE000 - 0x400000 = 0x4FE000 bytes, which matches the 5.0MB listed, and these are the two resources that matched the vmprotect YARA rule. The 8KB dump at 0x76041000 is a small region outside the sample's image, in the address range typically occupied by system DLLs in a 32-bit process.
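The dump names in this section carry the PID, a capture sequence number and the address range, which is enough to recompute the listed sizes and to tie the dumps back to the YARA hits in the Signatures section. The following is an added example (not Triage's tooling) that parses these names, checks each computed size against the size the report lists, and picks out the dumps whose range matched the vmprotect rule. Dump names, sizes and rule hits are copied from this report.

```python
"""Parse Triage memory-dump names and cross-check the sizes and YARA hits listed.

Added example; not Triage's code. Names follow the two layouts seen on this page:
  memory/<pid>-<seq>-<start>-<end>-memory.dmp     (a dumped region)
  memory/<pid>-<seq>-<start>-mapping.dmp          (a mapping record, no range)
"""
import re

# Names and listed sizes copied from the report's Downloads section.
DUMPS = {
    "memory/1380-57-0x0000000000000000-mapping.dmp": None,
    "memory/1816-54-0x0000000076041000-0x0000000076043000-memory.dmp": "8KB",
    "memory/1816-55-0x0000000000400000-0x00000000008FE000-memory.dmp": "5.0MB",
    "memory/1816-60-0x0000000000400000-0x00000000008FE000-memory.dmp": "5.0MB",
}

# Resources the 'vmprotect' YARA rule matched, from the Signatures section.
VMPROTECT_HITS = {
    "behavioral1/memory/1816-55-0x0000000000400000-0x00000000008FE000-memory.dmp",
    "behavioral1/memory/1816-60-0x0000000000400000-0x00000000008FE000-memory.dmp",
}

_NAME = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
    r"(?:-(?P<end>0x[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump_name(name):
    """Split a dump name into pid, seq, start, end (None for mappings), kind, size."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"not a Triage dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "kind": m["kind"],
        "size": (end - start) if end is not None else None,
    }


def human_size(n):
    """Format the way the report does: whole KB below 1 MiB, one-decimal MB above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def check_sizes(dumps=DUMPS):
    """Return {name: (computed_bytes, computed_label, listed_label, matches)}."""
    out = {}
    for name, listed in dumps.items():
        info = parse_dump_name(name)
        if info["size"] is None:          # mapping record: nothing to recompute
            out[name] = (None, None, listed, listed is None)
            continue
        label = human_size(info["size"])
        out[name] = (info["size"], label, listed, label == listed)
    return out


def vmprotect_dump_seqs(dumps=DUMPS, hits=VMPROTECT_HITS):
    """Sequence numbers of the dumps that matched the vmprotect rule.

    Signature resources carry a 'behavioralN/' task prefix that the Downloads
    names lack, so strip it before comparing.
    """
    flagged = {h.split("/", 1)[1] for h in hits}
    return sorted(parse_dump_name(n)["seq"] for n in dumps if n in flagged)


if __name__ == "__main__":
    for name, (nbytes, label, listed, ok) in check_sizes().items():
        print(f"{name}: {nbytes} bytes -> {label} (listed {listed}) {'ok' if ok else 'MISMATCH'}")
    print("vmprotect hits at sequence", vmprotect_dump_seqs())
```

Running it confirms the arithmetic in the note above: both 0x400000-0x8FE000 dumps are 0x4FE000 bytes (5,234,688, printed as 5.0MB), the 0x76041000 region is 8192 bytes, and sequences 55 and 60 are exactly the two vmprotect hits. The same parser works for any Triage report that uses these name layouts, which is why it accepts the optional behavioralN/ prefix.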