Analysis
- max time kernel: 183s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 06:54
Static task: static1
Behavioral task: behavioral1
- Sample: e20f75bfb83ae1a5aef8cdf18c3632912d3c4ac084bb52cbc9e101694ca5ef5b.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: e20f75bfb83ae1a5aef8cdf18c3632912d3c4ac084bb52cbc9e101694ca5ef5b.exe
- Resource: win10v2004-20221111-en
General
- Target: e20f75bfb83ae1a5aef8cdf18c3632912d3c4ac084bb52cbc9e101694ca5ef5b.exe
- Size: 401KB
- MD5: edf31f5ba38d360965382562cdb82f6e
- SHA1: 2ff732f572b594306746048a35e56513caadf027
- SHA256: e20f75bfb83ae1a5aef8cdf18c3632912d3c4ac084bb52cbc9e101694ca5ef5b
- SHA512: 7394708ac94558d86b7fd1f5090809c01aa80f8949f8927aaa41a907c47b0171762438549fd3876866f4682ef3506a841b84fadfc72beb059e4cbf8c113126c3
- SSDEEP: 6144:0Ij7TnH53TiBWzvzR0OJJwdyVOYZRIPqwH0l25/txA:zr53HZwdyVOYZRIPqW5/t
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 268, process taskmgr.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Processes (taskmgr.exe):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\474f9ee99987783596d882856491c4a8.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\474f9ee99987783596d882856491c4a8.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (taskmgr.exe):
  Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\474f9ee99987783596d882856491c4a8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmgr.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\474f9ee99987783596d882856491c4a8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmgr.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes (pid 268, taskmgr.exe):
  Token: SeDebugPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  PID 2012 (e20f75bfb83ae1a5aef8cdf18c3632912d3c4ac084bb52cbc9e101694ca5ef5b.exe) wrote to memory of 268 (taskmgr.exe)
  PID 2012 (e20f75bfb83ae1a5aef8cdf18c3632912d3c4ac084bb52cbc9e101694ca5ef5b.exe) wrote to memory of 268 (taskmgr.exe)
  PID 2012 (e20f75bfb83ae1a5aef8cdf18c3632912d3c4ac084bb52cbc9e101694ca5ef5b.exe) wrote to memory of 268 (taskmgr.exe)
  PID 268 (taskmgr.exe) wrote to memory of 1388 (netsh.exe)
  PID 268 (taskmgr.exe) wrote to memory of 1388 (netsh.exe)
  PID 268 (taskmgr.exe) wrote to memory of 1388 (netsh.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e20f75bfb83ae1a5aef8cdf18c3632912d3c4ac084bb52cbc9e101694ca5ef5b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e20f75bfb83ae1a5aef8cdf18c3632912d3c4ac084bb52cbc9e101694ca5ef5b.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\taskmgr.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskmgr.exe" "taskmgr.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
  Filesize: 401KB
  MD5: edf31f5ba38d360965382562cdb82f6e
  SHA1: 2ff732f572b594306746048a35e56513caadf027
  SHA256: e20f75bfb83ae1a5aef8cdf18c3632912d3c4ac084bb52cbc9e101694ca5ef5b
  SHA512: 7394708ac94558d86b7fd1f5090809c01aa80f8949f8927aaa41a907c47b0171762438549fd3876866f4682ef3506a841b84fadfc72beb059e4cbf8c113126c3
- memory/268-64-0x0000000000A16000-0x0000000000A35000-memory.dmp (Filesize: 124KB)
- memory/268-67-0x0000000000A16000-0x0000000000A35000-memory.dmp (Filesize: 124KB)
- memory/268-58-0x0000000000000000-mapping.dmp
- memory/268-61-0x000007FEF4500000-0x000007FEF4F23000-memory.dmp (Filesize: 10.1MB)
- memory/268-62-0x000007FEF3460000-0x000007FEF44F6000-memory.dmp (Filesize: 16.6MB)
- memory/1388-66-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp (Filesize: 8KB)
- memory/1388-65-0x0000000000000000-mapping.dmp
- memory/2012-57-0x0000000001FF6000-0x0000000002015000-memory.dmp (Filesize: 124KB)
- memory/2012-63-0x0000000001FF6000-0x0000000002015000-memory.dmp (Filesize: 124KB)
- memory/2012-54-0x000007FEF4500000-0x000007FEF4F23000-memory.dmp (Filesize: 10.1MB)
- memory/2012-56-0x0000000001FF6000-0x0000000002015000-memory.dmp (Filesize: 124KB)
- memory/2012-55-0x000007FEF3460000-0x000007FEF44F6000-memory.dmp (Filesize: 16.6MB)