Analysis
max time kernel: 151s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 06:58
Behavioral task: behavioral1
Sample: d94cab204804e6bcbd70f2ef71ad57cf01f9d15d16ed2c73efb46d3725f7a264.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: d94cab204804e6bcbd70f2ef71ad57cf01f9d15d16ed2c73efb46d3725f7a264.exe
Resource: win10v2004-20220812-en
General
Target: d94cab204804e6bcbd70f2ef71ad57cf01f9d15d16ed2c73efb46d3725f7a264.exe
Size: 112KB
MD5: 3119a3e493cf879b4fb602e14e86f043
SHA1: ada806fbb5f0d8705fdc51b483b17b854131ddfb
SHA256: d94cab204804e6bcbd70f2ef71ad57cf01f9d15d16ed2c73efb46d3725f7a264
SHA512: 15ba4326731121e4f56e259a29210be6a8537839439a4f6b57e73d6ac369a6dfbe1e6027406532e1ca430381542fd5f572342bb1ad905c0f3d5f4bc3597ceaf8
SSDEEP: 1536:PInhq8KPbgshva5udpsr3Xgr9p8Xzmv2YhAz3:r8KPbgwva5mpE3XgUQo
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: PID 1452, PES 2014 - Download.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\10fa6a22e100e1aec443fa0a88b30f96.exe (process: PES 2014 - Download.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\10fa6a22e100e1aec443fa0a88b30f96.exe (process: PES 2014 - Download.exe)
Loads dropped DLL (1 IoC)
  Process: PID 1932, d94cab204804e6bcbd70f2ef71ad57cf01f9d15d16ed2c73efb46d3725f7a264.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\10fa6a22e100e1aec443fa0a88b30f96 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\PES 2014 - Download.exe\" .." (process: PES 2014 - Download.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\10fa6a22e100e1aec443fa0a88b30f96 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\PES 2014 - Download.exe\" .." (process: PES 2014 - Download.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Process: PID 1452, PES 2014 - Download.exe (18 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1452, PES 2014 - Download.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1932 (d94cab204804e6bcbd70f2ef71ad57cf01f9d15d16ed2c73efb46d3725f7a264.exe) wrote to memory of PID 1452 (PES 2014 - Download.exe), 4 occurrences
  PID 1452 (PES 2014 - Download.exe) wrote to memory of PID 852 (netsh.exe), 4 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\d94cab204804e6bcbd70f2ef71ad57cf01f9d15d16ed2c73efb46d3725f7a264.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d94cab204804e6bcbd70f2ef71ad57cf01f9d15d16ed2c73efb46d3725f7a264.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\PES 2014 - Download.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PES 2014 - Download.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\PES 2014 - Download.exe" "PES 2014 - Download.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\PES 2014 - Download.exe
Filesize: 112KB
MD5: 3119a3e493cf879b4fb602e14e86f043
SHA1: ada806fbb5f0d8705fdc51b483b17b854131ddfb
SHA256: d94cab204804e6bcbd70f2ef71ad57cf01f9d15d16ed2c73efb46d3725f7a264
SHA512: 15ba4326731121e4f56e259a29210be6a8537839439a4f6b57e73d6ac369a6dfbe1e6027406532e1ca430381542fd5f572342bb1ad905c0f3d5f4bc3597ceaf8
\Users\Admin\AppData\Local\Temp\PES 2014 - Download.exe
Filesize: 112KB
MD5: 3119a3e493cf879b4fb602e14e86f043
SHA1: ada806fbb5f0d8705fdc51b483b17b854131ddfb
SHA256: d94cab204804e6bcbd70f2ef71ad57cf01f9d15d16ed2c73efb46d3725f7a264
SHA512: 15ba4326731121e4f56e259a29210be6a8537839439a4f6b57e73d6ac369a6dfbe1e6027406532e1ca430381542fd5f572342bb1ad905c0f3d5f4bc3597ceaf8
memory/852-62-0x0000000000000000-mapping.dmp
memory/1452-57-0x0000000000000000-mapping.dmp
memory/1452-64-0x0000000074FB0000-0x000000007555B000-memory.dmp (Filesize: 5.7MB)
memory/1452-65-0x0000000074FB0000-0x000000007555B000-memory.dmp (Filesize: 5.7MB)
memory/1932-54-0x0000000076181000-0x0000000076183000-memory.dmp (Filesize: 8KB)
memory/1932-55-0x0000000074FB0000-0x000000007555B000-memory.dmp (Filesize: 5.7MB)
memory/1932-61-0x0000000074FB0000-0x000000007555B000-memory.dmp (Filesize: 5.7MB)