Analysis
max time kernel: 152s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 07:29
Behavioral task: behavioral1
Sample: 8e6b3452de87a478edce02dd060e27d0585952e805760679047e46b5b0f3f0d0.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 8e6b3452de87a478edce02dd060e27d0585952e805760679047e46b5b0f3f0d0.exe
Resource: win10v2004-20220812-en
General
Target: 8e6b3452de87a478edce02dd060e27d0585952e805760679047e46b5b0f3f0d0.exe
Size: 30KB
MD5: 59b10f7a80bcb2cc268ba0fac88c682e
SHA1: d9be5948fb0ed3352555de13b9db700f406fd464
SHA256: 8e6b3452de87a478edce02dd060e27d0585952e805760679047e46b5b0f3f0d0
SHA512: 70a2a2139bedbad6b7099611d0cefde37a6cc8f58f617843c67a2de6b1d645b1f579e8e7f0548fc394a12c20a4b3c81ec3d5dfa5b61ceb04f38cf4935aca2920
SSDEEP: 384:30LO+j0GtaS/lwxWP+JbNurJX8LqXwC7+wlME2RsqG/28bilvxwX+caGviCsMJVK:3MrtajQ+fur63CMHfe28bHaGaF
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: svhost.exe, PID 1932
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Processes: svhost.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5857819bb096c04134249d6f4e71934.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5857819bb096c04134249d6f4e71934.exe
- Loads dropped DLL (1 IoC)
  Processes: 8e6b3452de87a478edce02dd060e27d0585952e805760679047e46b5b0f3f0d0.exe, PID 1832
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svhost.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\b5857819bb096c04134249d6f4e71934 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b5857819bb096c04134249d6f4e71934 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: svhost.exe, PID 1932 (18 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: svhost.exe, PID 1932, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 8e6b3452de87a478edce02dd060e27d0585952e805760679047e46b5b0f3f0d0.exe, svhost.exe
  PID 1832 (8e6b3452de87a478edce02dd060e27d0585952e805760679047e46b5b0f3f0d0.exe) wrote to memory of PID 1932 (svhost.exe), 4 events
  PID 1932 (svhost.exe) wrote to memory of PID 1108 (netsh.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\8e6b3452de87a478edce02dd060e27d0585952e805760679047e46b5b0f3f0d0.exe (PID 1832)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e6b3452de87a478edce02dd060e27d0585952e805760679047e46b5b0f3f0d0.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\svhost.exe (PID 1932)
    Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\netsh.exe (PID 1108)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\svhost.exe
  Filesize: 30KB
  MD5: 59b10f7a80bcb2cc268ba0fac88c682e
  SHA1: d9be5948fb0ed3352555de13b9db700f406fd464
  SHA256: 8e6b3452de87a478edce02dd060e27d0585952e805760679047e46b5b0f3f0d0
  SHA512: 70a2a2139bedbad6b7099611d0cefde37a6cc8f58f617843c67a2de6b1d645b1f579e8e7f0548fc394a12c20a4b3c81ec3d5dfa5b61ceb04f38cf4935aca2920
- \Users\Admin\AppData\Roaming\svhost.exe
  Filesize: 30KB
  MD5: 59b10f7a80bcb2cc268ba0fac88c682e
  SHA1: d9be5948fb0ed3352555de13b9db700f406fd464
  SHA256: 8e6b3452de87a478edce02dd060e27d0585952e805760679047e46b5b0f3f0d0
  SHA512: 70a2a2139bedbad6b7099611d0cefde37a6cc8f58f617843c67a2de6b1d645b1f579e8e7f0548fc394a12c20a4b3c81ec3d5dfa5b61ceb04f38cf4935aca2920
- memory/1108-62-0x0000000000000000-mapping.dmp
- memory/1832-54-0x0000000076401000-0x0000000076403000-memory.dmp
  Filesize: 8KB
- memory/1832-55-0x0000000074EA0000-0x000000007544B000-memory.dmp
  Filesize: 5.7MB
- memory/1832-61-0x0000000074EA0000-0x000000007544B000-memory.dmp
  Filesize: 5.7MB
- memory/1932-57-0x0000000000000000-mapping.dmp
- memory/1932-64-0x0000000074EA0000-0x000000007544B000-memory.dmp
  Filesize: 5.7MB
- memory/1932-65-0x0000000074EA0000-0x000000007544B000-memory.dmp
  Filesize: 5.7MB