Analysis
- max time kernel: 150s
- max time network: 70s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 07:32
Static task: static1
Behavioral task: behavioral1
- Sample: 87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
- Resource: win10v2004-20221111-en
General
- Target: 87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
- Size: 329KB
- MD5: 288a4b7588e9a76eb5c5ebfeda862246
- SHA1: 978f19856a3498c4bf47a39698d90c3e4d2baa4c
- SHA256: 87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7
- SHA512: 86b626f2f1d7f0b68d25d1a91f6f1569630f0c7d354b5fef32640224bdc6a50ee0049c2c1fad7aed9a5d1638d346bc9e5853b22c8d6fc78cc40afe9b9588fe94
- SSDEEP: 6144:3xTM7GKkAvRgt5fD2ywM9r6o/AT59zMXd:NBYyfD2A9mS859YXd
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: server.exe
  pid 1780, process server.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\87173d0078b7305a3dec8884347c9601 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (process: server.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87173d0078b7305a3dec8884347c9601 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (process: server.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes: 87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe, server.exe
  Token: SeDebugPrivilege, pid 1380, 87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
  Token: 33, pid 1380, 87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
  Token: SeIncBasePriorityPrivilege, pid 1380, 87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
  Token: SeDebugPrivilege, pid 1780, server.exe
  Token: 33, pid 1780, server.exe
  Token: SeIncBasePriorityPrivilege, pid 1780, server.exe
  Token: 33, pid 1780, server.exe
  Token: SeIncBasePriorityPrivilege, pid 1780, server.exe
  Token: 33, pid 1780, server.exe
  Token: SeIncBasePriorityPrivilege, pid 1780, server.exe
  Token: 33, pid 1780, server.exe
  Token: SeIncBasePriorityPrivilege, pid 1780, server.exe
  Token: 33, pid 1780, server.exe
  Token: SeIncBasePriorityPrivilege, pid 1780, server.exe
  Token: 33, pid 1780, server.exe
  Token: SeIncBasePriorityPrivilege, pid 1780, server.exe
  Token: 33, pid 1780, server.exe
  Token: SeIncBasePriorityPrivilege, pid 1780, server.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe, server.exe
  PID 1380 wrote to memory of 1780 (87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe -> server.exe)
  PID 1380 wrote to memory of 1780 (87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe -> server.exe)
  PID 1380 wrote to memory of 1780 (87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe -> server.exe)
  PID 1780 wrote to memory of 1556 (server.exe -> netsh.exe)
  PID 1780 wrote to memory of 1556 (server.exe -> netsh.exe)
  PID 1780 wrote to memory of 1556 (server.exe -> netsh.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 329KB
  MD5: 288a4b7588e9a76eb5c5ebfeda862246
  SHA1: 978f19856a3498c4bf47a39698d90c3e4d2baa4c
  SHA256: 87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7
  SHA512: 86b626f2f1d7f0b68d25d1a91f6f1569630f0c7d354b5fef32640224bdc6a50ee0049c2c1fad7aed9a5d1638d346bc9e5853b22c8d6fc78cc40afe9b9588fe94
- memory/1380-54-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp (Filesize: 10.1MB)
- memory/1380-55-0x000007FEF41C0000-0x000007FEF4680000-memory.dmp (Filesize: 4.8MB)
- memory/1380-56-0x000007FEF3120000-0x000007FEF41B6000-memory.dmp (Filesize: 16.6MB)
- memory/1380-57-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp (Filesize: 8KB)
- memory/1556-64-0x0000000000000000-mapping.dmp
- memory/1780-58-0x0000000000000000-mapping.dmp
- memory/1780-61-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp (Filesize: 10.1MB)
- memory/1780-62-0x000007FEF4BF0000-0x000007FEF50B0000-memory.dmp (Filesize: 4.8MB)
- memory/1780-63-0x000007FEF2BB0000-0x000007FEF3C46000-memory.dmp (Filesize: 16.6MB)