Analysis
max time kernel: 152s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 08:00
Behavioral task: behavioral1
Sample: 3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe
Resource: win10v2004-20221111-en
General
Target: 3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe
Size: 131KB
MD5: 7172970c5f7feaeefea7dce05c77ec99
SHA1: d54ab0a54b0eea89ab205f4eefa3455129a3fcd9
SHA256: 3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03
SHA512: 2140f2fe551c1ec6409d6ccf292e9db02f89ac927d3f706925ed7143df73fe04c3e4ab0759125fd22702e62b1b46b0827168ed4716371b873a9ed2176898ff34
SSDEEP: 1536:0ypZ/A6HjKnbI66LazSel7tRW03TU4+DW8U2qdbsAqO+064RPT515KE6:bqjnbI7OBYwT+DWZsD0bTT
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1868  Download Counter Strike 1.6.0.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\952ab70ddf0342a102f09a13e6367596.exe  Download Counter Strike 1.6.0.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\952ab70ddf0342a102f09a13e6367596.exe  Download Counter Strike 1.6.0.exe

Loads dropped DLL (1 IoCs)
  Processes (pid, process):
    1720  3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\952ab70ddf0342a102f09a13e6367596 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Download Counter Strike 1.6.0.exe\" .."  Download Counter Strike 1.6.0.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\952ab70ddf0342a102f09a13e6367596 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Download Counter Strike 1.6.0.exe\" .."  Download Counter Strike 1.6.0.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process):
    1868  Download Counter Strike 1.6.0.exe  (14 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  1868  Download Counter Strike 1.6.0.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 1720 wrote to memory of 1868  1720  3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe  Download Counter Strike 1.6.0.exe  (4 identical entries)
    PID 1868 wrote to memory of 1640  1868  Download Counter Strike 1.6.0.exe  netsh.exe  (4 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe"
   PID: 1720
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe"
      PID: 1868
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe" "Download Counter Strike 1.6.0.exe" ENABLE
         PID: 1640
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe
Filesize: 131KB
MD5: 7172970c5f7feaeefea7dce05c77ec99
SHA1: d54ab0a54b0eea89ab205f4eefa3455129a3fcd9
SHA256: 3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03
SHA512: 2140f2fe551c1ec6409d6ccf292e9db02f89ac927d3f706925ed7143df73fe04c3e4ab0759125fd22702e62b1b46b0827168ed4716371b873a9ed2176898ff34
\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe
Filesize: 131KB
MD5: 7172970c5f7feaeefea7dce05c77ec99
SHA1: d54ab0a54b0eea89ab205f4eefa3455129a3fcd9
SHA256: 3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03
SHA512: 2140f2fe551c1ec6409d6ccf292e9db02f89ac927d3f706925ed7143df73fe04c3e4ab0759125fd22702e62b1b46b0827168ed4716371b873a9ed2176898ff34

memory/1640-64-0x0000000000000000-mapping.dmp

memory/1720-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
Filesize: 8KB

memory/1720-55-0x00000000744F0000-0x0000000074A9B000-memory.dmp
Filesize: 5.7MB

memory/1720-62-0x00000000744F0000-0x0000000074A9B000-memory.dmp
Filesize: 5.7MB

memory/1868-57-0x0000000000000000-mapping.dmp

memory/1868-61-0x00000000744F0000-0x0000000074A9B000-memory.dmp
Filesize: 5.7MB

memory/1868-63-0x00000000744F0000-0x0000000074A9B000-memory.dmp
Filesize: 5.7MB

memory/1868-66-0x00000000744F0000-0x0000000074A9B000-memory.dmp
Filesize: 5.7MB