Analysis
-
max time kernel
189s -
max time network
32s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
25-11-2022 08:29
Static task
static1
Behavioral task
behavioral1
Sample
4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe
Resource
win10v2004-20221111-en
General
-
Target
4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe
-
Size
145KB
-
MD5
bac14564d1bc1337b43ef99a788dfd89
-
SHA1
5ae6bb3b4abe5a3daa29c66a4ff8d6eb3c57eb11
-
SHA256
4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb
-
SHA512
58b8e2c961fa830b4b5b287cfcfcab3e3daee06d0a1b56f2d157de1c6e2b6f9ea02b79e3c36d14fc42369546181ed5141c0b55f4ce99e076b049f057e1c8e509
-
SSDEEP
1536:M/21Q2fgdkH38Aas6hDkUDR3UNjOndXbkqAIBnI47Qz8PLsh7mpPey8X74Fk/5AB:M/2Q2TsvVtPXPKzb75FxpuH
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: root.exe
pid   process
328   root.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
Processes: root.exe
description                    ioc                                                                                                        process
File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f4351e78b5e7521973848f1555ec2c00.exe   root.exe
File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f4351e78b5e7521973848f1555ec2c00.exe   root.exe -
Loads dropped DLL 1 IoCs
Processes: 4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe
pid    process
1552   4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes: root.exe
description       ioc                                                                                                                                                              process
Set value (str)   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\f4351e78b5e7521973848f1555ec2c00 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\root.exe\" .."   root.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f4351e78b5e7521973848f1555ec2c00 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\root.exe\" .."                              root.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: root.exe
pid   process
328   root.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: root.exe
description               pid   process
Token: SeDebugPrivilege   328   root.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe, root.exe
description                         pid    process                                                                 target process
PID 1552 wrote to memory of 328     1552   4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe   root.exe
PID 1552 wrote to memory of 328     1552   4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe   root.exe
PID 1552 wrote to memory of 328     1552   4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe   root.exe
PID 1552 wrote to memory of 328     1552   4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe   root.exe
PID 328 wrote to memory of 1420     328    root.exe                                                                netsh.exe
PID 328 wrote to memory of 1420     328    root.exe                                                                netsh.exe
PID 328 wrote to memory of 1420     328    root.exe                                                                netsh.exe
PID 328 wrote to memory of 1420     328    root.exe                                                                netsh.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe"
   PID: 1552
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\root.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\root.exe"
      PID: 328
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\root.exe" "root.exe" ENABLE
         PID: 1420
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\root.exe
Filesize   145KB
MD5        bac14564d1bc1337b43ef99a788dfd89
SHA1       5ae6bb3b4abe5a3daa29c66a4ff8d6eb3c57eb11
SHA256     4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb
SHA512     58b8e2c961fa830b4b5b287cfcfcab3e3daee06d0a1b56f2d157de1c6e2b6f9ea02b79e3c36d14fc42369546181ed5141c0b55f4ce99e076b049f057e1c8e509
-
\Users\Admin\AppData\Local\Temp\root.exe
Filesize   145KB
MD5        bac14564d1bc1337b43ef99a788dfd89
SHA1       5ae6bb3b4abe5a3daa29c66a4ff8d6eb3c57eb11
SHA256     4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb
SHA512     58b8e2c961fa830b4b5b287cfcfcab3e3daee06d0a1b56f2d157de1c6e2b6f9ea02b79e3c36d14fc42369546181ed5141c0b55f4ce99e076b049f057e1c8e509
-
memory/328-58-0x0000000000000000-mapping.dmp
-
memory/328-61-0x00000000008B0000-0x00000000008DC000-memory.dmp
Filesize   176KB
-
memory/328-63-0x0000000000570000-0x0000000000582000-memory.dmp
Filesize   72KB
-
memory/1420-64-0x0000000000000000-mapping.dmp
-
memory/1552-54-0x0000000000B80000-0x0000000000BAC000-memory.dmp
Filesize   176KB
-
memory/1552-55-0x0000000075C81000-0x0000000075C83000-memory.dmp
Filesize   8KB
-
memory/1552-56-0x00000000003C0000-0x00000000003D2000-memory.dmp
Filesize   72KB