Analysis
Max time kernel: 150s
Max time network: 86s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 25-11-2022 14:30
Static task: static1
Behavioral task: behavioral1
  Sample: 6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
  Resource: win10v2004-20220812-en
General
Target: 6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
Size: 566KB
MD5: 7cd871c5dae7dfee205ac811f0d461d7
SHA1: 9d564accbfefafeda236574750a4dcb481e187fa
SHA256: 6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80
SHA512: f3834257535c252aac281ff8633c30dd599d1718ff85b1019e4eeabf59634680f75bd077af9f5c4092c1a70e5c5ffc9bc2d9762798212f4ac385bf62327218e4
SSDEEP: 6144:12Or9Pk3/JxlpKI0ByUPiV8+AsGHDY+5l+anN40ty2or87P9U3ERvYb:5JEJP0TB76uJDf5lTnqe7q3sY
Malware Config

Signatures

Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1376  System32.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                                                                                    process
    Set value (str)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\71a16e0d6a04e0ba117f99d08d98d3fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."   System32.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71a16e0d6a04e0ba117f99d08d98d3fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."                                       System32.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes:
    description                        pid   process
    Token: SeDebugPrivilege            1680  6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
    Token: 33                          1680  6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
    Token: SeIncBasePriorityPrivilege  1680  6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
    Token: SeDebugPrivilege            1376  System32.exe
    Token: 33                          1376  System32.exe
    Token: SeIncBasePriorityPrivilege  1376  System32.exe
    Token: 33                          1376  System32.exe
    Token: SeIncBasePriorityPrivilege  1376  System32.exe
    Token: 33                          1376  System32.exe
    Token: SeIncBasePriorityPrivilege  1376  System32.exe
    Token: 33                          1376  System32.exe
    Token: SeIncBasePriorityPrivilege  1376  System32.exe
    Token: 33                          1376  System32.exe
    Token: SeIncBasePriorityPrivilege  1376  System32.exe
    Token: 33                          1376  System32.exe
    Token: SeIncBasePriorityPrivilege  1376  System32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                         pid   process                                                                   target process
    PID 1680 wrote to memory of 1376    1680  6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe  System32.exe
    PID 1680 wrote to memory of 1376    1680  6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe  System32.exe
    PID 1680 wrote to memory of 1376    1680  6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe  System32.exe
    PID 1376 wrote to memory of 1268    1376  System32.exe                                                              netsh.exe
    PID 1376 wrote to memory of 1268    1376  System32.exe                                                              netsh.exe
    PID 1376 wrote to memory of 1268    1376  System32.exe                                                              netsh.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\System32.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\System32.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE
            - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\System32.exe
  Filesize: 566KB
  MD5: 7cd871c5dae7dfee205ac811f0d461d7
  SHA1: 9d564accbfefafeda236574750a4dcb481e187fa
  SHA256: 6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80
  SHA512: f3834257535c252aac281ff8633c30dd599d1718ff85b1019e4eeabf59634680f75bd077af9f5c4092c1a70e5c5ffc9bc2d9762798212f4ac385bf62327218e4

C:\Users\Admin\AppData\Local\Temp\System32.exe
  Filesize: 566KB
  MD5: 7cd871c5dae7dfee205ac811f0d461d7
  SHA1: 9d564accbfefafeda236574750a4dcb481e187fa
  SHA256: 6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80
  SHA512: f3834257535c252aac281ff8633c30dd599d1718ff85b1019e4eeabf59634680f75bd077af9f5c4092c1a70e5c5ffc9bc2d9762798212f4ac385bf62327218e4
Memory dumps

memory/1268-66-0x0000000000000000-mapping.dmp
memory/1376-63-0x000007FEF2980000-0x000007FEF3A16000-memory.dmp
  Filesize: 16.6MB
memory/1376-59-0x0000000000000000-mapping.dmp
memory/1376-62-0x000007FEF3A20000-0x000007FEF4443000-memory.dmp
  Filesize: 10.1MB
memory/1376-64-0x0000000000C18000-0x0000000000C37000-memory.dmp
  Filesize: 124KB
memory/1680-58-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp
  Filesize: 8KB
memory/1680-57-0x0000000000C48000-0x0000000000C67000-memory.dmp
  Filesize: 124KB
memory/1680-56-0x000007FEF2980000-0x000007FEF3A16000-memory.dmp
  Filesize: 16.6MB
memory/1680-55-0x0000000000C48000-0x0000000000C67000-memory.dmp
  Filesize: 124KB
memory/1680-65-0x0000000000C48000-0x0000000000C67000-memory.dmp
  Filesize: 124KB
memory/1680-54-0x000007FEF3A20000-0x000007FEF4443000-memory.dmp
  Filesize: 10.1MB