Analysis
max time kernel: 150s
max time network: 70s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 15:05

Static task: static1
Behavioral task: behavioral1
  Sample: 3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe
  Resource: win10v2004-20220812-en
The signatures, process tree and memory dumps below are from behavioral1 (Windows 7 x64).
General
Target: 3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe
Size: 181KB
MD5: cee647a4ac53946dedff90ba3c406674
SHA1: 53ce72e3726de9c0eb4e6e6f7c569ac210c789e4
SHA256: 3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff
SHA512: 9c728f58876ada1ce505f7780f71770d6b467222bf28b3a316c4053e50413f77d2aa78b59b5642a80acf1caeaba98133b30354e07b2ab2262488c1a962b0de73
SSDEEP: 3072:y7lUBMjrEoqCZbI3//Be/elqW3jcrrI0m0JGLUPiV8+/PgsGHDY+TM0DSKk:C2Or9Pk3/JxlpKI0ByUPiV8+AsGHDY+L
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  PID 1100  System32.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
  The IoC is the netsh command in the process tree below: System32.exe (PID 1100) spawns netsh.exe (PID 472) to register itself as an allowed program.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  System32.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\71a16e0d6a04e0ba117f99d08d98d3fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."
  System32.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71a16e0d6a04e0ba117f99d08d98d3fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."
  Persistence is written to both the per-user and the machine-wide Run key under the same 32-hex-character value name, and the stored command line carries a trailing " .." argument. The HKLM write succeeding means the sample ran with administrative rights in the sandbox.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature; no encryption or mass file-write activity appears elsewhere in this report.

Suspicious use of AdjustPrivilegeToken (18 IoCs)
Processes:
  PID 1480  3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe  Token: SeDebugPrivilege
  PID 1480  3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe  Token: 33
  PID 1480  3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe  Token: SeIncBasePriorityPrivilege
  PID 1100  System32.exe  Token: SeDebugPrivilege
  PID 1100  System32.exe  Token: 33 (7 times)
  PID 1100  System32.exe  Token: SeIncBasePriorityPrivilege (7 times)
  "33" is a privilege the sandbox reports only by its LUID; on Windows 7 and later, LUID 33 is SeIncreaseWorkingSetPrivilege. The identical privilege sequence in parent and child is consistent with the child being a copy of the same binary.

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 1480  3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe  wrote to memory of PID 1100 (System32.exe)  3 times
  PID 1100  System32.exe  wrote to memory of PID 472 (netsh.exe)  3 times
  Both targets are children the writing process had just created. CreateProcess itself writes the child's process parameters into the new address space, so this signature on its own is not evidence of code injection.
Processes
PID 1480  C:\Users\Admin\AppData\Local\Temp\3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID 1100  C:\Users\Admin\AppData\Local\Temp\System32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\System32.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 472  C:\Windows\system32\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE
      - Modifies Windows Firewall
The dropped copy borrows the name of a Windows directory (System32) while living in the user's Temp folder. The "netsh firewall" context is the deprecated XP-era syntax; on Windows 7 it still works and creates the rule in Windows Firewall with Advanced Security.
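The chain above (dropper in Temp copies itself as System32.exe, writes HKCU and HKLM Run values pointing at the copy, then spawns netsh to whitelist the copy in Windows Firewall) is what a detection should key on. The following is an added example, not part of the sandbox report: Python detection logic run over constructed Sysmon-style events. The event dict shape is my own; PIDs, paths, the Run value name and the netsh command line follow the report, while the OneDrive Run entry and the Program Files firewall rule are made-up benign controls. It generalizes beyond the report by also recognizing the current netsh advfirewall firewall add rule ... program= syntax.

```python
"""Detect persistence to a user Temp binary plus firewall whitelisting of it.

Added example, not from the sandbox report. Events are constructed; PIDs,
paths and the Run value name follow the report, the benign ones are invented.
"""
import re
from typing import Dict, List, Optional

# A user's local Temp directory: where the sample drops its System32.exe copy.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Per-user (\REGISTRY\USER\<SID>) and machine-wide (\REGISTRY\MACHINE) Run keys.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
# Legacy syntax used by the sample, and the current advfirewall equivalent.
# Each match ends right before the program path being whitelisted.
NETSH_PROGRAM_RES = (
    re.compile(r"\bfirewall\s+add\s+allowedprogram\s+", re.IGNORECASE),
    re.compile(r"\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=", re.IGNORECASE),
)

Event = Dict[str, object]

SAMPLE = "3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe"
SID = "S-1-5-21-4063495947-34355257-727531523-1000"

# Constructed events modelled on the report's process tree and registry IoCs.
EVENTS: List[Event] = [
    {"type": "process", "pid": 1480, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE,
     "cmdline": '"' + r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE + '"'},
    {"type": "process", "pid": 1100, "ppid": 1480,
     "image": r"C:\Users\Admin\AppData\Local\Temp\System32.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\System32.exe"'},
    {"type": "registry", "pid": 1100,
     "key": "\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\71a16e0d6a04e0ba117f99d08d98d3fc",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\System32.exe" ..'},
    {"type": "registry", "pid": 1100,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71a16e0d6a04e0ba117f99d08d98d3fc",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\System32.exe" ..'},
    {"type": "process", "pid": 472, "ppid": 1100,
     "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE'},
    # Constructed benign controls (not in the report): a normal Run entry and a normal firewall rule.
    {"type": "registry", "pid": 900,
     "key": "\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process", "pid": 901, "ppid": 800,
     "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Example App" dir=in action=allow program="C:\Program Files\Example\app.exe" enable=yes'},
]


def leading_path(text: str) -> str:
    """Executable path at the start of a command line or Run value, honouring
    quotes so that paths with spaces and trailing arguments (like " ..") survive."""
    text = text.lstrip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return text[1:end] if end > 0 else text[1:]
    return text.split()[0] if text else ""


def in_user_temp(path: str) -> bool:
    return USER_TEMP_RE.match(path) is not None


def firewall_program(cmdline: str) -> Optional[str]:
    """Program path a netsh command whitelists, or None for unrelated netsh usage."""
    for pattern in NETSH_PROGRAM_RES:
        m = pattern.search(cmdline)
        if m:
            return leading_path(cmdline[m.end():])
    return None


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Three rules: Run key -> user Temp, firewall allow for a user Temp binary,
    and netsh spawned by a parent that itself runs from user Temp."""
    processes = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts: List[Dict[str, object]] = []
    for e in events:
        if e["type"] == "registry" and RUN_KEY_RE.search(str(e["key"])):
            target = leading_path(str(e["value"]))
            if in_user_temp(target):
                alerts.append({"rule": "run_key_to_user_temp", "pid": e["pid"], "detail": target})
        elif e["type"] == "process" and str(e["image"]).lower().endswith("\\netsh.exe"):
            program = firewall_program(str(e["cmdline"]))
            if program is None:
                continue
            if in_user_temp(program):
                alerts.append({"rule": "firewall_allow_user_temp", "pid": e["pid"], "detail": program})
            parent = processes.get(e["ppid"])
            if parent is not None and in_user_temp(str(parent["image"])):
                alerts.append({"rule": "temp_binary_spawns_netsh", "pid": e["pid"], "detail": parent["image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Against the constructed events this yields four alerts, all on PIDs 1100 and 472 (two Run key hits, one firewall hit, one parent-in-Temp correlation), and nothing for the two benign controls. The correlation rule is the one that survives a renamed drop location: a firewall change driven by a process running out of a user-writable directory is suspicious regardless of which path it whitelists.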
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\System32.exe (listed twice in the report; one entry kept)
  Filesize: 181KB
  MD5: cee647a4ac53946dedff90ba3c406674
  SHA1: 53ce72e3726de9c0eb4e6e6f7c569ac210c789e4
  SHA256: 3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff
  SHA512: 9c728f58876ada1ce505f7780f71770d6b467222bf28b3a316c4053e50413f77d2aa78b59b5642a80acf1caeaba98133b30354e07b2ab2262488c1a962b0de73
  All four hashes match the submitted sample, so System32.exe is a byte-for-byte self-copy of the dropper rather than a distinct second stage.
memory/472-66-0x0000000000000000-mapping.dmp
memory/1100-63-0x000007FEF3590000-0x000007FEF3FB3000-memory.dmp  10.1MB
memory/1100-59-0x0000000000000000-mapping.dmp
memory/1100-64-0x000007FEF24F0000-0x000007FEF3586000-memory.dmp  16.6MB
memory/1100-65-0x0000000001F58000-0x0000000001F77000-memory.dmp  124KB
memory/1480-58-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp  8KB
memory/1480-57-0x0000000000318000-0x0000000000337000-memory.dmp  124KB
memory/1480-56-0x0000000000318000-0x0000000000337000-memory.dmp  124KB
memory/1480-62-0x0000000000318000-0x0000000000337000-memory.dmp  124KB
memory/1480-54-0x000007FEF3FC0000-0x000007FEF49E3000-memory.dmp  10.1MB
memory/1480-55-0x000007FEF2870000-0x000007FEF3906000-memory.dmp  16.6MB
The same three region sizes (10.1MB, 16.6MB, 124KB) recur in PID 1480 and PID 1100, consistent with both processes running the same image. The 124KB region in 1480 (0x318000-0x337000) was dumped three times (56, 57, 62), so those dumps capture its contents at different points in execution.