Analysis
-
max time kernel
152s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
26-11-2022 23:03
Static task
static1
Behavioral task
behavioral1
Sample
ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
Resource
win10v2004-20220812-en
General
-
Target
ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
-
Size
68KB
-
MD5
dc9bf6257aa8cae47cbcc508e032a181
-
SHA1
2134837eef4edc6033e46efd2cbcf4747a7f544f
-
SHA256
ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331
-
SHA512
7984e1ecbc0173b6646cdb29deccbb598063b45a7ce65cd61a6a20b929f22c97ad91dd10d2368aba3059f08e675bd147a146681500654e026dfb81b7193defa4
-
SSDEEP
768:pcFliTdK61qSAl+qOQSgFrhKo//WomvdfQXwYt1IEDIefZsK:WFIxB1qSAcqOK3qowgnt1d
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe, Admin.exe
description      ioc                                                                                                                                                   process
Set value (int)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  Admin.exe
(ShowSuperHidden = 0 makes Explorer hide files carrying the system attribute, which is also the Windows default; both the parent and the dropped copy re-apply it.) -
Executes dropped EXE 1 IoCs
Processes:
Processes: Admin.exe
pid   process
1704  Admin.exe -
Loads dropped DLL 2 IoCs
Processes:
Processes: ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
pid   process
1672  ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1672  ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
Processes: ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe, Admin.exe
description      ioc                                                                                                                                          process
Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                  ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"  ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                  Admin.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"  Admin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; on its own it is a heuristic (drive enumeration is also used by worms and ordinary software), so corroborate it with file-modification evidence before treating the sample as ransomware.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Processes: ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe, Admin.exe
pid   process
1672  ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704  Admin.exe
(64 process-enumeration events were recorded, all attributed to these two PIDs.) -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Processes: ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe, Admin.exe
pid   process
1672  ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704  Admin.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Processes: ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
description                         pid   process                                                                 target process
PID 1672 wrote to memory of 1704    1672  ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe  Admin.exe
PID 1672 wrote to memory of 1704    1672  ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe  Admin.exe
PID 1672 wrote to memory of 1704    1672  ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe  Admin.exe
PID 1672 wrote to memory of 1704    1672  ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe  Admin.exe
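The registry events in the signatures above are the most actionable artefacts in this report: the Run value Admin = C:\Users\Admin\Admin.exe is the persistence, and ShowSuperHidden = 0 re-hides protected operating-system files in Explorer. The Python script below is an added example and is not part of the sandbox report or the sandbox vendor's tooling. It parses the flattened "Set value"/"Key created" IoC lines as they appear in such reports into structured events, classifies them, and groups the findings per process. The IOC_LINES are constructed from the events listed above; the regular expression, the classification rules, the HKU path rewriting and the ATT&CK sub-technique IDs (T1547.001 Registry Run Keys / Startup Folder, T1564.001 Hidden Files and Directories) are the example's own.

```python
"""Triage the registry IoCs from a sandbox behavioural report.

Added example for this page; not part of the report or the sandbox vendor's
tooling. IOC_LINES is constructed from the registry events shown under
"Signatures"; the regex, rules and ATT&CK mapping are this example's own.
"""
import re
from collections import defaultdict
from typing import Optional

PARENT = "ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe"
SID = "S-1-5-21-2292972927-2705560509-2768824231-1000"

# Constructed from the report's registry events, one event per line, in the
# "<description> <key>[ = "<value>"] <process>" layout the report uses.
IOC_LINES = [
    rf'Set value (int) \REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" {PARENT}',
    rf'Set value (int) \REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Admin.exe',
    rf'Key created \REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {PARENT}',
    rf'Set value (str) \REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" {PARENT}',
    rf'Key created \REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Admin.exe',
    rf'Set value (str) \REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" Admin.exe',
]

# Registry paths and process names contain no spaces in these reports, so a
# single regex can split description, key, optional quoted value and process.
IOC_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>int|str)\)|Key created) '
    r'(?P<key>\\REGISTRY\\\S+?)'
    r'(?: = "(?P<value>[^"]*)")?'
    r' (?P<process>\S+)$'
)


def normalize_key(key: str) -> str:
    """Rewrite the kernel-style \\REGISTRY\\... path into the hive view an analyst reads."""
    upper = key.upper()
    if upper.startswith("\\REGISTRY\\USER\\"):
        return "HKU" + key[len("\\REGISTRY\\USER"):]
    if upper.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM" + key[len("\\REGISTRY\\MACHINE"):]
    return key


def unescape_value(value: str) -> str:
    """The report doubles backslashes inside string values; undo that."""
    return value.replace("\\\\", "\\")


def classify(event: dict) -> Optional[dict]:
    """Map one registry event to a finding, or None if it is not interesting."""
    key_l = event["key"].lower()
    if key_l.endswith(r"\explorer\advanced\showsuperhidden") and event["value"] == "0":
        return {"technique": "T1564.001",
                "name": "Explorer configured to hide protected OS/system files"}
    if "\\currentversion\\run\\" in key_l and event["op"].startswith("Set value"):
        return {"technique": "T1547.001",
                "name": "Run key autostart value written",
                "autorun": unescape_value(event["value"] or "")}
    if key_l.endswith("\\currentversion\\run") and event["op"] == "Key created":
        # The Run key normally already exists; opening it is weak evidence alone.
        return {"technique": "T1547.001",
                "name": "Run key opened/created (low signal on its own)"}
    return None


def triage(lines) -> dict:
    """Return {process_name: [finding, ...]} for every line the regex understands."""
    findings = defaultdict(list)
    for line in lines:
        m = IOC_RE.match(line)
        if not m:
            continue  # not a registry event in the expected layout
        event = m.groupdict()
        hit = classify(event)
        if hit:
            hit["key"] = normalize_key(event["key"])
            findings[event["process"]].append(hit)
    return dict(findings)


if __name__ == "__main__":
    for proc, hits in triage(IOC_LINES).items():
        print(proc)
        for h in hits:
            extra = f"  -> {h['autorun']}" if "autorun" in h else ""
            print(f"  {h['technique']}  {h['name']}  {h['key']}{extra}")
```

Both processes produce the same three findings, which matches the report: the dropped Admin.exe re-asserts its own Run value and the ShowSuperHidden setting after it starts, so removing the parent alone does not remove persistence. Note also that the Downloads section lists Admin.exe at the same rounded size (68KB) as the parent but with different MD5/SHA1/SHA256 digests, so the drop is not a byte-identical self-copy and the parent's hashes alone will not match it.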
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe"
- Modifies visibility of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
   2. C:\Users\Admin\Admin.exe
      command line: "C:\Users\Admin\Admin.exe"
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Admin.exe
Filesize 68KB
MD5 5ae66bebd73930b41a94e46438336a78
SHA1 e099c940a6f0ef22c82f82c6f0543b57a32ea489
SHA256 07ee0ad75085c171056bd4d6c029d77141d61e28845029ab3c02f056fbaf349c
SHA512 6522ff416ad95be0edb37ae2e385dde7c996788e528484761bc64c333c7884ea18451c0534eec7c9aac7fa1fe488deb6d9b15d49090a3d030d6c9054f1c816ba
-
\Users\Admin\Admin.exe
Filesize 68KB
MD5 5ae66bebd73930b41a94e46438336a78
SHA1 e099c940a6f0ef22c82f82c6f0543b57a32ea489
SHA256 07ee0ad75085c171056bd4d6c029d77141d61e28845029ab3c02f056fbaf349c
SHA512 6522ff416ad95be0edb37ae2e385dde7c996788e528484761bc64c333c7884ea18451c0534eec7c9aac7fa1fe488deb6d9b15d49090a3d030d6c9054f1c816ba
-
memory/1672-54-0x0000000000400000-0x0000000000415000-memory.dmp
Filesize 84KB
-
memory/1672-57-0x0000000075201000-0x0000000075203000-memory.dmp
Filesize 8KB
-
memory/1704-60-0x0000000000000000-mapping.dmp
-
memory/1704-62-0x0000000000400000-0x0000000000415000-memory.dmp
Filesize 84KB