Analysis
- max time kernel: 150s
- max time network: 188s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 22:40
Static task: static1
Behavioral task: behavioral1
- Sample: 9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c.exe
- Resource: win10v2004-20220812-en
General
- Target: 9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c.exe
- Size: 61KB
- MD5: 84fbf0b6ad4a8e090f0c46fb7014314a
- SHA1: 35fb8bf532863e769660070079799ada057af7c7
- SHA256: 9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c
- SHA512: 143f87e4303b391df1e5ff1142ec94c67051a02fdf957dfbec6c95048983e037336ec93b41ec0aacde73852e79276fc4a29e1f69e36b63664c9552bd54e6310b
- SSDEEP: 768:fwSlBy8rR4OtJ1JYconEfEbIT/DtRw0FJ8pmp+Ou3UA5KDFQMSbowBA3iNsrie:fnlByQRonEfuIT/Dw5ZTKEHfNsl
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1480 comhost.exe
    1920 csrsss.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1480 comhost.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1248 9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c.exe
    1480 comhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)
    \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSOffice Users Licenses = "\"c:\\users\\admin\\appdata\\roaming\\MSOffice Users Licenses\\comhost.exe\""
    9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Processes (pid, process; repeated entries collapsed with their count):
    1248 9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c.exe (x2)
    1480 comhost.exe (x2)
    1920 csrsss.exe (remaining 24 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  1248 9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c.exe
    Token: SeDebugPrivilege  1480 comhost.exe
    Token: SeDebugPrivilege  1920 csrsss.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process; repeated entries collapsed with their count):
    PID 1248 wrote to memory of 1480  1248 9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c.exe -> comhost.exe (x4)
    PID 1480 wrote to memory of 1920  1480 comhost.exe -> csrsss.exe (x4)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c.exe"
  PID: 1248
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\appdata\roaming\MSOffice Users Licenses\comhost.exe
    Command line: "C:\Users\Admin\appdata\roaming\MSOffice Users Licenses\comhost.exe" "c:\users\admin\appdata\local\temp\9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c.exe"
    PID: 1480
    - Executes dropped EXE
    - Deletes itself
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\csrsss.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\csrsss.exe" -mon
      PID: 1920
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\csrsss.exe
  Filesize: 61KB
  MD5: 84fbf0b6ad4a8e090f0c46fb7014314a
  SHA1: 35fb8bf532863e769660070079799ada057af7c7
  SHA256: 9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c
  SHA512: 143f87e4303b391df1e5ff1142ec94c67051a02fdf957dfbec6c95048983e037336ec93b41ec0aacde73852e79276fc4a29e1f69e36b63664c9552bd54e6310b
- C:\Users\Admin\AppData\Roaming\MSOffice Users Licenses\comhost.exe
  Filesize: 61KB
  MD5: 84fbf0b6ad4a8e090f0c46fb7014314a
  SHA1: 35fb8bf532863e769660070079799ada057af7c7
  SHA256: 9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c
  SHA512: 143f87e4303b391df1e5ff1142ec94c67051a02fdf957dfbec6c95048983e037336ec93b41ec0aacde73852e79276fc4a29e1f69e36b63664c9552bd54e6310b
- C:\Users\Admin\appdata\roaming\MSOffice Users Licenses\comhost.exe
  Filesize: 61KB
  MD5: 84fbf0b6ad4a8e090f0c46fb7014314a
  SHA1: 35fb8bf532863e769660070079799ada057af7c7
  SHA256: 9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c
  SHA512: 143f87e4303b391df1e5ff1142ec94c67051a02fdf957dfbec6c95048983e037336ec93b41ec0aacde73852e79276fc4a29e1f69e36b63664c9552bd54e6310b
- \Users\Admin\AppData\Local\Temp\csrsss.exe
  Filesize: 61KB
  MD5: 84fbf0b6ad4a8e090f0c46fb7014314a
  SHA1: 35fb8bf532863e769660070079799ada057af7c7
  SHA256: 9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c
  SHA512: 143f87e4303b391df1e5ff1142ec94c67051a02fdf957dfbec6c95048983e037336ec93b41ec0aacde73852e79276fc4a29e1f69e36b63664c9552bd54e6310b
- \Users\Admin\AppData\Roaming\MSOffice Users Licenses\comhost.exe
  Filesize: 61KB
  MD5: 84fbf0b6ad4a8e090f0c46fb7014314a
  SHA1: 35fb8bf532863e769660070079799ada057af7c7
  SHA256: 9fd868358712a7197667f60d896209bfec81c5c80c200baba261eea3b6e94b7c
  SHA512: 143f87e4303b391df1e5ff1142ec94c67051a02fdf957dfbec6c95048983e037336ec93b41ec0aacde73852e79276fc4a29e1f69e36b63664c9552bd54e6310b
- memory/1248-54-0x00000000760A1000-0x00000000760A3000-memory.dmp (Filesize: 8KB)
- memory/1248-62-0x00000000745D0000-0x0000000074B7B000-memory.dmp (Filesize: 5.7MB)
- memory/1248-56-0x00000000745D0000-0x0000000074B7B000-memory.dmp (Filesize: 5.7MB)
- memory/1248-55-0x00000000745D0000-0x0000000074B7B000-memory.dmp (Filesize: 5.7MB)
- memory/1480-58-0x0000000000000000-mapping.dmp
- memory/1480-63-0x00000000745D0000-0x0000000074B7B000-memory.dmp (Filesize: 5.7MB)
- memory/1480-65-0x00000000745D0000-0x0000000074B7B000-memory.dmp (Filesize: 5.7MB)
- memory/1920-66-0x0000000000000000-mapping.dmp
- memory/1920-70-0x00000000745D0000-0x0000000074B7B000-memory.dmp (Filesize: 5.7MB)
- memory/1920-71-0x00000000745D0000-0x0000000074B7B000-memory.dmp (Filesize: 5.7MB)