Analysis

max time kernel: 188s
max time network: 194s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 22:52
Static task: static1

Behavioral task: behavioral1
  Sample: 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
  Resource: win10v2004-20221111-en
General

Target: 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
Size: 1.2MB
MD5: 33a67ab9f3cd79bb48c8e3db30728986
SHA1: b0154442643a0d8dafd036a501bf5e40245a0841
SHA256: 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3
SHA512: 4c0f15131b9a5d05ded58b51fc75e1d0c2070f7b6b859b0fb84d2c5c23d8bcc257e342d8f44734004b4b48ee2be1a50f0218610ba67fdc23af2d89bc6c15fd83
SSDEEP: 24576:A8ndVY0XKelcxVs1I5pYLqEeYmoRq1CNRa9XURbHudjrcSdg:A8nzYIOUQW2EeYBRq1Ag9XURbHuhm
Malware Config
Signatures
Modifies WinLogon for persistence  (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BBBCfg\\file.exe"  [reg.exe]

Executes dropped EXE  (1 IoC)
  PID 3716  svhost.exe

Drops desktop.ini file(s)  (2 IoCs)
  File created  C:\Windows\assembly\Desktop.ini  [48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe]
  File opened for modification  C:\Windows\assembly\Desktop.ini  [48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe]

Suspicious use of SetThreadContext  (1 IoC)
  PID 2240 set thread context of 3716  [48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe -> svhost.exe]

Drops file in Windows directory  (3 IoCs)
  File opened for modification  C:\Windows\assembly  [48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe]
  File created  C:\Windows\assembly\Desktop.ini  [48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe]
  File opened for modification  C:\Windows\assembly\Desktop.ini  [48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe]

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses  (5 IoCs)
  PID 2240  48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe  (x5)

Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
  PID 3716  svhost.exe

Suspicious use of AdjustPrivilegeToken  (4 IoCs)
  Token: SeDebugPrivilege  PID 2240  48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
  Token: 33  PID 2240  48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
  Token: SeIncBasePriorityPrivilege  PID 2240  48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
  Token: SeDebugPrivilege  PID 3716  svhost.exe

Suspicious use of SetWindowsHookEx  (1 IoC)
  PID 3716  svhost.exe

Suspicious use of WriteProcessMemory  (14 IoCs)
  PID 2240 wrote to memory of 4568  [48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe -> cmd.exe]  (x3)
  PID 4568 wrote to memory of 2708  [cmd.exe -> reg.exe]  (x3)
  PID 2240 wrote to memory of 3716  [48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe -> svhost.exe]  (x8)
Processes

C:\Users\Admin\AppData\Local\Temp\48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe  (PID 2240)
  command line: "C:\Users\Admin\AppData\Local\Temp\48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 4568)
    command line: "cmd.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe  (PID 2708)
      command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BBBCfg\file.exe" /f
      - Modifies WinLogon for persistence

  C:\Users\Admin\AppData\Local\Temp\svhost.exe  (PID 3716)
    command line: C:\Users\Admin\AppData\Local\Temp\svhost.exe
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
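Two findings in this run deserve more than a signature name: the parent (PID 2240) both writes into svhost.exe (PID 3716) and replaces its thread context, which is the injection/process-hollowing pair rather than the write-only pattern that ordinary process creation also produces (cmd.exe -> reg.exe above), and reg.exe sets the per-user Winlogon\Shell value to C:\Users\Admin\AppData\Local\Temp\BBBCfg\file.exe, a path that never appears among the files this run dropped. The script below is an added example, not part of the sandbox report: it parses IoC lines in the layout this report uses and pulls out exactly those two findings. REPORT_LINES copies the report's records one per line; the function names, the DEFAULT_SHELL constant and the benign HKLM line used in the check are assumptions made here.

```python
"""Added example (not from the sandbox report): parse the report's IoC lines
and extract the two findings an analyst acts on.

  1. A source PID that both wrote to a target AND set that target's thread
     context. A write on its own is weak evidence, since normal process
     creation shows up the same way (cmd.exe -> reg.exe in this report);
     the pair on one target is the injection / process-hollowing signal.
  2. A Winlogon\\Shell value that is not the stock explorer.exe.

REPORT_LINES is copied from the Signatures section, one record per line.
Everything else here is constructed for the example.
"""
import re

REPORT_LINES = [
    "PID 2240 set thread context of 3716 2240 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe svhost.exe",
    "PID 2240 wrote to memory of 4568 2240 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe cmd.exe",
    "PID 4568 wrote to memory of 2708 4568 cmd.exe reg.exe",
    "PID 2240 wrote to memory of 3716 2240 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe svhost.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000'
    r'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = '
    r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\BBBCfg\\file.exe" reg.exe',
]

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
# "PID <src> set thread context of <dst> <src> <src image> <dst image>"
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
# The key path contains a space ("Windows NT"), so it cannot be matched with \S+;
# the string value is displayed with doubled backslashes by the sandbox.
SHELL_RE = re.compile(r'Set value \(str\) (.+?\\Winlogon\\Shell) = "(.*?)" (\S+)')

DEFAULT_SHELL = "explorer.exe"  # assumed benign value (the HKLM default)


def parse_report(lines):
    """Split IoC lines into memory writes, thread-context sets and Shell writes."""
    writes, ctx_sets, shells = set(), set(), []
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            writes.add((int(m.group(1)), int(m.group(2)), m.group(4)))
            continue
        m = CTX_RE.search(line)
        if m:
            ctx_sets.add((int(m.group(1)), int(m.group(2)), m.group(4)))
            continue
        m = SHELL_RE.search(line)
        if m:
            value = m.group(2).replace("\\\\", "\\")  # undo the display escaping
            shells.append((m.group(1), value, m.group(3)))
    return writes, ctx_sets, shells


def find_hollowing_candidates(lines):
    """(src_pid, dst_pid, dst_image) for each target that the same source PID
    both wrote to and re-pointed via SetThreadContext."""
    writes, ctx_sets, _ = parse_report(lines)
    return sorted(writes & ctx_sets)


def find_shell_persistence(lines):
    """(key, value, process) for each Winlogon\\Shell write whose value is not
    explorer.exe. The per-user key normally carries no Shell value at all, so a
    write there is worth a look even before comparing the value."""
    _, _, shells = parse_report(lines)
    return [(key, value, proc) for key, value, proc in shells
            if value.strip().lower() != DEFAULT_SHELL]


if __name__ == "__main__":
    for src, dst, image in find_hollowing_candidates(REPORT_LINES):
        print(f"injection candidate: PID {src} -> PID {dst} ({image})")
    for key, value, proc in find_shell_persistence(REPORT_LINES):
        print(f"Winlogon Shell persistence via {proc}: {key} = {value}")
```

Run against the lines above it reports PID 2240 -> PID 3716 (svhost.exe) as the one injection candidate and the reg.exe Shell write as persistence; the cmd.exe -> reg.exe write is correctly left out because no thread-context change accompanies it.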
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 52KB
  MD5: a64daca3cfbcd039df3ec29d3eddd001
  SHA1: eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
  SHA256: 403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
  SHA512: b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479
memory/2240-132-0x0000000075440000-0x00000000759F1000-memory.dmp  Filesize: 5.7MB
memory/2240-140-0x0000000075440000-0x00000000759F1000-memory.dmp  Filesize: 5.7MB
memory/2240-141-0x0000000075440000-0x00000000759F1000-memory.dmp  Filesize: 5.7MB
memory/2708-134-0x0000000000000000-mapping.dmp
memory/3716-135-0x0000000000000000-mapping.dmp
memory/3716-136-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
memory/3716-139-0x0000000075440000-0x00000000759F1000-memory.dmp  Filesize: 5.7MB
memory/3716-142-0x0000000075440000-0x00000000759F1000-memory.dmp  Filesize: 5.7MB
memory/4568-133-0x0000000000000000-mapping.dmp