Analysis
Max time kernel: 192s
Max time network: 213s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 26-11-2022 00:21
Static task: static1
Behavioral task: behavioral1
  Sample: 1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe
  Resource: win10v2004-20221111-en
General
Target: 1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe
Size: 547KB
MD5: 9aa95b27ff879d63f093759239086a50
SHA1: 889325176e8c14cf31f0d940abcb0c027af5072b
SHA256: 1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874
SHA512: 4349e92b874316c8479d006452652e7e755f55116364bcc86f29719a4123f518736d7bb1df9c8a5f09ca9a5ec858974d0b4182710fc442209fc0cfa094e7db74
SSDEEP: 12288:uQ3gf7q14BqI/jHzh1GRLYT1ZneaqiTALuNGSRWGN62PedWTEOr:5gTq1KqI/zz/GqZnE/uNGyltPeggOr
Malware Config
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (5 IoCs)
Processes (pid, process):
- 1000 F3A4.tmp
- 1008 FFB6.tmp
- 1552 update.exe
- 464 (process name not recorded)
- 1660 Update.exe

Drops startup file (1 IoC)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\526932a.exe (explorer.exe)

Loads dropped DLL (6 IoCs)
Processes (pid, process):
- 1064 1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe (3 events)
- 1008 FFB6.tmp (2 events)
- 464 (process name not recorded)

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\526932 = "C:\\526932a\\526932a.exe" (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*26932 = "C:\\526932a\\526932a.exe" (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\526932a = "C:\\Users\\Admin\\AppData\\Roaming\\526932a.exe" (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*26932a = "C:\\Users\\Admin\\AppData\\Roaming\\526932a.exe" (explorer.exe)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- 3 ip-addr.es
- 5 myexternalip.com
- 7 myexternalip.com

Drops file in Windows directory (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Windows\FrameworkUpdate\Update.exe (update.exe)
- File created: C:\Windows\FrameworkUpdate\Update.exe (Update.exe)

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
- 524 vssadmin.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (pid, process):
- 1000 F3A4.tmp
- 2024 explorer.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes (pid, process: tokens adjusted):
- 1348 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 1008 FFB6.tmp: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
- 1552 update.exe: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
- 1660 Update.exe: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege

Suspicious use of WriteProcessMemory (24 IoCs)
Processes (pid, process, target process):
- PID 1064 1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe wrote to memory of 1000 F3A4.tmp (4 events)
- PID 1000 F3A4.tmp wrote to memory of 2024 explorer.exe (4 events)
- PID 1064 1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe wrote to memory of 1008 FFB6.tmp (4 events)
- PID 2024 explorer.exe wrote to memory of 768 svchost.exe (4 events)
- PID 2024 explorer.exe wrote to memory of 524 vssadmin.exe (4 events)
- PID 1008 FFB6.tmp wrote to memory of 1552 update.exe (4 events)
Processes (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\F3A4.tmp
    Command line: C:\Users\Admin\AppData\Local\Temp\F3A4.tmp
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\explorer.exe
      Command line: "C:\Windows\syswow64\explorer.exe"
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Windows\syswow64\svchost.exe
        Command line: -k netsvcs

      C:\Windows\syswow64\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies

  C:\Users\Admin\AppData\Local\Temp\FFB6.tmp
    Command line: C:\Users\Admin\AppData\Local\Temp\FFB6.tmp
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\update.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\update.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\FrameworkUpdate\Update.exe
  Command line: C:\Windows\FrameworkUpdate\Update.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\F3A4.tmp
  Filesize: 165KB
  MD5: bb16150dac73a699d4cf80c2a57ccf49
  SHA1: 0412c35713fef33ffc7c674f2d3f26889372593e
  SHA256: c6b59297a4fa5e4f6c7c59dc197b5097ecfbb615691dad8292229456f862b54b
  SHA512: 18ceb2214cfd7754222bcd0623deb6927256ebf1c2e3ce1098dcd337c0e4f4dc4738596e2cd661122f6eaf2c977a7fba7e67a5e57be1f0087aded15b8df29fa8
- C:\Users\Admin\AppData\Local\Temp\FFB6.tmp
  Filesize: 268KB
  MD5: 4e361203ebaa7247beea3ce8274cbf08
  SHA1: 8326e672261c012552251116eba6f9e98158a815
  SHA256: a4e9511ab25e80b6a2ecdbad8f0f501ae3d62d2bc1fe4f71085ebdd995dcf217
  SHA512: f8aeeb51938fc0b56ff7cac47676d12d6b36a24b681374c4dfb6656e4c03904c811ac8039d610229dd418fd38f2b0007066c0338bdc3b8d0beb6affba48ab517

- C:\Users\Admin\AppData\Local\Temp\update.exe
  Filesize: 93KB
  MD5: 54cf93f7976501f309ce569fcd2db677
  SHA1: 07690d9ada0bd3f4ee8c499a079f0177f4e462b9
  SHA256: 36ea10cf67e673133e71eccb8652630c563474c29f757c74d22ba117b72a3c09
  SHA512: 1800852018a939c909e868ab6797c5369e94a99adc0be0dfb3ab4d77676be014a30e7624ad2064bcc4344cb10003747c2ebf7f07b0e995d69e7b9c038c561109
- C:\Windows\FrameworkUpdate\Update.exe
  Filesize: 93KB
  MD5: 54cf93f7976501f309ce569fcd2db677
  SHA1: 07690d9ada0bd3f4ee8c499a079f0177f4e462b9
  SHA256: 36ea10cf67e673133e71eccb8652630c563474c29f757c74d22ba117b72a3c09
  SHA512: 1800852018a939c909e868ab6797c5369e94a99adc0be0dfb3ab4d77676be014a30e7624ad2064bcc4344cb10003747c2ebf7f07b0e995d69e7b9c038c561109