Analysis
- max time kernel: 153s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 02:05
Behavioral task
- behavioral1
- Sample: 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
- Resource: win7-20220901-en (windows7-x64)
- 5 signatures
- 150 seconds
General
- Target: 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
- Size: 1.5MB
- MD5: 255d824058f18f2d9dac2dda2214e08a
- SHA1: 95ebcbae50218bc8ca8d472a5b1b7f23d7a0c061
- SHA256: 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8
- SHA512: 65451253c32711991f742a045c4158d3219ed473a1b9120eeae888f6caa59ad108fe2133a3e95f8b98d224d119c905bed26073f29a10cf125bb73677de23a0d5
- SSDEEP: 24576:mZ1xuVVjfFoynPaVBUR8f+kN10EBiKzn1AAHEvtcwOwnvzuEG9WlE:2QDgok309qA3c5VFkW
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes (description / pid / process):
  - Token: SeIncreaseQuotaPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeSecurityPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeTakeOwnershipPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeLoadDriverPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeSystemProfilePrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeSystemtimePrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeProfSingleProcessPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeIncBasePriorityPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeCreatePagefilePrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeBackupPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeRestorePrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeShutdownPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeDebugPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeSystemEnvironmentPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeChangeNotifyPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeRemoteShutdownPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeUndockPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeManageVolumePrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeImpersonatePrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: SeCreateGlobalPrivilege / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: 33 / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: 34 / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: 35 / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  - Token: 36 / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description / pid / process / target process):
  - PID 4880 wrote to memory of 4812 / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe / iexplore.exe
  - PID 4880 wrote to memory of 4812 / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe / iexplore.exe
  - PID 4880 wrote to memory of 4812 / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe / iexplore.exe
  - PID 4880 wrote to memory of 1932 / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe / explorer.exe
  - PID 4880 wrote to memory of 1932 / 4880 / 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe / explorer.exe
Processes (process tree; path, then command line)
- C:\Users\Admin\AppData\Local\Temp\1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
  "C:\Users\Admin\AppData\Local\Temp\1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1932-132-0x0000000000000000-mapping.dmp