Analysis
max time kernel: 185s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 09:07
Static task: static1
Behavioral task: behavioral1
  Sample: 18e8ffc586d4922185406bb0a64612c2128de50b76786729145b5a774c00b5c2.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 18e8ffc586d4922185406bb0a64612c2128de50b76786729145b5a774c00b5c2.exe
  Resource: win10v2004-20220812-en
General
Target: 18e8ffc586d4922185406bb0a64612c2128de50b76786729145b5a774c00b5c2.exe
Size: 932KB
MD5: ec09d55e2054d289f1aa138382c83f4a
SHA1: c8e01f6036deededf8c52d1b600b307b0829c81a
SHA256: 18e8ffc586d4922185406bb0a64612c2128de50b76786729145b5a774c00b5c2
SHA512: aba623c1a41445e197cde6eff18f17838b8a1d6e8488ca4264a9f9f9f8bdd07e1ccf5d0ed809354a0dc7ece79dee3c9fda48ec9ebd8fdc0204b4ab502795e2ec
SSDEEP: 12288:M/sJFtFjMkihXnREUMJAIOoHuRBg3OLtjUWFIOpftASG9tRquNLe1J0MC1Y:M/gtlMkiXREzJTOF+NOxtA9tRNLe1e3Y
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    752 | Svchost.exe
- Drops startup file (1 IoCs)
  Processes (description, ioc, process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svchost.exe.lnk | Svchost.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
    File created | C:\Windows\Svchost.exe | 18e8ffc586d4922185406bb0a64612c2128de50b76786729145b5a774c00b5c2.exe
    File opened for modification | C:\Windows\Svchost.exe | 18e8ffc586d4922185406bb0a64612c2128de50b76786729145b5a774c00b5c2.exe
    File opened for modification | C:\Windows\Svchost.exe | Svchost.exe
- Launches sc.exe (2 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes (pid, process):
    596 | sc.exe
    296 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege | 752 | Svchost.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes (pid, process):
    1252 | 18e8ffc586d4922185406bb0a64612c2128de50b76786729145b5a774c00b5c2.exe (2 entries)
    752 | Svchost.exe (3 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1252 wrote to memory of 596 | 1252 | 18e8ffc586d4922185406bb0a64612c2128de50b76786729145b5a774c00b5c2.exe | sc.exe (4 entries)
    PID 1252 wrote to memory of 296 | 1252 | 18e8ffc586d4922185406bb0a64612c2128de50b76786729145b5a774c00b5c2.exe | sc.exe (4 entries)
    PID 1252 wrote to memory of 752 | 1252 | 18e8ffc586d4922185406bb0a64612c2128de50b76786729145b5a774c00b5c2.exe | Svchost.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\18e8ffc586d4922185406bb0a64612c2128de50b76786729145b5a774c00b5c2.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18e8ffc586d4922185406bb0a64612c2128de50b76786729145b5a774c00b5c2.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: sc.exe Create "COMEventn" type= own type= interact start= auto DisplayName= "COM++ Event System32" binPath= "cmd.exe /c start "C:\Windows\\Svchost.exe"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: sc.exe description "COMEventn" 支持系统事件通知服务(SENS)，此服务为订阅组件对象模型(COM)组件事件提供自动分布功能
    - Launches sc.exe
  - C:\Windows\Svchost.exe (depth 2)
    Command line: C:\Windows\\Svchost.exe
    - Executes dropped EXE
    - Drops startup file
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Svchost.exe
  Filesize: 10.9MB
  MD5: bee22806cf7e67c1300707c9ad9086d2
  SHA1: 13966159c8f66da48d6827f7dbcfbf973bf9fa5e
  SHA256: a70ee15c4c7692753a5d65525a1f29508dc9f8bf4611171df488490ca3fcf2b7
  SHA512: ad87c669a422972e12a2835981dc0259de705fecc61364d462f4797edcd098cb3f7b1def68c296ee902e555730765a71d6d240e1d62e4323f21cafa9118673d6
- memory/296-56-0x0000000000000000-mapping.dmp
- memory/596-55-0x0000000000000000-mapping.dmp
- memory/752-57-0x0000000000000000-mapping.dmp
- memory/1252-54-0x00000000760D1000-0x00000000760D3000-memory.dmp
  Filesize: 8KB