Analysis
max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
26-11-2022 08:30
Static task
static1
Behavioral task
behavioral1
Sample
34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Resource
win10v2004-20220901-en
General
-
Target
34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
-
Size
192KB
-
MD5
943f756626ce91cde9b9246e26642039
-
SHA1
a633aa256f687d95fa746efcb8d8c55da309b879
-
SHA256
34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900
-
SHA512
125109e78c64516b30de6d757c5d36e8d69ecc8efb3e4a9780e8a2ba130ad3d079b6f702023d353e6168a2d14cf0357482373047fd02b7edc29ffc266323bee8
-
SSDEEP
3072:E2tbXewZT3vviEj3IbQhbElPYSIeXkOAAeSTYSijsFCOJHeI6Awd:E2tbX/v8bQ653BXktVSsTSCOhDc
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe" | reg.exe
Loads dropped DLL (1 IoC)
Processes: 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
pid | process
868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
pid | process
868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
description | pid | process
Token: SeDebugPrivilege | 868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Token: 33 | 868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Token: SeIncBasePriorityPrivilege | 868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe, cmd.exe, wscript.exe, cmd.exe
description | pid | process | target process
PID 868 wrote to memory of 2032 | 868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe | cmd.exe
PID 868 wrote to memory of 2032 | 868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe | cmd.exe
PID 868 wrote to memory of 2032 | 868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe | cmd.exe
PID 868 wrote to memory of 2032 | 868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe | cmd.exe
PID 868 wrote to memory of 1756 | 868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe | notepad .exe
PID 868 wrote to memory of 1756 | 868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe | notepad .exe
PID 868 wrote to memory of 1756 | 868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe | notepad .exe
PID 868 wrote to memory of 1756 | 868 | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe | notepad .exe
PID 2032 wrote to memory of 1916 | 2032 | cmd.exe | wscript.exe
PID 2032 wrote to memory of 1916 | 2032 | cmd.exe | wscript.exe
PID 2032 wrote to memory of 1916 | 2032 | cmd.exe | wscript.exe
PID 2032 wrote to memory of 1916 | 2032 | cmd.exe | wscript.exe
PID 1916 wrote to memory of 2008 | 1916 | wscript.exe | cmd.exe
PID 1916 wrote to memory of 2008 | 1916 | wscript.exe | cmd.exe
PID 1916 wrote to memory of 2008 | 1916 | wscript.exe | cmd.exe
PID 1916 wrote to memory of 2008 | 1916 | wscript.exe | cmd.exe
PID 2008 wrote to memory of 1748 | 2008 | cmd.exe | reg.exe
PID 2008 wrote to memory of 1748 | 2008 | cmd.exe | reg.exe
PID 2008 wrote to memory of 1748 | 2008 | cmd.exe | reg.exe
PID 2008 wrote to memory of 1748 | 2008 | cmd.exe | reg.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  -
  Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
  - Suspicious use of WriteProcessMemory
    -
    Level 3: C:\Windows\SysWOW64\wscript.exe
    Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
    - Suspicious use of WriteProcessMemory
      -
      Level 4: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
      - Suspicious use of WriteProcessMemory
        -
        Level 5: C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f
        - Modifies WinLogon for persistence
  -
  Level 2: C:\Users\Admin\AppData\Local\Temp\notepad .exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\notepad .exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe
Filesize
192KB
MD5
943f756626ce91cde9b9246e26642039
SHA1
a633aa256f687d95fa746efcb8d8c55da309b879
SHA256
34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900
SHA512
125109e78c64516b30de6d757c5d36e8d69ecc8efb3e4a9780e8a2ba130ad3d079b6f702023d353e6168a2d14cf0357482373047fd02b7edc29ffc266323bee8
-
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs
Filesize
78B
MD5
c578d9653b22800c3eb6b6a51219bbb8
SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d
SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
-
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
Filesize
70B
MD5
23f72401196919748c14cb64c1d55c3b
SHA1
869e3809cb4391e6f5aee5349a871e40a1e1fb22
SHA256
d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11
SHA512
2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1
-
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
Filesize
264B
MD5
4a348e658b3bece507de24309737f37e
SHA1
4abb0d9acf447d8ae8f2c4ffbdde71f74df0eb6e
SHA256
fe0ccea8e63ad44a98bce2497dede9f5387c4596427e847686f7595301b1e15f
SHA512
c285c3c8f5cbf16d1351d3771abec41970eb0c47211d6102057367f0aa5674ee745520aafa55f4383f6386bb1ec9b5329705added4d75a77ba58dcdc487c0ddd
-
\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB
MD5
278edbd499374bf73621f8c1f969d894
SHA1
a81170af14747781c5f5f51bb1215893136f0bc0
SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9
-
memory/868-54-0x0000000075131000-0x0000000075133000-memory.dmp
Filesize
8KB
-
memory/868-55-0x0000000073FA0000-0x000000007454B000-memory.dmp
Filesize
5.7MB
-
memory/868-66-0x0000000073FA0000-0x000000007454B000-memory.dmp
Filesize
5.7MB
-
memory/868-67-0x0000000073FA0000-0x000000007454B000-memory.dmp
Filesize
5.7MB
-
memory/1748-64-0x0000000000000000-mapping.dmp
-
memory/1916-59-0x0000000000000000-mapping.dmp
-
memory/2008-63-0x0000000000000000-mapping.dmp
-
memory/2032-56-0x0000000000000000-mapping.dmp