Analysis
max time kernel: 250s
max time network: 345s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 08:35
Static task: static1
Behavioral task: behavioral1
  Sample: db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647.exe
  Resource: win10v2004-20221111-en
General
Target: db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647.exe
Size: 401KB
MD5: 60632a21bdc4e01d73832e6e80ddbf7b
SHA1: 4f5872f2e00662c129b0b7e541cd78862db3461c
SHA256: db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647
SHA512: a97ecd3ddd0243cd023ec56c816c0adf11cb85a2aded0c3201a19117726808ec667af0d06ef51c629c6e5867e6ba7567e3fda80c3016bc6ac13a77ec1d49c732
SSDEEP: 3072:kx4ITM48SDZSBreHTNVujO/JVUSO2tmmXVhF26:4MFBqHTNEjO/JqC2
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid 920  Firefox.exe
-
Modifies Windows Firewall (1 TTP, 1 IoC)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Firefox.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\0e3d1529a158ba6db2fcfe58fb321719 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Firefox.exe\" .."  (process: Firefox.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0e3d1529a158ba6db2fcfe58fb321719 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Firefox.exe\" .."  (process: Firefox.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (22 IoCs)
Processes: db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647.exe, Firefox.exe
  Token: SeDebugPrivilege            pid 472  db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647.exe
  Token: 33                          pid 472  db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647.exe
  Token: SeIncBasePriorityPrivilege  pid 472  db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647.exe
  Token: SeDebugPrivilege            pid 920  Firefox.exe
  Token: 33                          pid 920  Firefox.exe
  Token: SeIncBasePriorityPrivilege  pid 920  Firefox.exe
  Token: 33                          pid 920  Firefox.exe
  Token: SeIncBasePriorityPrivilege  pid 920  Firefox.exe
  Token: 33                          pid 920  Firefox.exe
  Token: SeIncBasePriorityPrivilege  pid 920  Firefox.exe
  Token: 33                          pid 920  Firefox.exe
  Token: SeIncBasePriorityPrivilege  pid 920  Firefox.exe
  Token: 33                          pid 920  Firefox.exe
  Token: SeIncBasePriorityPrivilege  pid 920  Firefox.exe
  Token: 33                          pid 920  Firefox.exe
  Token: SeIncBasePriorityPrivilege  pid 920  Firefox.exe
  Token: 33                          pid 920  Firefox.exe
  Token: SeIncBasePriorityPrivilege  pid 920  Firefox.exe
  Token: 33                          pid 920  Firefox.exe
  Token: SeIncBasePriorityPrivilege  pid 920  Firefox.exe
  Token: 33                          pid 920  Firefox.exe
  Token: SeIncBasePriorityPrivilege  pid 920  Firefox.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647.exe, Firefox.exe
  PID 472 wrote to memory of 920   db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647.exe -> Firefox.exe
  PID 472 wrote to memory of 920   db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647.exe -> Firefox.exe
  PID 472 wrote to memory of 920   db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647.exe -> Firefox.exe
  PID 920 wrote to memory of 1868  Firefox.exe -> netsh.exe
  PID 920 wrote to memory of 1868  Firefox.exe -> netsh.exe
  PID 920 wrote to memory of 1868  Firefox.exe -> netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647.exe"
   PID: 472
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Firefox.exe (child of PID 472)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Firefox.exe"
      PID: 920
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe (child of PID 920)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Firefox.exe" "Firefox.exe" ENABLE
         PID: 1868
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Firefox.exe
  Filesize: 401KB
  MD5: 60632a21bdc4e01d73832e6e80ddbf7b
  SHA1: 4f5872f2e00662c129b0b7e541cd78862db3461c
  SHA256: db2c557a428446fc053005075800d6107eb3664eecb95ce393e5b5ea511ee647
  SHA512: a97ecd3ddd0243cd023ec56c816c0adf11cb85a2aded0c3201a19117726808ec667af0d06ef51c629c6e5867e6ba7567e3fda80c3016bc6ac13a77ec1d49c732
Memory dumps
  memory/472-54-0x000007FEF3BC0000-0x000007FEF45E3000-memory.dmp  Filesize: 10.1MB
  memory/472-55-0x000007FEF28E0000-0x000007FEF3976000-memory.dmp  Filesize: 16.6MB
  memory/472-56-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp  Filesize: 8KB
  memory/920-57-0x0000000000000000-mapping.dmp
  memory/920-60-0x000007FEF3BC0000-0x000007FEF45E3000-memory.dmp  Filesize: 10.1MB
  memory/920-61-0x000007FEF28E0000-0x000007FEF3976000-memory.dmp  Filesize: 16.6MB
  memory/1868-62-0x0000000000000000-mapping.dmp