Analysis

max time kernel: 151s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 08:41
Static task: static1

Behavioral task: behavioral1
  Sample: aebe14fe1dfbd89848f51831dc53f2e0df55908783959b57eec070c2a1ddc98c.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: aebe14fe1dfbd89848f51831dc53f2e0df55908783959b57eec070c2a1ddc98c.exe
  Resource: win10v2004-20220812-en

(The platform and resource fields above match behavioral1, so the signatures, process tree and dumps that follow are from the Windows 7 x64 run.)
General

Target: aebe14fe1dfbd89848f51831dc53f2e0df55908783959b57eec070c2a1ddc98c.exe
Size: 383KB
MD5: ee67fdd8f9b5dffe1d0d123caf3032f7
SHA1: a8adc23fae4182ec697f0bf313e5f6a35a7fb938
SHA256: aebe14fe1dfbd89848f51831dc53f2e0df55908783959b57eec070c2a1ddc98c
SHA512: 0b72f4eaec920a45672ec3463075adc9f92fcfb694694362fbdfb807b9e4af2222a06ac8c472ea5449e8d154b2e739f0e1867986236614336cd0b2351123a391
SSDEEP: 6144:lvLnQs/GKl8uHsdcPZBKsthXOb5klzPYbT9l4:MUBRXOb5klzPYbT9l
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Process: Adobe Flash Player.exe (PID 1940)

Modifies Windows Firewall (1 TTP, 1 IoC)
  See netsh.exe (PID 960) in the process tree: the dropped copy adds itself to the firewall's allowed-program list.

Loads dropped DLL (1 IoC)
  Process: aebe14fe1dfbd89848f51831dc53f2e0df55908783959b57eec070c2a1ddc98c.exe (PID 2032)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Adobe Flash Player.exe set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\a07a91777010474116d458fa1d4f8230 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe Flash Player.exe\" .."
  Adobe Flash Player.exe set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a07a91777010474116d458fa1d4f8230 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe Flash Player.exe\" .."
  The same value name (a 32-character hex string) is written under both the user hive and HKLM (via Wow6432Node, i.e. from a 32-bit process). Both values point at the copy in %TEMP% and pass ".." as an argument.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour, but nothing else in this report (no file encryption, no ransom note, no mass file writes) supports that; treat drive enumeration on its own as weak evidence.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Adobe Flash Player.exe (PID 1940): SeDebugPrivilege once, then privilege LUID 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege, alternating, nine times each.

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2032 (aebe14fe1dfbd89848f51831dc53f2e0df55908783959b57eec070c2a1ddc98c.exe) wrote to memory of PID 1940 (Adobe Flash Player.exe), 4 times
  PID 1940 (Adobe Flash Player.exe) wrote to memory of PID 960 (netsh.exe), 4 times
  Each burst of writes goes from a parent into the child it has just created, a pattern consistent with ordinary process start-up rather than injection into an unrelated process; on its own it is weak evidence.
Processes

C:\Users\Admin\AppData\Local\Temp\aebe14fe1dfbd89848f51831dc53f2e0df55908783959b57eec070c2a1ddc98c.exe  (PID 2032)
  command line: "C:\Users\Admin\AppData\Local\Temp\aebe14fe1dfbd89848f51831dc53f2e0df55908783959b57eec070c2a1ddc98c.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Adobe Flash Player.exe  (PID 1940, child of 2032)
    command line: "C:\Users\Admin\AppData\Local\Temp\Adobe Flash Player.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe  (PID 960, child of 1940)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Adobe Flash Player.exe" "Adobe Flash Player.exe" ENABLE
      - Modifies Windows Firewall

Chain: the submitted sample writes a copy of itself to %TEMP% under a name imitating Adobe Flash Player, launches that copy, and the copy registers itself for autostart and whitelists itself in the Windows Firewall. netsh is loaded from SysWOW64, so the chain runs as 32-bit code on the 64-bit guest. The legacy "netsh firewall" context is deprecated in favour of "netsh advfirewall" but still works on Windows 7; a hunt should cover both spellings.
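The Run-key and firewall observables above are the ones worth hunting for across an estate, since both survive a rename of the dropped file. The following is an added example of that detection logic, written for this page and not code from the sandbox or its vendor; the event dictionaries, the allowlist entry and the two benign control events are constructed, and the user-writable-directory heuristic is an assumption to tune locally.

```python
"""Detection logic for the two observables above that survive renaming of the
sample: a Run/RunOnce value and a netsh firewall exception that both point at
an executable in a user-writable directory.  Event format and sample events
are constructed for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Directories from which a vendor-installed program would rarely be both
# auto-started and granted a firewall exception (heuristic; tune per estate).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)
# Known-good prefixes that legitimately live under AppData (constructed allowlist).
ALLOWLIST = (r"\appdata\local\microsoft\onedrive",)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\([^\\]+)$", re.IGNORECASE)
HEX_NAME = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)   # value-name style seen in the report


@dataclass
class Finding:
    pid: int
    rule: str
    path: str
    note: str = ""


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def suspicious_path(path: str) -> bool:
    low = path.lower()
    return bool(USER_WRITABLE.match(low)) and not any(a in low for a in ALLOWLIST)


def firewall_exception_target(cmdline: str) -> Optional[str]:
    """Program path if cmdline adds an allow rule via netsh, else None.
    Covers the legacy 'netsh firewall add allowedprogram <path> <name> ENABLE'
    form from the report and 'netsh advfirewall firewall add rule ... program=<path>'."""
    t = tokens(cmdline)
    if not t or not t[0].lower().split("\\")[-1].startswith("netsh"):
        return None
    low = [x.lower() for x in t]
    if "allowedprogram" in low:
        i = low.index("allowedprogram")
        if i + 1 < len(t):
            return t[i + 1].split("=", 1)[-1]      # also accepts 'program=<path>'
    if "advfirewall" in low and "add" in low:
        for x in t:
            if x.lower().startswith("program="):
                return x.split("=", 1)[1]
    return None


def run_key_target(key: str, data: str) -> Optional[tuple[str, str]]:
    """(value_name, exe_path) if key is a Run/RunOnce value, else None."""
    m = RUN_KEY.search(key)
    t = tokens(data)
    return (m.group(2), t[0]) if m and t else None


def scan(events: list[dict]) -> list[Finding]:
    """Apply both rules to a list of process-creation / registry-set events."""
    out: list[Finding] = []
    for e in events:
        if e["type"] == "process":
            p = firewall_exception_target(e["cmdline"])
            if p and suspicious_path(p):
                out.append(Finding(e["pid"], "firewall_exception_user_writable", p))
        elif e["type"] == "registry":
            r = run_key_target(e["key"], e["data"])
            if r and suspicious_path(r[1]):
                note = "value name is a 32-hex-char blob" if HEX_NAME.match(r[0]) else ""
                out.append(Finding(e["pid"], "run_key_user_writable", r[1], note))
    return out


# Constructed events: the three from the report plus two benign controls.
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\Adobe Flash Player.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 960,
     "cmdline": f'netsh firewall add allowedprogram "{TEMP_EXE}" "Adobe Flash Player.exe" ENABLE'},
    {"type": "registry", "pid": 1940,
     "key": r"\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\a07a91777010474116d458fa1d4f8230",
     "data": f'"{TEMP_EXE}" ..'},
    {"type": "registry", "pid": 1940,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a07a91777010474116d458fa1d4f8230",
     "data": f'"{TEMP_EXE}" ..'},
    {"type": "process", "pid": 4242,   # vendor rule under Program Files: not flagged
     "cmdline": 'netsh advfirewall firewall add rule name="VPN" dir=in action=allow program="C:\\Program Files\\VPN\\vpn.exe" enable=yes'},
    {"type": "registry", "pid": 4243,  # OneDrive autorun under AppData: allowlisted
     "key": r"\REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.rule} -> {f.path} {f.note}")
```

Run against the constructed events, the three report observables are flagged and the two controls are not. The OneDrive control shows why a bare "anything under AppData" rule is not deployable without an allowlist, and the 32-hex-char value name is recorded only as a note, since it is a style the operator could change at any time.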
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Adobe Flash Player.exe
  Filesize: 383KB
  MD5: ee67fdd8f9b5dffe1d0d123caf3032f7
  SHA1: a8adc23fae4182ec697f0bf313e5f6a35a7fb938
  SHA256: aebe14fe1dfbd89848f51831dc53f2e0df55908783959b57eec070c2a1ddc98c
  SHA512: 0b72f4eaec920a45672ec3463075adc9f92fcfb694694362fbdfb807b9e4af2222a06ac8c472ea5449e8d154b2e739f0e1867986236614336cd0b2351123a391
  (Listed three times by the sandbox: twice as C:\Users\Admin\AppData\Local\Temp\Adobe Flash Player.exe and once as \Users\Admin\AppData\Local\Temp\Adobe Flash Player.exe, with identical hashes. Every hash matches the submitted sample, so the dropped file is a byte-for-byte self-copy and one set of hashes covers both files for blocking.)
memory/960-64-0x0000000000000000-mapping.dmp
memory/1940-57-0x0000000000000000-mapping.dmp
memory/1940-62-0x0000000074C00000-0x00000000751AB000-memory.dmp  (Filesize 5.7MB)
memory/1940-63-0x0000000074C00000-0x00000000751AB000-memory.dmp  (Filesize 5.7MB)
memory/1940-66-0x0000000074C00000-0x00000000751AB000-memory.dmp  (Filesize 5.7MB)
memory/2032-54-0x0000000076261000-0x0000000076263000-memory.dmp  (Filesize 8KB)
memory/2032-55-0x0000000074C00000-0x00000000751AB000-memory.dmp  (Filesize 5.7MB)
memory/2032-61-0x0000000074C00000-0x00000000751AB000-memory.dmp  (Filesize 5.7MB)