Analysis

max time kernel: 82s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 08:44
Static task: static1

Behavioral task: behavioral1
  Sample: 4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3.exe
  Resource: win10v2004-20220812-en
General

Target: 4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3.exe
Size: 43KB
MD5: 0b29295ab9a85de16f4986ddfa429736
SHA1: a1dba87f0303dd0949a7aef43a22bf21faf82d47
SHA256: 4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3
SHA512: 7e8aea4c2ccbada8016c542ad138a0a3594873ca2a7e0bf1a33190ddd3bc9655997c7b28ae80dee2b53c73b51319ca77bf757475185046b5478a65355d106974
SSDEEP: 768:T0YywTp8KxoTXS+GkvWrW9GTe2OZ501U6HEjHXuqvtq1/dEb17xFDZshR3lN83fp:DGGHpxMJWa2ZfHCCrk
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  1240 | internet.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32f86268028bb7f4d8a6758000010377.exe | internet.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32f86268028bb7f4d8a6758000010377.exe | internet.exe

Loads dropped DLL (1 IoCs)
Processes:
  pid | process
  1168 | 4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\32f86268028bb7f4d8a6758000010377 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\internet.exe\" .." | internet.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\32f86268028bb7f4d8a6758000010377 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\internet.exe\" .." | internet.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid | process
  1240 | internet.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1240 | internet.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description | pid | process | target process
  PID 1168 wrote to memory of 1240 | 1168 | 4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3.exe | internet.exe
  PID 1168 wrote to memory of 1240 | 1168 | 4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3.exe | internet.exe
  PID 1168 wrote to memory of 1240 | 1168 | 4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3.exe | internet.exe
  PID 1168 wrote to memory of 1240 | 1168 | 4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3.exe | internet.exe
  PID 1240 wrote to memory of 900 | 1240 | internet.exe | netsh.exe
  PID 1240 wrote to memory of 900 | 1240 | internet.exe | netsh.exe
  PID 1240 wrote to memory of 900 | 1240 | internet.exe | netsh.exe
  PID 1240 wrote to memory of 900 | 1240 | internet.exe | netsh.exe
Processes (process tree; indentation shows parent/child nesting)

1. C:\Users\Admin\AppData\Local\Temp\4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\internet.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\internet.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\internet.exe" "internet.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\internet.exe
  Filesize: 43KB
  MD5: 0b29295ab9a85de16f4986ddfa429736
  SHA1: a1dba87f0303dd0949a7aef43a22bf21faf82d47
  SHA256: 4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3
  SHA512: 7e8aea4c2ccbada8016c542ad138a0a3594873ca2a7e0bf1a33190ddd3bc9655997c7b28ae80dee2b53c73b51319ca77bf757475185046b5478a65355d106974

C:\Users\Admin\AppData\Local\Temp\internet.exe
  Filesize: 43KB
  MD5: 0b29295ab9a85de16f4986ddfa429736
  SHA1: a1dba87f0303dd0949a7aef43a22bf21faf82d47
  SHA256: 4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3
  SHA512: 7e8aea4c2ccbada8016c542ad138a0a3594873ca2a7e0bf1a33190ddd3bc9655997c7b28ae80dee2b53c73b51319ca77bf757475185046b5478a65355d106974

\Users\Admin\AppData\Local\Temp\internet.exe
  Filesize: 43KB
  MD5: 0b29295ab9a85de16f4986ddfa429736
  SHA1: a1dba87f0303dd0949a7aef43a22bf21faf82d47
  SHA256: 4d1b673bd4b7e69436eb2c0946392b644e986a5a4470bd35f2953a69f81f94e3
  SHA512: 7e8aea4c2ccbada8016c542ad138a0a3594873ca2a7e0bf1a33190ddd3bc9655997c7b28ae80dee2b53c73b51319ca77bf757475185046b5478a65355d106974
memory/900-60-0x0000000000000000-mapping.dmp

memory/1168-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
  Filesize: 8KB

memory/1168-61-0x0000000074610000-0x0000000074BBB000-memory.dmp
  Filesize: 5.7MB

memory/1240-56-0x0000000000000000-mapping.dmp

memory/1240-62-0x0000000074610000-0x0000000074BBB000-memory.dmp
  Filesize: 5.7MB

memory/1240-64-0x0000000074610000-0x0000000074BBB000-memory.dmp
  Filesize: 5.7MB