Analysis
max time kernel: 149s
max time network: 169s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 08:44

Static task: static1

Behavioral task: behavioral1
Sample: 339d1e54d957d1982fd84cb2146c24f379156ed94ffd6fac6e86806d8095d2e8.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 339d1e54d957d1982fd84cb2146c24f379156ed94ffd6fac6e86806d8095d2e8.exe
Resource: win10v2004-20220901-en
General
Target: 339d1e54d957d1982fd84cb2146c24f379156ed94ffd6fac6e86806d8095d2e8.exe
Size: 43KB
MD5: e9ec61fc8def56363871364a9af90e87
SHA1: bb227dc2d4abca5033e4ada392da8465f23db33f
SHA256: 339d1e54d957d1982fd84cb2146c24f379156ed94ffd6fac6e86806d8095d2e8
SHA512: 1aaf1a17e0e9a0ffe55301ed59799a7b5878700797f524c4a2ed87785e70b12c6dcd0cddc644262fd477d94c4c66dee8a17599a8f700fc3971c0926c7332c3ca
SSDEEP: 768:pTe7nd8qhYz3S228PmrW96Te2+p581R6HijH+EqvtK1EXoB1T1kNtuPmHCCjPkaH:Gm6Hh0KQWvhkZHCCrk
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 536 svch.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Processes: svch.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d7799564c49ca2fb2f556a9f4a8d17a.exe (by svch.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d7799564c49ca2fb2f556a9f4a8d17a.exe (by svch.exe)
- Loads dropped DLL (1 IoC)
  Processes: PID 976 339d1e54d957d1982fd84cb2146c24f379156ed94ffd6fac6e86806d8095d2e8.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svch.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\3d7799564c49ca2fb2f556a9f4a8d17a = "\"C:\\Users\\Admin\\AppData\\Roaming\\svch.exe\" .." (by svch.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3d7799564c49ca2fb2f556a9f4a8d17a = "\"C:\\Users\\Admin\\AppData\\Roaming\\svch.exe\" .." (by svch.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 536 svch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 536 svch.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 976 (339d1e54d957d1982fd84cb2146c24f379156ed94ffd6fac6e86806d8095d2e8.exe) wrote to memory of PID 536 (svch.exe): 4 identical entries
  PID 536 (svch.exe) wrote to memory of PID 872 (netsh.exe): 4 identical entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\339d1e54d957d1982fd84cb2146c24f379156ed94ffd6fac6e86806d8095d2e8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\339d1e54d957d1982fd84cb2146c24f379156ed94ffd6fac6e86806d8095d2e8.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\svch.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svch.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svch.exe" "svch.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\svch.exe
Filesize: 43KB
MD5: e9ec61fc8def56363871364a9af90e87
SHA1: bb227dc2d4abca5033e4ada392da8465f23db33f
SHA256: 339d1e54d957d1982fd84cb2146c24f379156ed94ffd6fac6e86806d8095d2e8
SHA512: 1aaf1a17e0e9a0ffe55301ed59799a7b5878700797f524c4a2ed87785e70b12c6dcd0cddc644262fd477d94c4c66dee8a17599a8f700fc3971c0926c7332c3ca

\Users\Admin\AppData\Roaming\svch.exe
Filesize: 43KB
MD5: e9ec61fc8def56363871364a9af90e87
SHA1: bb227dc2d4abca5033e4ada392da8465f23db33f
SHA256: 339d1e54d957d1982fd84cb2146c24f379156ed94ffd6fac6e86806d8095d2e8
SHA512: 1aaf1a17e0e9a0ffe55301ed59799a7b5878700797f524c4a2ed87785e70b12c6dcd0cddc644262fd477d94c4c66dee8a17599a8f700fc3971c0926c7332c3ca

memory/536-56-0x0000000000000000-mapping.dmp
memory/536-64-0x0000000073EC0000-0x000000007446B000-memory.dmp (Filesize: 5.7MB)
memory/536-65-0x0000000073EC0000-0x000000007446B000-memory.dmp (Filesize: 5.7MB)
memory/872-62-0x0000000000000000-mapping.dmp
memory/976-54-0x0000000075891000-0x0000000075893000-memory.dmp (Filesize: 8KB)
memory/976-60-0x0000000073EC0000-0x000000007446B000-memory.dmp (Filesize: 5.7MB)
memory/976-61-0x0000000073EC0000-0x000000007446B000-memory.dmp (Filesize: 5.7MB)