Analysis
max time kernel: 152s
max time network: 166s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 26-11-2022 08:44
Static task: static1
Behavioral task: behavioral1
Sample: 0131d6f1350e2fc548993890d0a1919d8c795d5012f2ca9174549aa4bbdb8f5b.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 0131d6f1350e2fc548993890d0a1919d8c795d5012f2ca9174549aa4bbdb8f5b.exe
Resource: win10v2004-20220901-en
General
Target: 0131d6f1350e2fc548993890d0a1919d8c795d5012f2ca9174549aa4bbdb8f5b.exe
Size: 43KB
MD5: 42ff99b3b9e89ecd45860fee6375eaac
SHA1: b2468b712562525078a9b00b1caeafbd8f4f1762
SHA256: 0131d6f1350e2fc548993890d0a1919d8c795d5012f2ca9174549aa4bbdb8f5b
SHA512: cc75e3f2df8219cb6e94069f079f69c68c4c2c4177b5e5f7500122393f082e1401b7fc65264f68d798193a062e43f16be1d2614f18552956667ed3b33a1c36cf
SSDEEP: 768:QTe7nd8qhYz3S228PmrW96Te2+p581R6HijH+EqvtK1EXoB1T1kNtuPmHCCjPkaH:Xm6Hh0KQWvhkZHCCrk
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid 948  process svch.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d7799564c49ca2fb2f556a9f4a8d17a.exe  (process svch.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d7799564c49ca2fb2f556a9f4a8d17a.exe  (process svch.exe)

Loads dropped DLL (1 IoCs)
Processes:
  pid 1132  process 0131d6f1350e2fc548993890d0a1919d8c795d5012f2ca9174549aa4bbdb8f5b.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3d7799564c49ca2fb2f556a9f4a8d17a = "\"C:\\Users\\Admin\\AppData\\Roaming\\svch.exe\" .."  (process svch.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\3d7799564c49ca2fb2f556a9f4a8d17a = "\"C:\\Users\\Admin\\AppData\\Roaming\\svch.exe\" .."  (process svch.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid 948  process svch.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 948  process svch.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  PID 1132 wrote to memory of 948  (pid 1132, process 0131d6f1350e2fc548993890d0a1919d8c795d5012f2ca9174549aa4bbdb8f5b.exe, target process svch.exe)
  PID 1132 wrote to memory of 948  (pid 1132, process 0131d6f1350e2fc548993890d0a1919d8c795d5012f2ca9174549aa4bbdb8f5b.exe, target process svch.exe)
  PID 1132 wrote to memory of 948  (pid 1132, process 0131d6f1350e2fc548993890d0a1919d8c795d5012f2ca9174549aa4bbdb8f5b.exe, target process svch.exe)
  PID 1132 wrote to memory of 948  (pid 1132, process 0131d6f1350e2fc548993890d0a1919d8c795d5012f2ca9174549aa4bbdb8f5b.exe, target process svch.exe)
  PID 948 wrote to memory of 1896  (pid 948, process svch.exe, target process netsh.exe)
  PID 948 wrote to memory of 1896  (pid 948, process svch.exe, target process netsh.exe)
  PID 948 wrote to memory of 1896  (pid 948, process svch.exe, target process netsh.exe)
  PID 948 wrote to memory of 1896  (pid 948, process svch.exe, target process netsh.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\0131d6f1350e2fc548993890d0a1919d8c795d5012f2ca9174549aa4bbdb8f5b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0131d6f1350e2fc548993890d0a1919d8c795d5012f2ca9174549aa4bbdb8f5b.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\svch.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svch.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svch.exe" "svch.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\svch.exe
Filesize: 43KB
MD5: 42ff99b3b9e89ecd45860fee6375eaac
SHA1: b2468b712562525078a9b00b1caeafbd8f4f1762
SHA256: 0131d6f1350e2fc548993890d0a1919d8c795d5012f2ca9174549aa4bbdb8f5b
SHA512: cc75e3f2df8219cb6e94069f079f69c68c4c2c4177b5e5f7500122393f082e1401b7fc65264f68d798193a062e43f16be1d2614f18552956667ed3b33a1c36cf

\Users\Admin\AppData\Roaming\svch.exe
Filesize: 43KB
MD5: 42ff99b3b9e89ecd45860fee6375eaac
SHA1: b2468b712562525078a9b00b1caeafbd8f4f1762
SHA256: 0131d6f1350e2fc548993890d0a1919d8c795d5012f2ca9174549aa4bbdb8f5b
SHA512: cc75e3f2df8219cb6e94069f079f69c68c4c2c4177b5e5f7500122393f082e1401b7fc65264f68d798193a062e43f16be1d2614f18552956667ed3b33a1c36cf

memory/948-56-0x0000000000000000-mapping.dmp

memory/948-63-0x0000000074C50000-0x00000000751FB000-memory.dmp
Filesize: 5.7MB

memory/948-64-0x0000000074C50000-0x00000000751FB000-memory.dmp
Filesize: 5.7MB

memory/1132-54-0x00000000761E1000-0x00000000761E3000-memory.dmp
Filesize: 8KB

memory/1132-61-0x0000000074C50000-0x00000000751FB000-memory.dmp
Filesize: 5.7MB

memory/1896-60-0x0000000000000000-mapping.dmp