Overview

overview

10

Static

static

fb9ead1d8b...81.exe

windows7-x64

10

fb9ead1d8b...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    166s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb9ead1d8b0d7e26264e73d190c190bec35b3e31ebf74bee17c84514c29a3a81.exe

  • Size

    162KB

  • MD5

    f6710a928e7c123887bf5716b6ce3d72

  • SHA1

    78ff43711800f8b55c90053ee469f317d5456855

  • SHA256

    fb9ead1d8b0d7e26264e73d190c190bec35b3e31ebf74bee17c84514c29a3a81

  • SHA512

    948ca2b3fe6cf09dff33576b748d12812b97d6e85d9ec3b2cab91148c3d38c5fdcef6fcca8d2295d47bc9e19332eec0ec312b675460b5c52143ad40affb07742

  • SSDEEP

    3072:SATjMpxXxgGvYskJLRiuyVisMekmUd0aIjwJczcvuo+wxmiAY/:BTjMpz6qnQ0b7gu1wE

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb9ead1d8b0d7e26264e73d190c190bec35b3e31ebf74bee17c84514c29a3a81.exe
    "C:\Users\Admin\AppData\Local\Temp\fb9ead1d8b0d7e26264e73d190c190bec35b3e31ebf74bee17c84514c29a3a81.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Local\Temp\fb9ead1d8b0d7e26264e73d190c190bec35b3e31ebf74bee17c84514c29a3a81.exe
      "C:\Users\Admin\AppData\Local\Temp\fb9ead1d8b0d7e26264e73d190c190bec35b3e31ebf74bee17c84514c29a3a81.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Sets file execution options in registry
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\NT Kernel\NTKernel.exe
        "C:\Windows\system32\NT Kernel\NTKernel.exe"
        3⤵
        • Executes dropped EXE
        PID:1976

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\NT Kernel\NTKernel.exe
    Filesize

    162KB

    MD5

    f6710a928e7c123887bf5716b6ce3d72

    SHA1

    78ff43711800f8b55c90053ee469f317d5456855

    SHA256

    fb9ead1d8b0d7e26264e73d190c190bec35b3e31ebf74bee17c84514c29a3a81

    SHA512

    948ca2b3fe6cf09dff33576b748d12812b97d6e85d9ec3b2cab91148c3d38c5fdcef6fcca8d2295d47bc9e19332eec0ec312b675460b5c52143ad40affb07742

    Download Submit

  • C:\Windows\SysWOW64\NT Kernel\NTKernel.exe
    Filesize

    162KB

    MD5

    f6710a928e7c123887bf5716b6ce3d72

    SHA1

    78ff43711800f8b55c90053ee469f317d5456855

    SHA256

    fb9ead1d8b0d7e26264e73d190c190bec35b3e31ebf74bee17c84514c29a3a81

    SHA512

    948ca2b3fe6cf09dff33576b748d12812b97d6e85d9ec3b2cab91148c3d38c5fdcef6fcca8d2295d47bc9e19332eec0ec312b675460b5c52143ad40affb07742

    Download Submit

  • \Windows\SysWOW64\NT Kernel\NTKernel.exe
    Filesize

    162KB

    MD5

    f6710a928e7c123887bf5716b6ce3d72

    SHA1

    78ff43711800f8b55c90053ee469f317d5456855

    SHA256

    fb9ead1d8b0d7e26264e73d190c190bec35b3e31ebf74bee17c84514c29a3a81

    SHA512

    948ca2b3fe6cf09dff33576b748d12812b97d6e85d9ec3b2cab91148c3d38c5fdcef6fcca8d2295d47bc9e19332eec0ec312b675460b5c52143ad40affb07742

    Download Submit

  • \Windows\SysWOW64\NT Kernel\NTKernel.exe
    Filesize

    162KB

    MD5

    f6710a928e7c123887bf5716b6ce3d72

    SHA1

    78ff43711800f8b55c90053ee469f317d5456855

    SHA256

    fb9ead1d8b0d7e26264e73d190c190bec35b3e31ebf74bee17c84514c29a3a81

    SHA512

    948ca2b3fe6cf09dff33576b748d12812b97d6e85d9ec3b2cab91148c3d38c5fdcef6fcca8d2295d47bc9e19332eec0ec312b675460b5c52143ad40affb07742

    Download Submit

  • memory/1728-68-0x00000000744F0000-0x0000000074A9B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1728-55-0x00000000744F0000-0x0000000074A9B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1728-56-0x00000000744F0000-0x0000000074A9B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1728-54-0x0000000075591000-0x0000000075593000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1904-60-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1904-65-0x0000000000402000-0x0000000000419600-memory.dmp

    Filesize

    93KB

    Download

  • memory/1904-66-0x0000000000402000-0x0000000000419600-memory.dmp

    Filesize

    93KB

    Download

  • memory/1904-62-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1904-63-0x000000000041952E-mapping.dmp

    Download

  • memory/1904-61-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1904-58-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1904-57-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1904-75-0x00000000744F0000-0x0000000074A9B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1904-77-0x00000000744F0000-0x0000000074A9B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1976-71-0x0000000000000000-mapping.dmp

    Download

  • memory/1976-76-0x00000000744F0000-0x0000000074A9B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1976-78-0x00000000744F0000-0x0000000074A9B000-memory.dmp

    Filesize

    5.7MB

    Download