4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319

Analysis

max time kernel
140s
max time network
153s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe
Size

415KB
MD5

0f9703b147cf0c8a884019cb1bafe08c
SHA1

633bff3c09940f99de3e4d1421c66d118086f3cf
SHA256

4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319
SHA512

2d259c75729b25b23a3848592477fe64cc2b2bad5c4fc44cd32c43fe064b41ea5e2eba6a80ca1d009426d725d38a836282613e423812572b1e4f6937640350e3
SSDEEP

12288:/36YkiWzQXZ1+La51ID6DQoyazsfyRVOC:sK1kamMwpC

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Server.exewin32.exenetsh.exe

pid process

1520 Server.exe
1108 win32.exe
1740 netsh.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1740 netsh.exe

pid	process
1520	Server.exe
1108	win32.exe
1740	netsh.exe

pid	process
1740	netsh.exe

Drops startup file 2 IoCs

Processes:

win32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45ca55fc1756e880072f0dde4455397b.exe	win32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45ca55fc1756e880072f0dde4455397b.exe	win32.exe

Loads dropped DLL 5 IoCs

Processes:

4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exeServer.exewin32.exe

pid process

1612 4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe
1520 Server.exe
1520 Server.exe
1108 win32.exe
1108 win32.exe

pid	process
1612	4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe
1520	Server.exe
1520	Server.exe
1108	win32.exe
1108	win32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

win32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\45ca55fc1756e880072f0dde4455397b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\win32.exe\" .."	win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\45ca55fc1756e880072f0dde4455397b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\win32.exe\" .."	win32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

win32.exe

pid process

1108 win32.exe
1108 win32.exe

pid	process
1108	win32.exe
1108	win32.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exeServer.exewin32.exe

description	pid	process
Token: 33	1612	4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe
Token: SeIncBasePriorityPrivilege	1612	4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe
Token: 33	1612	4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe
Token: SeIncBasePriorityPrivilege	1612	4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe
Token: 33	1612	4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe
Token: SeIncBasePriorityPrivilege	1612	4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe
Token: 33	1520	Server.exe
Token: SeIncBasePriorityPrivilege	1520	Server.exe
Token: 33	1520	Server.exe
Token: SeIncBasePriorityPrivilege	1520	Server.exe
Token: 33	1520	Server.exe
Token: SeIncBasePriorityPrivilege	1520	Server.exe
Token: 33	1520	Server.exe
Token: SeIncBasePriorityPrivilege	1520	Server.exe
Token: SeDebugPrivilege	1108	win32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exeServer.exewin32.exe

description	pid	process	target process
PID 1612 wrote to memory of 1520	1612	4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe	Server.exe
PID 1612 wrote to memory of 1520	1612	4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe	Server.exe
PID 1612 wrote to memory of 1520	1612	4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe	Server.exe
PID 1612 wrote to memory of 1520	1612	4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe	Server.exe
PID 1520 wrote to memory of 1108	1520	Server.exe	win32.exe
PID 1520 wrote to memory of 1108	1520	Server.exe	win32.exe
PID 1520 wrote to memory of 1108	1520	Server.exe	win32.exe
PID 1520 wrote to memory of 1108	1520	Server.exe	win32.exe
PID 1108 wrote to memory of 1740	1108	win32.exe	netsh.exe
PID 1108 wrote to memory of 1740	1108	win32.exe	netsh.exe
PID 1108 wrote to memory of 1740	1108	win32.exe	netsh.exe
PID 1108 wrote to memory of 1740	1108	win32.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe
"C:\Users\Admin\AppData\Local\Temp\4e6740435de944e3f8135241bd6c76aedd3ab9bacaf75acd11a31fd0ea57b319.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2013.07.23T15.42\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2013.07.23T15.42\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\win32.exe
"C:\Users\Admin\AppData\Local\Temp\win32.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2013.07.23T15.42\Native\STUBEXE\8.0.1112\@SYSTEM@\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\win32.exe" "win32.exe" ENABLE
4⤵
- Executes dropped EXE
- Modifies Windows Firewall
PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2013.07.23T15.42\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\win32.exe
Filesize
17KB

MD5
549cbab3836795de8794995e286e2c72

SHA1
0dd6f92e8de8e9e90ef6e1f5a8c1a2b78cd74146

SHA256
0ce1cfd26b84d318d6c2cd6ca820a2bc69812df992a67ecd5252ce90b391e44a

SHA512
06a1c4a0a3868782337506e59139ee7425ec063f40954fe35cf0ec8c13cdbbf5321e5c717d232f5f834844e36a16d1d14ac57c53acd94319e3785ae6fb3c7962

Download Submit
C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2013.07.23T15.42\Native\STUBEXE\8.0.1112\@SYSTEM@\netsh.exe
Filesize
17KB

MD5
332bcdced27f34b7b32a50f50790e78b

SHA1
c02075a3a621b0103913d92b552f6819d5b13c87

SHA256
1674cfb9bf199211c8e860fada6f5d3a8b08e2ea33c328e0474d449c23a464be

SHA512
610409d2519f9ffaca01ddd8859c6a7c28cf539b1651d2b11be8153b0565e53f5b95512b5a5e09d6394568a2d3e81e1d6e4c525288178778b47d47fb913564b9

Download Submit
C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2013.07.23T15.42\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Server.exe
Filesize
17KB

MD5
549cbab3836795de8794995e286e2c72

SHA1
0dd6f92e8de8e9e90ef6e1f5a8c1a2b78cd74146

SHA256
0ce1cfd26b84d318d6c2cd6ca820a2bc69812df992a67ecd5252ce90b391e44a

SHA512
06a1c4a0a3868782337506e59139ee7425ec063f40954fe35cf0ec8c13cdbbf5321e5c717d232f5f834844e36a16d1d14ac57c53acd94319e3785ae6fb3c7962

Download Submit
\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Temp\win32.exe
Filesize
116KB

MD5
8afc97d20e6a8119edc0da89e996d8ab

SHA1
cf7c78b335c6ab4cf7ab6aa01b24046515fb0cfb

SHA256
69176aa72587c46a8659f1c59a6f1c1d50f4da159c50aa9dc657f4f2c4e65974

SHA512
ccbe413cfdcad76ba9214569b5733a8a6f8f15c205f33b11f441da82047108bcb40210032f684310f709c96a7a19a31f266c13be0712e41f2e445b54daa201e9

Download Submit
\Users\Admin\AppData\Local\Temp\win32.exe
Filesize
116KB

MD5
8afc97d20e6a8119edc0da89e996d8ab

SHA1
cf7c78b335c6ab4cf7ab6aa01b24046515fb0cfb

SHA256
69176aa72587c46a8659f1c59a6f1c1d50f4da159c50aa9dc657f4f2c4e65974

SHA512
ccbe413cfdcad76ba9214569b5733a8a6f8f15c205f33b11f441da82047108bcb40210032f684310f709c96a7a19a31f266c13be0712e41f2e445b54daa201e9

Download Submit
\Users\Admin\AppData\Local\Temp\win32.exe
Filesize
116KB

MD5
8afc97d20e6a8119edc0da89e996d8ab

SHA1
cf7c78b335c6ab4cf7ab6aa01b24046515fb0cfb

SHA256
69176aa72587c46a8659f1c59a6f1c1d50f4da159c50aa9dc657f4f2c4e65974

SHA512
ccbe413cfdcad76ba9214569b5733a8a6f8f15c205f33b11f441da82047108bcb40210032f684310f709c96a7a19a31f266c13be0712e41f2e445b54daa201e9

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2013.07.23T15.42\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\win32.exe
Filesize
17KB

MD5
549cbab3836795de8794995e286e2c72

SHA1
0dd6f92e8de8e9e90ef6e1f5a8c1a2b78cd74146

SHA256
0ce1cfd26b84d318d6c2cd6ca820a2bc69812df992a67ecd5252ce90b391e44a

SHA512
06a1c4a0a3868782337506e59139ee7425ec063f40954fe35cf0ec8c13cdbbf5321e5c717d232f5f834844e36a16d1d14ac57c53acd94319e3785ae6fb3c7962

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2013.07.23T15.42\Native\STUBEXE\8.0.1112\@SYSTEM@\netsh.exe
Filesize
17KB

MD5
332bcdced27f34b7b32a50f50790e78b

SHA1
c02075a3a621b0103913d92b552f6819d5b13c87

SHA256
1674cfb9bf199211c8e860fada6f5d3a8b08e2ea33c328e0474d449c23a464be

SHA512
610409d2519f9ffaca01ddd8859c6a7c28cf539b1651d2b11be8153b0565e53f5b95512b5a5e09d6394568a2d3e81e1d6e4c525288178778b47d47fb913564b9

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2013.07.23T15.42\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Server.exe
Filesize
17KB

MD5
549cbab3836795de8794995e286e2c72

SHA1
0dd6f92e8de8e9e90ef6e1f5a8c1a2b78cd74146

SHA256
0ce1cfd26b84d318d6c2cd6ca820a2bc69812df992a67ecd5252ce90b391e44a

SHA512
06a1c4a0a3868782337506e59139ee7425ec063f40954fe35cf0ec8c13cdbbf5321e5c717d232f5f834844e36a16d1d14ac57c53acd94319e3785ae6fb3c7962

Download Submit
memory/1108-94-0x0000000072F70000-0x000000007351B000-memory.dmp

Filesize
5.7MB

Download
memory/1108-78-0x0000000000430000-0x00000000004A2000-memory.dmp

Filesize
456KB

Download
memory/1108-68-0x0000000000000000-mapping.dmp

Download
memory/1108-97-0x0000000000430000-0x00000000004A2000-memory.dmp

Filesize
456KB

Download
memory/1108-98-0x0000000072F70000-0x000000007351B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1520-70-0x00000000004A0000-0x0000000000512000-memory.dmp

Filesize
456KB

Download
memory/1520-62-0x0000000000000000-mapping.dmp

Download
memory/1520-75-0x00000000004A0000-0x0000000000512000-memory.dmp

Filesize
456KB

Download
memory/1520-77-0x0000000072F70000-0x000000007351B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1612-76-0x0000000000520000-0x0000000000592000-memory.dmp

Filesize
456KB

Download
memory/1612-60-0x0000000000520000-0x0000000000592000-memory.dmp

Filesize
456KB

Download
memory/1612-59-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1612-55-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1612-58-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1612-57-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1612-56-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1740-86-0x0000000001800000-0x000000000181B000-memory.dmp

Filesize
108KB

Download
memory/1740-89-0x0000000001800000-0x000000000181B000-memory.dmp

Filesize
108KB

Download
memory/1740-83-0x0000000001800000-0x000000000181B000-memory.dmp

Filesize
108KB

Download
memory/1740-93-0x0000000001800000-0x000000000181B000-memory.dmp

Filesize
108KB

Download
memory/1740-92-0x0000000001800000-0x000000000181B000-memory.dmp

Filesize
108KB

Download
memory/1740-91-0x0000000001800000-0x000000000181B000-memory.dmp

Filesize
108KB

Download
memory/1740-90-0x0000000001800000-0x000000000181B000-memory.dmp

Filesize
108KB

Download
memory/1740-84-0x0000000001800000-0x000000000181B000-memory.dmp

Filesize
108KB

Download
memory/1740-88-0x0000000001800000-0x000000000181B000-memory.dmp

Filesize
108KB

Download
memory/1740-87-0x0000000001800000-0x000000000181B000-memory.dmp

Filesize
108KB

Download
memory/1740-95-0x00000000002E0000-0x0000000000352000-memory.dmp

Filesize
456KB

Download
memory/1740-96-0x00000000002E0000-0x0000000000352000-memory.dmp

Filesize
456KB

Download
memory/1740-85-0x0000000001800000-0x000000000181B000-memory.dmp

Filesize
108KB

Download
memory/1740-80-0x0000000000000000-mapping.dmp

Download