Analysis
- max time kernel: 159s
- max time network: 196s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 27-11-2022 16:15

Static task: static1

Behavioral task: behavioral1
- Sample: 3ee18df08f8af7319afda24f357bc9456da5768ae9f136bdbc41dee242e96b7d.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 3ee18df08f8af7319afda24f357bc9456da5768ae9f136bdbc41dee242e96b7d.exe
- Resource: win10v2004-20220901-en
General
- Target: 3ee18df08f8af7319afda24f357bc9456da5768ae9f136bdbc41dee242e96b7d.exe
- Size: 77KB
- MD5: beded2eb7bd6454c76e1aaa660d9dd54
- SHA1: 613b48bc516415c4b018717e08374c19753617a2
- SHA256: 3ee18df08f8af7319afda24f357bc9456da5768ae9f136bdbc41dee242e96b7d
- SHA512: 5a6480626143db80965eda8e8ec0887fa29485ec9cb855de69e00b80fe989fc0c679dc64577003c39e5a587819da985de26bd9ae49f02b73e6911b55275f6003
- SSDEEP: 1536:49b5lz0XrCjMMNDFpKUjMnh6GQYYSv3YtRFLxsXIPwuz:O5qXrGMMNe9h6GQTSvYBlAuz
Malware Config

Signatures
- Executes dropped EXE (1 IoC)
  Process: up.exe (PID 1892)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Process: up.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93b05534b6844a356153151e33a454aa.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93b05534b6844a356153151e33a454aa.exe
- Loads dropped DLL (1 IoC)
  Process: 3ee18df08f8af7319afda24f357bc9456da5768ae9f136bdbc41dee242e96b7d.exe (PID 884)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: up.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\93b05534b6844a356153151e33a454aa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\up.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\93b05534b6844a356153151e33a454aa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\up.exe\" .."
  Note that the same value name is written under both HKCU and the 32-bit HKLM view, and the same 32-hex-character name is reused for the Startup-folder copy above.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Process: up.exe (PID 1892)
  Token: SeDebugPrivilege (1 occurrence)
  Token: 33 (8 occurrences)
  Token: SeIncBasePriorityPrivilege (8 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 884 (3ee18df08f8af7319afda24f357bc9456da5768ae9f136bdbc41dee242e96b7d.exe) wrote to memory of PID 1892 (up.exe), 4 times
  PID 1892 (up.exe) wrote to memory of PID 1436 (netsh.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\3ee18df08f8af7319afda24f357bc9456da5768ae9f136bdbc41dee242e96b7d.exe (PID 884)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ee18df08f8af7319afda24f357bc9456da5768ae9f136bdbc41dee242e96b7d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\up.exe (PID 1892)
    Command line: "C:\Users\Admin\AppData\Local\Temp\up.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 1436)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\up.exe" "up.exe" ENABLE
      - Modifies Windows Firewall
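The process tree and the Signatures section together describe one actor (up.exe, PID 1892) that installs two persistence mechanisms pointing at a binary in %TEMP% and then spawns netsh to whitelist that same binary in the Windows Firewall. The following detection logic is an added example, not part of the sandbox report: it evaluates Sysmon-style process, registry and file events (the field names are an assumption) against three rules, attributes a netsh hit to the parent that launched it, and escalates severity when one PID trips more than one rule. It also generalizes beyond the legacy `netsh firewall add allowedprogram` form seen here to the `netsh advfirewall firewall add rule ... program=` form. The events are constructed to mirror this report, plus two benign controls that must not fire.

```python
"""Flag user-writable persistence plus firewall tampering in endpoint telemetry.

Added example; event layout is an assumption modelled on Sysmon field names.
"""
import re
from collections import defaultdict

# Directories an unprivileged user can write to. A Run value or firewall
# exception that points here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:)?\\users\\[^\\]+\\appdata\\(?:local\\temp|roaming)\\", re.I)
# HKCU/HKLM Run and RunOnce values, including the Wow6432Node view.
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?\\[^\\]+$", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$", re.I)
# Legacy 'netsh firewall add allowedprogram' (as in the report) and the
# current 'netsh advfirewall firewall add rule' form.
NETSH_ALLOW = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|"
    r"advfirewall\s+firewall\s+add\s+rule)\b", re.I)


def paths_in(text):
    """Quoted strings plus bare program=... arguments, as candidate file paths."""
    found = re.findall(r'"([^"]+)"', text)
    found += re.findall(r'program=([^\s"]+)', text, re.I)
    return found


def evaluate(event):
    """Return the name of the rule this single event trips, or None."""
    kind = event["kind"]
    if kind == "registry" and RUN_KEY.search(event["target"]):
        if any(USER_WRITABLE.search(p) for p in paths_in(event["data"])):
            return "run_key_points_to_user_writable_dir"
    elif kind == "file" and STARTUP_DIR.search(event["target"]):
        if USER_WRITABLE.search(event["image"]):
            return "startup_folder_drop_by_user_writable_image"
    elif kind == "process" and NETSH_ALLOW.search(event["cmdline"]):
        if any(USER_WRITABLE.search(p) for p in paths_in(event["cmdline"])):
            return "netsh_allows_user_writable_program"
    return None


def detect(events):
    """Evaluate every event and attribute hits to the acting process.

    A process-create event is attributed to the parent (the process that ran
    netsh), so the firewall hit lands on the same PID as the persistence hits.
    """
    hits = defaultdict(set)
    for ev in events:
        rule = evaluate(ev)
        if rule is None:
            continue
        actor = ev["parent_pid"] if ev["kind"] == "process" else ev["pid"]
        hits[actor].add(rule)
    return {pid: sorted(rules) for pid, rules in hits.items()}


def severity(rules):
    """One rule alone is medium; persistence plus a firewall exception is high."""
    return "high" if len(rules) >= 2 else "medium"


UP = r"C:\Users\Admin\AppData\Local\Temp\up.exe"
RUN_NAME = "93b05534b6844a356153151e33a454aa"
# Constructed events mirroring the report's process tree and IoCs, followed by
# two benign controls (a vendor updater under Program Files) that must not fire.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 1892, "parent_pid": 884, "image": UP,
     "cmdline": '"' + UP + '"'},
    {"kind": "file", "pid": 1892, "image": UP,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\%s.exe" % RUN_NAME},
    {"kind": "registry", "pid": 1892, "image": UP,
     "target": r"\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\%s" % RUN_NAME,
     "data": '"' + UP + '" ..'},
    {"kind": "registry", "pid": 1892, "image": UP,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
               r"\CurrentVersion\Run\%s" % RUN_NAME,
     "data": '"' + UP + '" ..'},
    {"kind": "process", "pid": 1436, "parent_pid": 1892,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "' + UP + '" "up.exe" ENABLE'},
    {"kind": "registry", "pid": 2000, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"kind": "process", "pid": 2001, "parent_pid": 2000,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Vendor" dir=in '
                r'action=allow program="C:\Program Files\Vendor\app.exe"'},
]

if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {severity(rules)} - {', '.join(rules)}")
```

Run as-is, only PID 1892 is reported, at high severity, with all three rules; the two Program Files controls stay silent. Attributing the netsh event to its parent is what makes the correlation work: in the report the firewall change is executed by PID 1436, but the decision to make it belongs to up.exe.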
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\up.exe (the sandbox records this file three times, twice under this path and once as \Users\Admin\AppData\Local\Temp\up.exe; all three records carry the hashes below)
  Filesize: 77KB
  MD5: beded2eb7bd6454c76e1aaa660d9dd54
  SHA1: 613b48bc516415c4b018717e08374c19753617a2
  SHA256: 3ee18df08f8af7319afda24f357bc9456da5768ae9f136bdbc41dee242e96b7d
  SHA512: 5a6480626143db80965eda8e8ec0887fa29485ec9cb855de69e00b80fe989fc0c679dc64577003c39e5a587819da985de26bd9ae49f02b73e6911b55275f6003
  These hashes are identical to the submitted sample's, so up.exe is a byte-for-byte copy of the original executable written to %TEMP%, not a distinct second-stage payload; the Run keys and Startup-folder entry listed under Signatures relaunch the same binary under a new name.
- memory/884-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp: 8KB
- memory/884-55-0x0000000074AF0000-0x000000007509B000-memory.dmp: 5.7MB
- memory/884-56-0x0000000074AF0000-0x000000007509B000-memory.dmp: 5.7MB
- memory/884-62-0x0000000074AF0000-0x000000007509B000-memory.dmp: 5.7MB
- memory/1436-64-0x0000000000000000-mapping.dmp
- memory/1892-58-0x0000000000000000-mapping.dmp
- memory/1892-63-0x0000000074AF0000-0x000000007509B000-memory.dmp: 5.7MB
- memory/1892-66-0x0000000074AF0000-0x000000007509B000-memory.dmp: 5.7MB