05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 02:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95.exe
Size

572KB
MD5

06da818ab015dec152dd9afc93f856f6
SHA1

e2db98f633bce98a4b4ea20b3eef270870ed4d18
SHA256

05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95
SHA512

bf63b91c1e197b34d15f558224e857ab6cb7d6077e4123ec5866c68d0c2023f16a14f448b65e590d9d3e152a2d3320f20bfc8b1dd51623cfff04361865e3f273
SSDEEP

12288:IRWNcr8oxnNqrrrrrrrrr/O85fxAxEOiZO47kPwTbf/DX:rNBI4rrrrrrrrr/F5fJOKkGbD

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1192	فيديو تبرئ مبارك من المتظاهرين.exe
1924	v.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1936	netsh.exe

Loads dropped DLL 5 IoCs

pid	Process
1696	05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95.exe
1696	05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95.exe
1696	05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95.exe
1696	05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95.exe
1696	05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\f08e9dedb85a19c5a981a4a87c4fb3a6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\v.exe\" .."	v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f08e9dedb85a19c5a981a4a87c4fb3a6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\v.exe\" .."	v.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe
1924	v.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	v.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1192	1696	05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95.exe	27
PID 1696 wrote to memory of 1192	1696	05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95.exe	27
PID 1696 wrote to memory of 1192	1696	05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95.exe	27
PID 1696 wrote to memory of 1192	1696	05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95.exe	27
PID 1192 wrote to memory of 1924	1192	فيديو تبرئ مبارك من المتظاهرين.exe	28
PID 1192 wrote to memory of 1924	1192	فيديو تبرئ مبارك من المتظاهرين.exe	28
PID 1192 wrote to memory of 1924	1192	فيديو تبرئ مبارك من المتظاهرين.exe	28
PID 1924 wrote to memory of 1936	1924	v.exe	29
PID 1924 wrote to memory of 1936	1924	v.exe	29
PID 1924 wrote to memory of 1936	1924	v.exe	29

C:\Users\Admin\AppData\Local\Temp\05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95.exe
"C:\Users\Admin\AppData\Local\Temp\05e38b22fb61a3352b42cf2c00a5c31fe144e1a15eaadaa2d3d52b023a8a3f95.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\فيديو تبرئ مبارك من المتظاهرين.exe
  "C:\Users\Admin\AppData\Local\Temp\فيديو تبرئ مبارك من المتظاهرين.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Users\Admin\AppData\Local\Temp\v.exe
    "C:\Users\Admin\AppData\Local\Temp\v.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\system32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\v.exe" "v.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\v.exe

Filesize
306KB

MD5
a68797f27788ec169fafd496979ad8e9

SHA1
c593e83567c2cd98ba63f572bfc578d5fc511d7a

SHA256
403c4dee64dfb5b848e0a00751a93d29ce4a9c687c71dbc8c4fe4b64d89f2979

SHA512
201e430546be788c3622cfdca23358448317b85f2cddcd56dfe843a6901a8ef4dc59cc72925022d6fe2e790982e7de94cb1c12bf04a9b0d081c14495f76fb09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.exe

Filesize
306KB

MD5
a68797f27788ec169fafd496979ad8e9

SHA1
c593e83567c2cd98ba63f572bfc578d5fc511d7a

SHA256
403c4dee64dfb5b848e0a00751a93d29ce4a9c687c71dbc8c4fe4b64d89f2979

SHA512
201e430546be788c3622cfdca23358448317b85f2cddcd56dfe843a6901a8ef4dc59cc72925022d6fe2e790982e7de94cb1c12bf04a9b0d081c14495f76fb09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\فيديو تبرئ مبارك من المتظاهرين.exe

Filesize
306KB

MD5
a68797f27788ec169fafd496979ad8e9

SHA1
c593e83567c2cd98ba63f572bfc578d5fc511d7a

SHA256
403c4dee64dfb5b848e0a00751a93d29ce4a9c687c71dbc8c4fe4b64d89f2979

SHA512
201e430546be788c3622cfdca23358448317b85f2cddcd56dfe843a6901a8ef4dc59cc72925022d6fe2e790982e7de94cb1c12bf04a9b0d081c14495f76fb09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\فيديو تبرئ مبارك من المتظاهرين.exe

Filesize
306KB

MD5
a68797f27788ec169fafd496979ad8e9

SHA1
c593e83567c2cd98ba63f572bfc578d5fc511d7a

SHA256
403c4dee64dfb5b848e0a00751a93d29ce4a9c687c71dbc8c4fe4b64d89f2979

SHA512
201e430546be788c3622cfdca23358448317b85f2cddcd56dfe843a6901a8ef4dc59cc72925022d6fe2e790982e7de94cb1c12bf04a9b0d081c14495f76fb09e

Download Submit
\Users\Admin\AppData\Local\Temp\فيديو تبرئ مبارك من المتظاهرين.exe

Filesize
306KB

MD5
a68797f27788ec169fafd496979ad8e9

SHA1
c593e83567c2cd98ba63f572bfc578d5fc511d7a

SHA256
403c4dee64dfb5b848e0a00751a93d29ce4a9c687c71dbc8c4fe4b64d89f2979

SHA512
201e430546be788c3622cfdca23358448317b85f2cddcd56dfe843a6901a8ef4dc59cc72925022d6fe2e790982e7de94cb1c12bf04a9b0d081c14495f76fb09e

Download Submit
\Users\Admin\AppData\Local\Temp\فيديو تبرئ مبارك من المتظاهرين.exe

Filesize
306KB

MD5
a68797f27788ec169fafd496979ad8e9

SHA1
c593e83567c2cd98ba63f572bfc578d5fc511d7a

SHA256
403c4dee64dfb5b848e0a00751a93d29ce4a9c687c71dbc8c4fe4b64d89f2979

SHA512
201e430546be788c3622cfdca23358448317b85f2cddcd56dfe843a6901a8ef4dc59cc72925022d6fe2e790982e7de94cb1c12bf04a9b0d081c14495f76fb09e

Download Submit
\Users\Admin\AppData\Local\Temp\فيديو تبرئ مبارك من المتظاهرين.exe

Filesize
306KB

MD5
a68797f27788ec169fafd496979ad8e9

SHA1
c593e83567c2cd98ba63f572bfc578d5fc511d7a

SHA256
403c4dee64dfb5b848e0a00751a93d29ce4a9c687c71dbc8c4fe4b64d89f2979

SHA512
201e430546be788c3622cfdca23358448317b85f2cddcd56dfe843a6901a8ef4dc59cc72925022d6fe2e790982e7de94cb1c12bf04a9b0d081c14495f76fb09e

Download Submit
\Users\Admin\AppData\Local\Temp\فيديو تبرئ مبارك من المتظاهرين.exe

Filesize
306KB

MD5
a68797f27788ec169fafd496979ad8e9

SHA1
c593e83567c2cd98ba63f572bfc578d5fc511d7a

SHA256
403c4dee64dfb5b848e0a00751a93d29ce4a9c687c71dbc8c4fe4b64d89f2979

SHA512
201e430546be788c3622cfdca23358448317b85f2cddcd56dfe843a6901a8ef4dc59cc72925022d6fe2e790982e7de94cb1c12bf04a9b0d081c14495f76fb09e

Download Submit
\Users\Admin\AppData\Local\Temp\فيديو تبرئ مبارك من المتظاهرين.exe

Filesize
306KB

MD5
a68797f27788ec169fafd496979ad8e9

SHA1
c593e83567c2cd98ba63f572bfc578d5fc511d7a

SHA256
403c4dee64dfb5b848e0a00751a93d29ce4a9c687c71dbc8c4fe4b64d89f2979

SHA512
201e430546be788c3622cfdca23358448317b85f2cddcd56dfe843a6901a8ef4dc59cc72925022d6fe2e790982e7de94cb1c12bf04a9b0d081c14495f76fb09e

Download Submit
memory/1192-64-0x000007FEEE160000-0x000007FEEF1F6000-memory.dmp

Filesize
16.6MB

Download
memory/1192-65-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1192-63-0x000007FEF4930000-0x000007FEF5353000-memory.dmp

Filesize
10.1MB

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1924-69-0x000007FEF3F00000-0x000007FEF4923000-memory.dmp

Filesize
10.1MB

Download
memory/1924-70-0x000007FEED0C0000-0x000007FEEE156000-memory.dmp

Filesize
16.6MB

Download
memory/1924-73-0x00000000009C6000-0x00000000009E5000-memory.dmp

Filesize
124KB

Download
memory/1924-74-0x00000000009C6000-0x00000000009E5000-memory.dmp

Filesize
124KB

Download