Analysis
max time kernel: 150s
max time network: 48s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 06:06
Behavioral task: behavioral1
Sample: 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Resource: win7-20220812-en
General
Target: 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Size: 382KB
MD5: 1ebf9166d9b0e6bc0415f665f7fcd626
SHA1: dd172a3834de7cf3af5d19500559996d3b0ace49
SHA256: 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311
SHA512: 86daa80e18ff3d7a3785f6f89f97c2c664ca32ac4f4a373a3bd311f7cb4b1f0c7ce4312590756cea3db998881a6a78b3147f1ecb78a5cb02bb9836a67380f433
SSDEEP: 6144:8lb6SDOiIN4o2cOMayarS0IjX7n6wXmzbBFXm6d/p:80Siiu2cOMayaZerXXmhFXmyh
Malware Config
Signatures

Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.

Processes:
resource | yara_rule
behavioral1/memory/1028-55-0x0000000000400000-0x00000000004F9000-memory.dmp | upx
behavioral1/memory/1028-59-0x0000000000400000-0x00000000004F9000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes: 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeSecurityPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeTakeOwnershipPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeLoadDriverPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeSystemProfilePrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeSystemtimePrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeProfSingleProcessPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeIncBasePriorityPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeCreatePagefilePrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeBackupPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeRestorePrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeShutdownPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeDebugPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeSystemEnvironmentPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeChangeNotifyPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeRemoteShutdownPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeUndockPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeManageVolumePrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeImpersonatePrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeCreateGlobalPrivilege | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: 33 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: 34 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: 35 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
pid | process
1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe, cmd.exe
description | pid | process | target process
PID 1028 wrote to memory of 1076 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe | cmd.exe
PID 1028 wrote to memory of 1076 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe | cmd.exe
PID 1028 wrote to memory of 1076 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe | cmd.exe
PID 1028 wrote to memory of 1076 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe | cmd.exe
PID 1028 wrote to memory of 1728 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe | iexplore.exe
PID 1028 wrote to memory of 1728 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe | iexplore.exe
PID 1028 wrote to memory of 1728 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe | iexplore.exe
PID 1028 wrote to memory of 1728 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe | iexplore.exe
PID 1028 wrote to memory of 2004 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe | explorer.exe
PID 1028 wrote to memory of 2004 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe | explorer.exe
PID 1028 wrote to memory of 2004 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe | explorer.exe
PID 1028 wrote to memory of 2004 | 1028 | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe | explorer.exe
PID 1076 wrote to memory of 1724 | 1076 | cmd.exe | attrib.exe
PID 1076 wrote to memory of 1724 | 1076 | cmd.exe | attrib.exe
PID 1076 wrote to memory of 1724 | 1076 | cmd.exe | attrib.exe
PID 1076 wrote to memory of 1724 | 1076 | cmd.exe | attrib.exe

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe
          command line: attrib "C:\Users\Admin\AppData\Local\Temp\6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe" +s +h
          - Sets file to hidden
          - Views/modifies file attributes

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

    C:\Windows\explorer.exe
      command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
  Filesize: 119B
  MD5: be05b49f5290e39bea8f5845c8954d2d
  SHA1: 9e10a04d4520b40ecbd4a6baced3637588835215
  SHA256: bddde9bec40e0032ebf4a886a3edf64e35209a88b0f1ab30f080e373aef6630e
  SHA512: e4fcb83393feeb90ea24c30902874002d9de286b3ad1bb8537dbab20a88d1e800cb81a671890b32a834c49e1bf31fb0cc49654ffca7be9061070a8f63e704b71

memory/1028-54-0x0000000075021000-0x0000000075023000-memory.dmp
  Filesize: 8KB

memory/1028-55-0x0000000000400000-0x00000000004F9000-memory.dmp
  Filesize: 996KB

memory/1028-59-0x0000000000400000-0x00000000004F9000-memory.dmp
  Filesize: 996KB

memory/1076-56-0x0000000000000000-mapping.dmp

memory/1724-58-0x0000000000000000-mapping.dmp