Analysis
max time kernel: 181s
max time network: 191s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 29-11-2022 07:09
Behavioral task behavioral1
Sample: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
Resource: win7-20221111-en
Behavioral task behavioral2
Sample: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
Resource: win10v2004-20220812-en
Note: the signatures, process tree and memory dumps that follow are from behavioral1 (the Windows 7 x64 run), as the behavioral1/ prefix on the dump names shows; the Windows 10 run is not detailed here.
General
Target: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
Size: 140KB
MD5: 2986b17992a2d9ffad87fd601c685977
SHA1: 01a5a995304b78a44516d608490ddbe95a497e26
SHA256: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489
SHA512: a3d27b739981a4c6981772b7cfbcefef738e6ad2975e826c00cc20e4e3c519ddf5696d945031fb0dcebef5bb54b11b1e7f39961dd292bd2312b5840fc96acff5
SSDEEP: 3072:Hb4s/l8iiDXiYukRy9Vd746gh4Z91gCBzTz4y3/UHj7Nzspl+fX/:HB/l0Xi3uyJ7Mhy9dx3s3fv
Malware Config
Signatures
Sets DLL path for service in the registry    2 TTPs    1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServTestDos\Parameters\ServiceDll = "C:\\Windows\\ServTestDos.dll" | 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
This is the svchost service-DLL persistence pattern: the Parameters\ServiceDll value tells svchost.exe which DLL to load for the ServTestDos service. The path is directly under C:\Windows rather than System32 or SysWOW64, where service DLLs normally live, which is the simplest thing to hunt for on other hosts.
VMProtect-packed file (yara rule vmprotect)    5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/956-54-0x0000000000ED0000-0x0000000000F17000-memory.dmp | vmprotect
behavioral1/memory/956-55-0x0000000000ED0000-0x0000000000F17000-memory.dmp | vmprotect
\??\c:\windows\servtestdos.dll | vmprotect
behavioral1/memory/1732-58-0x00000000745A0000-0x00000000745E7000-memory.dmp | vmprotect
behavioral1/memory/1732-61-0x00000000745A0000-0x00000000745E7000-memory.dmp | vmprotect
Both the sample's own image (PID 956) and the dropped DLL, on disk and as mapped in PID 1732, match the VMProtect rule, so static analysis of either will need unpacking first.
Deletes itself    1 IoCs
Processes:
pid | process
696 | cmd.exe
Drops file in Windows directory    2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\ServTestDos.dll | 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
File opened for modification | C:\Windows\ServTestDos.dll | 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
Enumerates physical storage devices    1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the signature; nothing else in this report (a service DLL install, a self-delete batch file, no file encryption activity) supports a ransomware classification, so treat the "likely ransomware" wording with caution.
Checks processor information in registry    2 TTPs    2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
The only svchost.exe in the process tree is the one started with -k ServTestDos, which loads the dropped DLL, so the ~MHz read is most plausibly made by ServTestDos.dll rather than by svchost.exe itself; the report does not attribute it to a module.
Suspicious use of WriteProcessMemory    4 IoCs
Processes:
description | pid | process | target process
PID 956 wrote to memory of 696 (4 identical events) | 956 | 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe | cmd.exe
All four writes go from the sample into the cmd.exe it spawned. This pattern accompanies ordinary child-process creation as well as injection, and the tree shows that cmd.exe only ran the self-delete batch file, so there is no evidence here of code injection into cmd.exe.
Processes
Process tree (indentation shows parent/child depth):
1. C:\Users\Admin\AppData\Local\Temp\7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe"
   - Sets DLL path for service in the registry
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7119355.bat" "
      - Deletes itself
1. C:\Windows\SysWOW64\svchost.exe
   Command line: C:\Windows\SysWOW64\svchost.exe -k ServTestDos
   - Checks processor information in registry
Notes: cmd.exe and svchost.exe both run from SysWOW64, which indicates a 32-bit sample on the x64 image. svchost.exe -k ServTestDos appears as a top-level process rather than a child of the sample because a service is started by the service control manager, not by the process that registered it. ServTestDos is not a standard svchost service group, so the command line itself is a usable hunting indicator. The contents of 7119355.bat are not shown in this report.
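As an added example (not part of this report and not the sample's own code), the following Python script performs the check a responder would run on a host suspected of the same persistence: it parses a .reg export of the Services key and flags every svchost-hosted service whose ServiceDll is not in System32 or SysWOW64, which is exactly how C:\Windows\ServTestDos.dll above stands out. The .reg file format and the `reg export` command are real; the embedded export is constructed for this example, and only its ServTestDos entries mirror the report (placed under CurrentControlSet, a link to the active ControlSetNNN, which in the sandbox's IoC is ControlSet001). The ImagePath for ServTestDos is assumed from the process tree; the report itself only records the ServiceDll write.

```python
r"""Hunt for svchost-hosted services whose ServiceDll sits outside the Windows
system directories, the persistence seen in this report: ServiceDll under
HKLM\SYSTEM\ControlSet001\services\ServTestDos\Parameters pointing at
C:\Windows\ServTestDos.dll, started as 'svchost.exe -k ServTestDos'.

Input is the text of a .reg export of the Services key, taken on the host with
    reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg /y
The export embedded below is constructed for this example; only the
ServTestDos entries mirror the report's IoCs.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample export: one ordinary svchost service (ServiceDll exported as
# hex(2), i.e. REG_EXPAND_SZ as UTF-16LE bytes with line continuations) and the
# report's ServTestDos service.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  68,00,63,00,70,00,63,00,6f,00,72,00,65,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServTestDos]
"ImagePath"="%SystemRoot%\\SysWOW64\\svchost.exe -k ServTestDos"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServTestDos\Parameters]
"ServiceDll"="C:\\Windows\\ServTestDos.dll"
'''

RegValue = Tuple[str, object]           # (registry type name, decoded value)
SYSTEM_DIRS = ("System32", "SysWOW64")  # where a service DLL normally lives


def _unescape(s: str) -> str:
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse a .reg export into {key_path: {value_name: (type, value)}}.
    Handles REG_SZ, REG_DWORD and hex(2)/hex(7) (REG_EXPAND_SZ / REG_MULTI_SZ)."""
    # A backslash after a comma continues the hex byte list on the next line.
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)
    keys: Dict[str, Dict[str, RegValue]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw = _unescape(m.group(1)), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(raw[1:-1]))
        elif raw.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(raw[len("dword:"):], 16))
        elif raw.startswith(("hex(2):", "hex(7):")):
            data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
            kind = "REG_EXPAND_SZ" if raw.startswith("hex(2)") else "REG_MULTI_SZ"
            keys[current][name] = (kind, data.decode("utf-16-le").rstrip("\x00"))
    return keys


def expand_env(path: str, system_root: str) -> str:
    """Expand %SystemRoot% / %windir% the way the service controller would."""
    return re.sub(r"%(systemroot|windir)%", lambda _m: system_root, path, flags=re.IGNORECASE)


def svchost_group(image_path: str) -> Optional[str]:
    """Return the '-k' group name if the service is hosted by svchost.exe."""
    m = re.search(r"svchost\.exe\s+-k\s+(\S+)", image_path, re.IGNORECASE)
    return m.group(1) if m else None


def find_suspicious_service_dlls(reg_text: str, system_root: str = r"C:\Windows") -> List[dict]:
    r"""One finding per service whose ServiceDll is not directly under
    <system_root>\System32 or <system_root>\SysWOW64."""
    keys = parse_reg(reg_text)
    allowed = {f"{system_root}\\{d}".lower() for d in SYSTEM_DIRS}
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith("\\parameters") or "ServiceDll" not in values:
            continue
        service_key = key[: -len("\\Parameters")]
        dll = expand_env(str(values["ServiceDll"][1]), system_root)
        parent = dll.rsplit("\\", 1)[0].lower() if "\\" in dll else ""
        if parent in allowed:
            continue
        image = str(keys.get(service_key, {}).get("ImagePath", ("", ""))[1])
        findings.append({
            "service": service_key.rsplit("\\", 1)[-1],
            "service_dll": dll,
            "svchost_group": svchost_group(expand_env(image, system_root)),
            "reason": "ServiceDll outside System32/SysWOW64",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_service_dlls(SAMPLE_REG):
        print(f"{f['service']}: {f['service_dll']} (svchost group {f['svchost_group']}) - {f['reason']}")
```

Run against the embedded export it reports only ServTestDos; the Dhcp entry, whose REG_EXPAND_SZ ServiceDll decodes to %SystemRoot%\System32\dhcpcore.dll, passes. On a real host, pair the finding with a check of the svchost group registration under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and the DLL's signature, since a DLL inside System32 can be malicious too; this script only catches the placement mistake this sample made.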
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\7119355.bat
Filesize: 239B
MD5: 472aeb73e8a6ca5cb3886bd96e5505bb
SHA1: e24df0dcf77369cf037036e9954405b275dea12f
SHA256: 7d3c5a2ca963f64d9a98cb22990449b429aa10f2a8a6f511e00336e061eac4c9
SHA512: 5c5437f3feba0e9742415866645429262826ec6c1bf33aae85f2c3f627f3b3c8b51162cf15f9cc4ef52aaf741885d349400c368381932e06982a2b26b595f499

\??\c:\windows\servtestdos.dll
Filesize: 140KB
MD5: b9f33d2f141ca844a452298ffa705431
SHA1: 863c9b23d580813467fe5adbfdabdda62fd10d6b
SHA256: 810db9351dcd3e9b7958d558434fcebb03a1e53d4eed34f2ff495c875d475946
SHA512: c8cc36465b9f323363304ba32bd33e319bdeb9258a40680c2158861ad7ad62c8145504b89cb3eba61f42fb11a95ad632c185a93c101e55a0487d1f8075866adc
The dropped DLL has the same 140KB size as the sample but none of its hashes, so it is not a byte-for-byte copy of the executable; both are flagged by the vmprotect yara rule.

Memory dumps (behavioral1):
memory/696-59-0x0000000000000000-mapping.dmp
memory/956-54-0x0000000000ED0000-0x0000000000F17000-memory.dmp    Filesize: 284KB
memory/956-55-0x0000000000ED0000-0x0000000000F17000-memory.dmp    Filesize: 284KB
memory/956-57-0x0000000075D01000-0x0000000075D03000-memory.dmp    Filesize: 8KB
memory/1732-58-0x00000000745A0000-0x00000000745E7000-memory.dmp    Filesize: 284KB
memory/1732-61-0x00000000745A0000-0x00000000745E7000-memory.dmp    Filesize: 284KB
PID 956 is the sample and PID 696 the cmd.exe it spawned. PID 1732 is not named in the process tree, but its 0x745A0000 region carries the vmprotect match alongside servtestdos.dll, consistent with it being the svchost.exe -k ServTestDos host. The sample's image region in 956 and the DLL region in 1732 have the same 0x47000-byte extent, which is why both dump sizes read 284KB.