Analysis

max time kernel: 164s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/11/2022, 14:12
Behavioral task: behavioral1
Sample: ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203.exe
Resource: win7-20220812-en
10 signatures
150 seconds
General

Target: ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203.exe
Size: 690KB
MD5: 75a3b3a00d77c8dd6c223025dfe09723
SHA1: a64b85df7e57ae76b7164d66ed3e5446fdb7a343
SHA256: ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203
SHA512: 595198542fa9df70e200487a40669edcda2ec2f216ddcca286212ef176d37bb91e4e680a3f03af019c7796e64299d0e5f65be2eb109cf66e76d80967b5b3e06a
SSDEEP: 12288:Z9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hGE:jZ1xuVVjfFoynPaVBUR8f+kN10EBN
Malware Config
Signatures

Modifies security service  (2 TTPs, 1 IoCs)
  description      ioc                                                                                          Process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"                            ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203.exe

Disables RegEdit via registry modification  (1 IoCs)
  description      ioc                                                                                                                                          Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"                                                  ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203.exe
Enumerates physical storage devices  (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam  (1 IoCs)
  pid   Process
  4208  ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203.exe
Suspicious use of AdjustPrivilegeToken  (24 IoCs)
  pid 4208, Process ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203.exe, adjusted the following token privileges:
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33  (privilege reported by LUID value only)
  Token: 34  (privilege reported by LUID value only)
  Token: 35  (privilege reported by LUID value only)
  Token: 36  (privilege reported by LUID value only)
Suspicious use of SetWindowsHookEx  (1 IoCs)
  pid   Process
  4208  ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203.exe
Suspicious use of WriteProcessMemory  (22 IoCs)
  description                       pid   Process                                                                procid_target
  PID 4208 wrote to memory of 4932  4208  ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203.exe  79
  (the same entry is recorded 22 times: every write went from PID 4208 into PID 4932)
Processes

1. C:\Users\Admin\AppData\Local\Temp\ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203.exe"
   PID: 4208
   - Modifies security service
   - Windows security bypass
   - Disables RegEdit via registry modification
   - Windows security modification
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\notepad.exe  (child of PID 4208)
      command line: notepad
      PID: 4932
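The registry values in the Signatures section (wscsvc Start = 4, UpdatesDisableNotify = 1, DisableRegistryTools = 1) and the repeated WriteProcessMemory calls from PID 4208 into the SysWOW64 notepad.exe child are the indicators a responder would hunt for on other hosts. The following is an added example of that hunt logic, not code from the sandbox or the report: it normalises registry paths so that the kernel-style \REGISTRY\MACHINE\... form printed above and Sysmon's HKLM/HKU shorthand match the same rule, and it flags process-access events carrying the rights that WriteProcessMemory needs. The event records are constructed in the shape of Sysmon Event ID 13 (RegistryEvent SetValue) and Event ID 10 (ProcessAccess); they are not logs from the sandbox run, and the benign records and their PIDs are invented for contrast.

```python
"""Hunt logic for the registry tampering and cross-process write seen in the report.
Added example; event records below are constructed, not Sysmon output from the sandbox."""
import re

# Image paths taken from the report's process tree.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\ad206e7fc904702cc39366ee348202e3b8bf5c38074f1b2b2bb3485f2d69f203.exe")
NOTEPAD_WOW64 = r"C:\Windows\SysWOW64\notepad.exe"

# Process access rights (winnt.h) that WriteProcessMemory requires on the target handle.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020

# Registry values the sample set, keyed by the canonical form normalize_key() produces.
# Entry: (expected data, explanation).
REGISTRY_RULES = {
    r"hklm\system\currentcontrolset\services\wscsvc\start":
        (4, "Security Center service (wscsvc) set to SERVICE_DISABLED (4)"),
    r"hklm\software\microsoft\security center\updatesdisablenotify":
        (1, "Security Center update notifications suppressed"),
    r"hku\<sid>\software\microsoft\windows\currentversion\policies\system\disableregistrytools":
        (1, "Registry Editor disabled by per-user policy"),
}


def normalize_key(path: str) -> str:
    r"""Map kernel-object paths (\REGISTRY\MACHINE\..., as the report prints them) and
    Sysmon's HKLM/HKU shorthand onto one lower-case form: ControlSet00N becomes
    CurrentControlSet, the WOW6432Node redirection a 32-bit writer lands in on x64 is
    dropped, and the user SID is replaced by <SID> so one rule covers every user hive."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", p, flags=re.I)
    p = re.sub(r"^HKLM\\SYSTEM\\ControlSet\d{3}\\", r"HKLM\\SYSTEM\\CurrentControlSet\\", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)
    p = re.sub(r"^HKU\\S-1-5-21-[\d-]+\\", r"HKU\\<SID>\\", p, flags=re.I)
    return p.lower()


def parse_details(details: str):
    """Sysmon renders DWORDs as 'DWORD (0x00000004)'; the report prints bare "4" / "1".
    Return an int for either form, otherwise the raw string (e.g. a REG_SZ value)."""
    m = re.fullmatch(r"(?:DWORD|QWORD) \((0x[0-9a-f]+)\)", details.strip(), re.I)
    if m:
        return int(m.group(1), 16)
    try:
        return int(details.strip().strip('"'))
    except ValueError:
        return details


def check_registry_set(ev: dict):
    """Match an Event ID 13 record against REGISTRY_RULES; return a finding or None."""
    rule = REGISTRY_RULES.get(normalize_key(ev["TargetObject"]))
    if rule is None:
        return None
    expected, why = rule
    if parse_details(ev["Details"]) != expected:
        return None
    return f"{why}: {ev['TargetObject']} = {ev['Details']} by {ev['Image']} (pid {ev['ProcessId']})"


def check_process_access(ev: dict):
    """Flag an Event ID 10 handle to another process that carries VM_WRITE and VM_OPERATION.
    Debuggers and AV engines open such handles legitimately, so this is a lead, not a verdict."""
    if ev["SourceImage"].lower() == ev["TargetImage"].lower():
        return None
    granted = int(ev["GrantedAccess"], 16)
    if granted & PROCESS_VM_WRITE and granted & PROCESS_VM_OPERATION:
        return (f"cross-process write access: {ev['SourceImage']} (pid {ev['SourceProcessId']}) "
                f"-> {ev['TargetImage']} (pid {ev['TargetProcessId']}), GrantedAccess {ev['GrantedAccess']}")
    return None


def scan(events):
    """Return one finding string per event that matches a rule."""
    handlers = {13: check_registry_set, 10: check_process_access}
    findings = []
    for ev in events:
        handler = handlers.get(ev["EventID"])
        hit = handler(ev) if handler else None
        if hit:
            findings.append(hit)
    return findings


# Constructed events: the first three and the fifth mirror the report's IoCs; the
# explorer.exe and taskmgr.exe records (and their PIDs) are invented benign noise.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SAMPLE_EXE, "ProcessId": 4208,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wscsvc\Start",
     "Details": "DWORD (0x00000004)"},
    {"EventID": 13, "Image": SAMPLE_EXE, "ProcessId": 4208,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify",
     "Details": "1"},  # string data, as the report's "Set value (str)" indicates
    {"EventID": 13, "Image": SAMPLE_EXE, "ProcessId": 4208,
     "TargetObject": r"HKU\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "ProcessId": 1234,  # benign: no rule
     "TargetObject": r"HKU\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 10, "SourceImage": SAMPLE_EXE, "SourceProcessId": 4208,
     "TargetImage": NOTEPAD_WOW64, "TargetProcessId": 4932, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe", "SourceProcessId": 2222,
     "TargetImage": NOTEPAD_WOW64, "TargetProcessId": 4932, "GrantedAccess": "0x1000"},  # query-only
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Two design points worth keeping when adapting this to real telemetry: strip WOW6432Node before matching, because the same policy key is reached by a 32-bit process on x64 (as here, where the child is the SysWOW64 notepad.exe) and by a 64-bit one through different paths; and match the registry rule on both the value name and the data, since a Start value of 2 or 3 on wscsvc is ordinary configuration while 4 is the disabled state the report shows.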