Analysis
Max time kernel: 255s
Max time network: 336s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 29-11-2022 18:38
Tasks
- Static task static1
- Behavioral task behavioral1: sample 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe, resource win7-20221111-en (the run reported below; platform and resource in the header match this task)
- Behavioral task behavioral2: sample 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe, resource win10v2004-20220812-en
General
Target: 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe
Size: 43KB
MD5: c494de9e9a77b07ad0ae470b6e68a20e
SHA1: f4ed93992928e2da478ca70d61dc6fc25f6bb6a7
SHA256: 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826
SHA512: ae85cd6f2c87ba4c7b5c63688541dc8b83166f7ba4d86e86908c1e8f6fff749109b0811fcbc9b85c502f6a8c08f758f8634c30aefa1528df6de3d02002925b2d
SSDEEP: 768:9UdNT8uX2d5SogqD0rK9GTW2Es5E1v6HatjHX8qvtG1GlIL19x2N/UT6HCCjPkaW:K6GvUmaxTitj2xHCCrk
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: ssh.exe, PID 1388
- Modifies Windows Firewall (1 TTP, 1 IoC)
  The IoC is the netsh.exe child in the process tree below: ssh.exe (PID 1388) runs
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ssh.exe" "ssh.exe" ENABLE
  using the legacy "netsh firewall" syntax, which adds a Windows Firewall exception for its own image so inbound connections to it are not blocked. The exception is keyed on the full path of the self-copy in %LOCALAPPDATA%\Temp, which is a useful hunting artefact on its own.
- Drops startup file (2 IoCs)
  Process: ssh.exe (PID 1388)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a6bb7bf955d6f8e836accef2364db9c4.exe
  File opened for modification: the same path
  The file name reuses the 32-hex-character token that also serves as the Run value name below, so one token ties the three persistence artefacts together.
- Loads dropped DLL (1 IoC)
  Process: 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe (PID 1940)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: ssh.exe (PID 1388)
  Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\a6bb7bf955d6f8e836accef2364db9c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ssh.exe\" .."
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a6bb7bf955d6f8e836accef2364db9c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ssh.exe\" .."
  Notes: the machine-wide entry lands under Wow6432Node because the writer is a 32-bit process (consistent with the arch:x86 tag and with netsh being launched from SysWOW64). A write to HKLM\SOFTWARE\...\Run only succeeds with administrative rights; without them it fails (or, for a legacy 32-bit process, is redirected by UAC registry virtualization into the user's VirtualStore), in which case only the HKCU entry and the Startup-folder copy persist. Both values point at the copy in %LOCALAPPDATA%\Temp, not at the original file name; the trailing " .." is part of the recorded command line.
- Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That sentence is the engine's generic text for this signature, not a verdict on this sample: nothing else in the trace (no mass file writes, no ransom note, no encryption artefacts) supports ransomware, and drive enumeration is equally consistent with host reconnaissance by a backdoor.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Process: ssh.exe (PID 1388), three occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: ssh.exe (PID 1388) enabled SeDebugPrivilege on its token
- Suspicious use of WriteProcessMemory (8 IoCs)
  Source PID 1940 (73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe) wrote to PID 1388 (ssh.exe): 4 times
  Source PID 1388 (ssh.exe) wrote to PID 1272 (netsh.exe): 4 times
  In both cases the target is a child the writer had just created; no writes into pre-existing or unrelated processes are recorded, so this signature on its own does not indicate injection into another process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe (PID 1940)
   Command line: "C:\Users\Admin\AppData\Local\Temp\73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ssh.exe (PID 1388, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ssh.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 1272, child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ssh.exe" "ssh.exe" ENABLE
         - Modifies Windows Firewall
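The chain above (self-copy to %LOCALAPPDATA%\Temp, Run values in HKCU and HKLM\Wow6432Node, Startup-folder drop, firewall exception via netsh) is the kind of thing a detection engineer would want as host-telemetry rules rather than as a sandbox verdict. The following is an added example, not part of the Tria.ge report or of the sample: Python detection logic run over constructed Sysmon-style events. The event shape (id 1 = process create, 11 = file create, 13 = registry value set; fields pid, ppid, image, cmd, target, details) and the parent PID 1000 are assumptions; the paths, PIDs, registry keys and netsh command line are copied from the report, and a benign Program Files updater is included as a control that must not fire. The rules generalise slightly beyond the trace: the netsh rule also understands the advfirewall syntax, and the startup rule also catches .lnk/.vbs/.js/.bat/.cmd items.

```python
import re
from collections import defaultdict

# Paths and values copied from the sandbox trace above.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\ssh.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a6bb7bf955d6f8e836accef2364db9c4.exe"
HKCU_RUN = r"\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\a6bb7bf955d6f8e836accef2364db9c4"
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a6bb7bf955d6f8e836accef2364db9c4"

# Constructed events in a Sysmon-like shape (assumption: id 1 = process create,
# 11 = file create, 13 = registry value set). PIDs follow the report; the
# parent PID 1000 is invented. The last event is a benign control.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1940, "ppid": 1000, "image": PARENT, "cmd": f'"{PARENT}"'},
    {"id": 11, "pid": 1940, "image": PARENT, "target": DROPPED},
    {"id": 1, "pid": 1388, "ppid": 1940, "image": DROPPED, "cmd": f'"{DROPPED}"'},
    {"id": 11, "pid": 1388, "image": DROPPED, "target": STARTUP},
    {"id": 13, "pid": 1388, "image": DROPPED, "target": HKCU_RUN, "details": f'"{DROPPED}" ..'},
    {"id": 13, "pid": 1388, "image": DROPPED, "target": HKLM_RUN, "details": f'"{DROPPED}" ..'},
    {"id": 1, "pid": 1272, "ppid": 1388, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": f'netsh firewall add allowedprogram "{DROPPED}" "ssh.exe" ENABLE'},
    {"id": 13, "pid": 2200, "image": r"C:\Program Files\Vendor\updater.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\updater.exe" /tray'},
]

# Locations a non-admin user can write to; a persistence entry pointing here is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
STARTUP_ITEM = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|lnk|vbs|js|bat|cmd)$", re.IGNORECASE)
# Legacy "netsh firewall" syntax (as in the trace) and the newer advfirewall form.
NETSH_ALLOW = re.compile(r'\bfirewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
ADVFW_RULE = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram="?([^"\s]+)', re.IGNORECASE)


def image_from_run_value(value):
    """Return the executable path from Run data such as '"C:\\x\\ssh.exe" ..'."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', value)
    return (m.group(1) or m.group(2)) if m else value


def detect(events):
    """Yield (rule, actor_pid). netsh findings are attributed to the process
    that launched netsh, because that process is the one opening the hole."""
    for e in events:
        if e["id"] == 13 and RUN_VALUE.search(e["target"]):
            if USER_WRITABLE.search(image_from_run_value(e["details"])):
                yield "run_key_to_user_writable_path", e["pid"]
        elif e["id"] == 11 and STARTUP_ITEM.search(e["target"]):
            yield "startup_folder_drop", e["pid"]
        elif (e["id"] == 11 and e["target"].lower().endswith(".exe")
              and USER_WRITABLE.search(e["target"]) and USER_WRITABLE.search(e["image"])):
            # An executable in a user-writable path writing another executable there
            # (the self-copy step of this dropper).
            yield "exe_written_to_user_writable_path", e["pid"]
        elif e["id"] == 1 and e["image"].lower().endswith("\\netsh.exe"):
            m = NETSH_ALLOW.search(e["cmd"]) or ADVFW_RULE.search(e["cmd"])
            if m and USER_WRITABLE.search(next(g for g in m.groups() if g)):
                yield "netsh_allow_user_writable_exe", e["ppid"]


def triage(events):
    """Group findings by actor PID; two or more distinct techniques from one PID
    is rated high, which is what separates ssh.exe from the benign updater."""
    hits = defaultdict(set)
    for rule, pid in detect(events):
        hits[pid].add(rule)
    return {pid: {"rules": sorted(r), "severity": "high" if len(r) >= 2 else "low"}
            for pid, r in hits.items()}


if __name__ == "__main__":
    for pid, v in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, v["severity"], ", ".join(v["rules"]))
```

Run as-is it reports PID 1388 as high with all three persistence and firewall rules, PID 1940 as low for the self-copy, and nothing for the Program Files updater. The severity logic is deliberately simple: any single rule has benign matches on a real fleet, but one PID tripping two or more of them within one trace is rare outside of droppers like this one.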
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ssh.exe (the report lists this file three times, once as \Users\Admin\AppData\Local\Temp\ssh.exe without the drive letter; all three entries carry identical hashes)
  Filesize: 43KB
  MD5: c494de9e9a77b07ad0ae470b6e68a20e
  SHA1: f4ed93992928e2da478ca70d61dc6fc25f6bb6a7
  SHA256: 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826
  SHA512: ae85cd6f2c87ba4c7b5c63688541dc8b83166f7ba4d86e86908c1e8f6fff749109b0811fcbc9b85c502f6a8c08f758f8634c30aefa1528df6de3d02002925b2d
  These are exactly the hashes of the submitted sample, so the first stage simply copies itself to %LOCALAPPDATA%\Temp\ssh.exe and runs the copy; the Run values, the Startup-folder file and the firewall exception all reference this copy rather than the original file name. For hunting, the SHA256 above therefore covers both the dropper and the persisted copy, while the file name ssh.exe in a Temp directory is the weaker, path-based indicator.
-
memory/1272-62-0x0000000000000000-mapping.dmp
-
memory/1388-57-0x0000000000000000-mapping.dmp
-
memory/1388-61-0x00000000747E0000-0x0000000074D8B000-memory.dmpFilesize
5.7MB
-
memory/1388-64-0x00000000747E0000-0x0000000074D8B000-memory.dmpFilesize
5.7MB
-
memory/1940-54-0x00000000757C1000-0x00000000757C3000-memory.dmpFilesize
8KB
-
memory/1940-55-0x00000000747E0000-0x0000000074D8B000-memory.dmpFilesize
5.7MB
-
memory/1940-63-0x00000000747E0000-0x0000000074D8B000-memory.dmpFilesize
5.7MB