Analysis

max time kernel    152s
max time network   57s
platform           windows7_x64
resource           win7-20220812-en
resource tags      arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted          30-11-2022 19:14
Static task: static1
Behavioral task: behavioral1
  Sample:   eb09b1428d18d3c19dfe2cd67a39aef3b56f9fdb26c103c1ac324cf6c32a5659.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample:   eb09b1428d18d3c19dfe2cd67a39aef3b56f9fdb26c103c1ac324cf6c32a5659.exe
  Resource: win10v2004-20220812-en
General

Target   eb09b1428d18d3c19dfe2cd67a39aef3b56f9fdb26c103c1ac324cf6c32a5659.exe
Size     1.3MB
MD5      65e4e35648c5e3420042efa9e030baca
SHA1     c1f807321a76dbe893d9f99c20e7934b19208490
SHA256   eb09b1428d18d3c19dfe2cd67a39aef3b56f9fdb26c103c1ac324cf6c32a5659
SHA512   fdfdfc8540af42861f301c1082bc168de264d74edb2897e2771ba011a0fd2b58af1358ece312670dcc1a00dbc78facb9056086225b8b07d0e6be01967b75e42d
SSDEEP   24576:n82orkRP/V1ep7sef8xffmTFOvr6Xiwf/PR8wsF42nSYLS/8WLl9:82o6/q1sef8xfWFOveLf/aFlSYO/3
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  1900  System.exe
  System.exe is the file the sample writes to %TEMP%. Its hashes (see Downloads) are identical to those of the submitted sample, so this is a self-copy rather than a second payload.

Modifies Windows Firewall (1 TTP, 1 IoC)
  The IoC is the netsh.exe child of System.exe shown in the process tree (netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE), which adds a firewall exception for the %TEMP% copy.

Drops startup file (2 IoCs)
  description                   ioc                                                                                                                    process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b95c8175db0a4f1cc45b97312326391.exe   System.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b95c8175db0a4f1cc45b97312326391.exe   System.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                    process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b95c8175db0a4f1cc45b97312326391 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.exe\" .."   System.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b95c8175db0a4f1cc45b97312326391 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.exe\" .."                                System.exe
  The same 32-hex-character name (8b95c8175db0a4f1cc45b97312326391) is used for the Startup-folder file and for both Run values, and both Run command lines pass a trailing ".." argument that the process tree's recorded command line for System.exe does not show; either is a usable hunting pivot. Writing the HKLM value requires administrative rights, so the sample persists per-user and machine-wide when it runs elevated.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The wording "Likely ransomware behaviour" is the sandbox's generic text for this signature; this report records no file-encryption activity, and the remaining signatures describe persistence and a firewall change, so the label should not be read as a ransomware verdict on its own.

Suspicious use of AdjustPrivilegeToken (20 IoCs)
  pid   process                                                                    privilege
  1832  eb09b1428d18d3c19dfe2cd67a39aef3b56f9fdb26c103c1ac324cf6c32a5659.exe   SeDebugPrivilege
  1832  eb09b1428d18d3c19dfe2cd67a39aef3b56f9fdb26c103c1ac324cf6c32a5659.exe   33
  1832  eb09b1428d18d3c19dfe2cd67a39aef3b56f9fdb26c103c1ac324cf6c32a5659.exe   SeIncBasePriorityPrivilege
  1900  System.exe                                                                 SeDebugPrivilege
  1900  System.exe                                                                 33 followed by SeIncBasePriorityPrivilege, the pair repeated 8 times (16 entries)
  "33" is a raw privilege LUID the sandbox did not map to a name; in winnt.h SE_INC_WORKING_SET_PRIVILEGE is 33, i.e. SeIncreaseWorkingSetPrivilege. SeIncBasePriorityPrivilege is the report's abbreviation of SeIncreaseBasePriorityPrivilege. Enabling SeDebugPrivilege is the prerequisite for opening other processes with full access; the report records no such access, only writes into the sample's own children (below).

Suspicious use of WriteProcessMemory (6 IoCs)
  source pid  source process                                                              target pid  target process   count
  1832        eb09b1428d18d3c19dfe2cd67a39aef3b56f9fdb26c103c1ac324cf6c32a5659.exe     1900        System.exe       3
  1900        System.exe                                                                  1108        netsh.exe        3
  Each target is a child the source process itself started, as shown in the process tree; the report records no writes into a pre-existing, unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\eb09b1428d18d3c19dfe2cd67a39aef3b56f9fdb26c103c1ac324cf6c32a5659.exe  (PID 1832)
  command line: "C:\Users\Admin\AppData\Local\Temp\eb09b1428d18d3c19dfe2cd67a39aef3b56f9fdb26c103c1ac324cf6c32a5659.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\System.exe  (PID 1900)
    command line: "C:\Users\Admin\AppData\Local\Temp\System.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\netsh.exe  (PID 1108)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE
      - Modifies Windows Firewall

The chain is: original sample in %TEMP% starts its own copy, System.exe, which installs the Startup-folder file and both Run values and then spawns netsh. "netsh firewall" is the legacy firewall context that predates "netsh advfirewall"; it still executes on Windows 7, the platform of this task. The exception is created for the %TEMP% copy, the same path the Run values launch, so the persistence and the inbound-allow rule refer to one binary and survive a reboot together.
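As an added example that is not part of the sandbox report, the following Python turns the three behaviours recorded above (Run-key and Startup-folder persistence pointing into %TEMP%, and a netsh firewall exception for the same binary) into detection logic run over constructed Sysmon-style events. The paths, SID, value name and netsh command line are taken from this report; the event layout, the rule names, and the benign control rows under Program Files (hypothetical pids 4242 and 4243) are assumptions.

```python
import re
from collections import defaultdict

# --- Constructed Sysmon-style events (not real telemetry) ---------------------
# eid 1 = process creation, 11 = file create, 13 = registry value set.
# The first five rows mirror this report; pids 4242/4243 are hypothetical
# benign rows (a vendor installer under Program Files) used as controls.
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\System.exe"
STARTUP_FILE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                r"\Programs\Startup\8b95c8175db0a4f1cc45b97312326391.exe")
RUN_HKU = (r"HKU\S-1-5-21-3845472200-3839195424-595303356-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")
RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS = [
    {"eid": 1, "pid": 1900, "ppid": 1832, "image": TEMP_EXE,
     "cmdline": f'"{TEMP_EXE}" ..'},
    {"eid": 11, "pid": 1900, "image": TEMP_EXE, "target": STARTUP_FILE},
    {"eid": 13, "pid": 1900, "image": TEMP_EXE,
     "target": RUN_HKU + r"\8b95c8175db0a4f1cc45b97312326391",
     "details": f'"{TEMP_EXE}" ..'},
    {"eid": 13, "pid": 1900, "image": TEMP_EXE,
     "target": RUN_HKLM + r"\8b95c8175db0a4f1cc45b97312326391",
     "details": f'"{TEMP_EXE}" ..'},
    {"eid": 1, "pid": 1108, "ppid": 1900, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{TEMP_EXE}" "System.exe" ENABLE'},
    # Hypothetical benign controls: same actions, but the program lives under
    # Program Files, which an unprivileged user cannot write to.
    {"eid": 13, "pid": 4242, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": RUN_HKLM + r"\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\Updater.exe" /quiet'},
    {"eid": 1, "pid": 4243, "ppid": 4242, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram '
                '"C:\\Program Files\\Vendor\\Updater.exe" "Updater" ENABLE'},
]

# Directories an unprivileged user can write to. A persistence entry or a
# firewall exception pointing here is the signal; Program Files / Windows are not.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Legacy 'netsh firewall' form seen in this report, plus the advfirewall form.
NETSH_LEGACY = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
NETSH_ADV = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)
QUOTED_OR_BARE = re.compile(r'\s*(?:"([^"]+)"|(\S+))')


def _path(m):
    """First non-empty capture of a quoted-or-bare path match."""
    return m.group(1) or m.group(2)


def check_event(ev):
    """Return (rule, path) if the event matches one of the three behaviours, else None."""
    if ev["eid"] == 1:
        for rx in (NETSH_LEGACY, NETSH_ADV):
            m = rx.search(ev["cmdline"])
            if m and USER_WRITABLE.search(_path(m)):
                return ("firewall_exception_user_writable", _path(m))
    elif ev["eid"] == 11:
        if STARTUP_DIR.search(ev["target"]) and USER_WRITABLE.search(ev["image"]):
            return ("startup_folder_drop", ev["target"])
    elif ev["eid"] == 13 and RUN_KEY.search(ev["target"]):
        m = QUOTED_OR_BARE.match(ev["details"])
        if m and USER_WRITABLE.search(_path(m)):
            return ("run_key_user_writable", _path(m))
    return None


def scan(events):
    """Findings attributed to the responsible process: netsh is credited to its parent."""
    findings = []
    for ev in events:
        hit = check_event(ev)
        if hit is None:
            continue
        actor = ev.get("ppid", ev["pid"]) if hit[0].startswith("firewall") else ev["pid"]
        findings.append({"actor": actor, "pid": ev["pid"], "rule": hit[0], "path": hit[1]})
    return findings


def triage(events):
    """Score each actor: two or more distinct behaviours from one process is 'high'."""
    rules = defaultdict(set)
    for f in scan(events):
        rules[f["actor"]].add(f["rule"])
    return {actor: ("high" if len(r) >= 2 else "medium") for actor, r in rules.items()}


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
    print(triage(SAMPLE_EVENTS))
```

Crediting the netsh finding to the parent PID is what lets the three behaviours correlate to one actor (PID 1900 here); matching on the netsh process alone would leave the firewall exception as an isolated medium-severity hit. The user-writable-path test is what keeps the Program Files control rows quiet, since installers legitimately add Run values and firewall exceptions for their own binaries.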
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\System.exe
  Filesize  1.3MB
  MD5       65e4e35648c5e3420042efa9e030baca
  SHA1      c1f807321a76dbe893d9f99c20e7934b19208490
  SHA256    eb09b1428d18d3c19dfe2cd67a39aef3b56f9fdb26c103c1ac324cf6c32a5659
  SHA512    fdfdfc8540af42861f301c1082bc168de264d74edb2897e2771ba011a0fd2b58af1358ece312670dcc1a00dbc78facb9056086225b8b07d0e6be01967b75e42d
  Every hash matches the submitted sample in the General section: System.exe is a byte-for-byte copy of the sample written to %TEMP%, so a hash-based block on the original also covers the dropped file.
memory/1108-61-0x0000000000000000-mapping.dmp
memory/1832-54-0x00000000001D0000-0x0000000000316000-memory.dmp   1.3MB
memory/1832-55-0x000000001B550000-0x000000001B7C0000-memory.dmp   2.4MB
memory/1832-56-0x000007FEFC341000-0x000007FEFC343000-memory.dmp   8KB
memory/1900-57-0x0000000000000000-mapping.dmp
memory/1900-60-0x0000000000A10000-0x0000000000B56000-memory.dmp   1.3MB

The two 1.3MB regions (0x1D0000-0x316000 in PID 1832 and 0xA10000-0xB56000 in PID 1900) are both 0x146000 bytes, matching the 1.3MB sample, in the original process and in the System.exe copy respectively.