Analysis
- max time kernel: 142s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2022 16:45
Behavioral task: behavioral1
- Sample: 2ae3a0c040d6570d55d82d06f3d31584.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 2ae3a0c040d6570d55d82d06f3d31584.exe
- Resource: win10v2004-20221111-en
General
- Target: 2ae3a0c040d6570d55d82d06f3d31584.exe
- Size: 41KB
- MD5: 2ae3a0c040d6570d55d82d06f3d31584
- SHA1: e69f8b020a5ea66426f00458c535b2f0ce336329
- SHA256: 20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46
- SHA512: d87b5cd1c1e9c5c7c1a188f3abceba227035e1b2a8ceba7861e0d5f415868c21d75db5af9808d396a50c5e13e9a42534bd5630caa6869a3d658a2982db24d48d
- SSDEEP: 768:eOQvBUsvIsEaxV0h/L9/1rsQhLOSyoZV65:eXlAbCGL9/x1OSZZV65
Malware Config
Extracted (xworm)
- PNfnJNqXASy2Le3d
- install_file: USB.exe
- pastebin_url: https://pastebin.com/raw/2L3vs8UY
Signatures
- Executes dropped EXE (1 IoCs)
  pid 1720, process 2ae3a0c040d6570d55d82d06f3d31584.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\2ae3a0c040d6570d55d82d06f3d31584 = "C:\\Users\\Admin\\AppData\\Roaming\\2ae3a0c040d6570d55d82d06f3d31584.exe" (process 2ae3a0c040d6570d55d82d06f3d31584.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1820, process schtasks.exe
- Modifies system certificate store
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 (process 2ae3a0c040d6570d55d82d06f3d31584.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data elided] (process 2ae3a0c040d6570d55d82d06f3d31584.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: pid 704, process 2ae3a0c040d6570d55d82d06f3d31584.exe
  Token SeDebugPrivilege: pid 1720, process 2ae3a0c040d6570d55d82d06f3d31584.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 704 wrote to memory of 1820: pid 704, process 2ae3a0c040d6570d55d82d06f3d31584.exe, procid_target 27
  PID 704 wrote to memory of 1820: pid 704, process 2ae3a0c040d6570d55d82d06f3d31584.exe, procid_target 27
  PID 704 wrote to memory of 1820: pid 704, process 2ae3a0c040d6570d55d82d06f3d31584.exe, procid_target 27
  PID 904 wrote to memory of 1720: pid 904, process taskeng.exe, procid_target 30
  PID 904 wrote to memory of 1720: pid 904, process taskeng.exe, procid_target 30
  PID 904 wrote to memory of 1720: pid 904, process taskeng.exe, procid_target 30
Processes
- C:\Users\Admin\AppData\Local\Temp\2ae3a0c040d6570d55d82d06f3d31584.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ae3a0c040d6570d55d82d06f3d31584.exe"
  PID: 704
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "2ae3a0c040d6570d55d82d06f3d31584" /tr "C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe"
    PID: 1820
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {3062110D-8578-4F94-AA47-807ECEFF9B92} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
  PID: 904
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe
    Command line: C:\Users\Admin\AppData\Roaming\2ae3a0c040d6570d55d82d06f3d31584.exe
    PID: 1720
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 41KB
  MD5: 2ae3a0c040d6570d55d82d06f3d31584
  SHA1: e69f8b020a5ea66426f00458c535b2f0ce336329
  SHA256: 20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46
  SHA512: d87b5cd1c1e9c5c7c1a188f3abceba227035e1b2a8ceba7861e0d5f415868c21d75db5af9808d396a50c5e13e9a42534bd5630caa6869a3d658a2982db24d48d