Analysis
max time kernel: 70s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 01/12/2022, 17:15
Static task: static1
Behavioral task: behavioral1
Sample: d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe
Resource: win10v2004-20221111-en
General
Target: d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe
Size: 279KB
MD5: 6e0a8f09481a82dbe5d5bc54c03f6817
SHA1: 9c3c7fa3018dc175920689264abdd43b894b787b
SHA256: d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68
SHA512: 4ecfed5dc02524eae7b885f7e4b86578e3579f06b7ee4fe650dd19b54dbf499202e1a216b700ad6559460de7b7c35207816b9d439302420ab7ced1f755581fe6
SSDEEP: 6144:HY/XgvZX4NeCpv8WjKQ5RkuSwfi3JMA7gYUR5KrGyIR:+I4Nhp6Gn+JMM4RcmR
Malware Config
Signatures
Executes dropped EXE  (3 IoCs)
pid   Process
952   svchost.exe
1540  Q1.exe
1452  Q2.exe

Deletes itself  (1 IoC)
pid   Process
896   cmd.exe

Adds Run key to start application  (2 TTPs, 1 IoC)
description      ioc                                                                                                   Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tDev1lServer.exe = "tDev1lServer.exe"  Q1.exe

Drops file in System32 directory  (2 IoCs)
description                   ioc                                   Process
File created                  C:\Windows\system32\tDev1lServer.exe  Q1.exe
File opened for modification  C:\Windows\system32\tDev1lServer.exe  Q1.exe

Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill  (1 IoC)
pid   Process
524   taskkill.exe

Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
pid   Process
1540  Q1.exe

Suspicious use of AdjustPrivilegeToken  (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  524   taskkill.exe

Suspicious use of WriteProcessMemory  (17 IoCs; identical rows collapsed, number of rows in the last column)
description                      pid   Process                                                                 procid_target  rows
PID 1380 wrote to memory of 952  1380  d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe  27             3
PID 1380 wrote to memory of 896  1380  d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe  28             5
PID 896 wrote to memory of 524   896   cmd.exe                                                                30             3
PID 952 wrote to memory of 1540  952   svchost.exe                                                            32             3
PID 952 wrote to memory of 1452  952   svchost.exe                                                            33             3
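The WriteProcessMemory rows above are easier to read as a tree. Every writer here is the parent of the PID it writes to, which is the normal CreateProcess path (the parent writes the new child's process parameters before it starts), so these rows document the spawn chain rather than injection into a foreign process; a write into a PID that is not the writer's own child would be the row worth chasing. The script below is an added example, not part of the sandbox report: it rebuilds the 17 rows exactly as the page lists them (same PIDs, images and repeat counts), parses them with the column layout "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>", and prints the resulting tree. The image names for PIDs that only appear as targets are taken from the other signature rows on the page.

```python
import re
from collections import defaultdict

# The sample's file name as it appears in the report.
SAMPLE = "d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe"

# The 17 "Suspicious use of WriteProcessMemory" rows from the report, joined
# into the single run of text the page shows (3 + 5 + 3 + 3 + 3 rows).
WPM_TEXT = " ".join(
    [f"PID 1380 wrote to memory of 952 1380 {SAMPLE} 27"] * 3
    + [f"PID 1380 wrote to memory of 896 1380 {SAMPLE} 28"] * 5
    + ["PID 896 wrote to memory of 524 896 cmd.exe 30"] * 3
    + ["PID 952 wrote to memory of 1540 952 svchost.exe 32"] * 3
    + ["PID 952 wrote to memory of 1452 952 svchost.exe 33"] * 3
)

# Image names for PIDs that only ever appear as targets, from the
# "Executes dropped EXE", "Deletes itself" and "Kills process" rows.
KNOWN_IMAGES = {952: "svchost.exe", 1540: "Q1.exe", 1452: "Q2.exe",
                896: "cmd.exe", 524: "taskkill.exe"}

# Row layout: "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>".
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_wpm(text):
    """Return (children, names, counts): parent -> ordered child PIDs,
    pid -> image name, and how many rows each parent/child edge produced."""
    children = defaultdict(list)
    names = dict(KNOWN_IMAGES)
    counts = defaultdict(int)
    for writer, target, image, _procid_target in ROW.findall(text):
        writer, target = int(writer), int(target)
        names[writer] = image
        if target not in children[writer]:
            children[writer].append(target)
        counts[(writer, target)] += 1
    return dict(children), names, dict(counts)


def roots(children):
    """PIDs that write to others but are never written to themselves."""
    targets = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in targets)


def render(children, names, counts, pid, depth=0, via=None):
    """Indented tree; each child line carries the row count of its edge."""
    tag = f"  [{counts[(via, pid)]} rows]" if via is not None else ""
    lines = ["  " * depth + f"{pid} {names.get(pid, '?')}{tag}"]
    for kid in children.get(pid, []):
        lines += render(children, names, counts, kid, depth + 1, pid)
    return lines


def process_tree(text=WPM_TEXT):
    children, names, counts = parse_wpm(text)
    return "\n".join(line for r in roots(children)
                     for line in render(children, names, counts, r))


if __name__ == "__main__":
    print(process_tree())
```

The repeat counts (three rows per spawn, five for cmd.exe) are the sandbox logging several write calls during one process creation; collapsing them per edge is what makes the count of distinct children visible.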
Processes
C:\Users\Admin\AppData\Local\Temp\d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe
command line: "C:\Users\Admin\AppData\Local\Temp\d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe"
- Suspicious use of WriteProcessMemory
PID: 1380
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 952
        C:\Users\Admin\AppData\Local\Temp\Q1.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Q1.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        PID: 1540
        C:\Users\Admin\AppData\Local\Temp\Q2.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Q2.exe"
        - Executes dropped EXE
        PID: 1452
    C:\Windows\system32\cmd.exe
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\\mUpdate.bat
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 896
        C:\Windows\system32\taskkill.exe
        command line: TASKKILL /F /T /IM My
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 524
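The process tree shows three behaviours a host-based rule can key on: a binary named svchost.exe executing from the user's Temp directory instead of System32, a Temp-resident process (Q1.exe) setting a Run value whose data is a bare file name that the same process has just dropped into System32, and cmd.exe running a .bat from Temp that spawns taskkill /F (the "Deletes itself" pattern). The detection logic below is an added example, not part of the sandbox report. It runs over constructed Sysmon-style records (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent value set) whose field names follow Sysmon's schema and whose values are transcribed from the tree above; the parent PID 1000 of the sample is an assumption, since the report does not show it.

```python
import ntpath
import re

SAMPLE = "d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
MASQUERADE_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
RUN_KEY = "\\currentversion\\run\\"


def proc(pid, ppid, image, cmdline):
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "CommandLine": cmdline}


SAMPLE_PATH = ntpath.join(TEMP, SAMPLE)
SVCHOST = ntpath.join(TEMP, "svchost.exe")
Q1 = ntpath.join(TEMP, "Q1.exe")
Q2 = ntpath.join(TEMP, "Q2.exe")

# Constructed Sysmon-style events mirroring the report's process tree.
# Parent PID 1000 for the sample itself is an assumption.
EVENTS = [
    proc(1380, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    proc(952, 1380, SVCHOST, f'"{SVCHOST}"'),
    proc(1540, 952, Q1, f'"{Q1}"'),
    {"EventID": 11, "ProcessId": 1540, "Image": Q1,
     "TargetFilename": r"C:\Windows\system32\tDev1lServer.exe"},
    {"EventID": 13, "ProcessId": 1540, "Image": Q1,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tDev1lServer.exe",
     "Details": "tDev1lServer.exe"},
    proc(1452, 952, Q2, f'"{Q2}"'),
    proc(896, 1380, r"C:\Windows\system32\cmd.exe",
         "cmd /c " + TEMP + r"\\mUpdate.bat"),
    proc(524, 896, r"C:\Windows\system32\taskkill.exe", "TASKKILL /F /T /IM My"),
]


def in_temp(path):
    return r"\appdata\local\temp" in path.lower()


def in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def find_masquerades(events):
    """Rule 1: a well-known system binary name launched outside System32/SysWOW64."""
    out = []
    for e in events:
        if e["EventID"] != 1:
            continue
        if ntpath.basename(e["Image"]).lower() in MASQUERADE_NAMES and not in_system_dir(e["Image"]):
            out.append(("masquerade", e["ProcessId"], e["Image"]))
    return out


def find_run_key_persistence(events):
    """Rule 2: a Temp-resident process sets a Run value; note whether the same
    PID also created a file with that name (the System32 drop in the report)."""
    out = []
    creates = {(e["ProcessId"], ntpath.basename(e["TargetFilename"]).lower())
               for e in events if e["EventID"] == 11}
    for e in events:
        if e["EventID"] != 13 or RUN_KEY not in e["TargetObject"].lower() or not in_temp(e["Image"]):
            continue
        value = e["Details"].strip('"')
        dropped = (e["ProcessId"], ntpath.basename(value).lower()) in creates
        detail = f"{e['TargetObject']} = {value}" + (" (same PID dropped that file)" if dropped else "")
        out.append(("run_key_persistence", e["ProcessId"], detail))
    return out


def find_bat_cleanup(events):
    """Rule 3: cmd.exe /c running a .bat from Temp whose child is taskkill /F."""
    out = []
    by_parent = {}
    for e in events:
        if e["EventID"] == 1:
            by_parent.setdefault(e["ParentProcessId"], []).append(e)
    for e in events:
        if e["EventID"] != 1 or ntpath.basename(e["Image"]).lower() != "cmd.exe":
            continue
        cmd = e["CommandLine"].lower()
        if "/c" not in cmd or not re.search(r"\\temp\\.*\.bat", cmd):
            continue
        kids = by_parent.get(e["ProcessId"], [])
        if any(ntpath.basename(k["Image"]).lower() == "taskkill.exe"
               and "/f" in k["CommandLine"].lower() for k in kids):
            out.append(("bat_cleanup", e["ProcessId"], e["CommandLine"]))
    return out


def run_all(events):
    return find_masquerades(events) + find_run_key_persistence(events) + find_bat_cleanup(events)


if __name__ == "__main__":
    for finding in run_all(EVENTS):
        print(*finding, sep="\t")
```

Rule 2 deliberately treats the Run value's data as a bare file name: "tDev1lServer.exe" with no path is resolved through the search path at logon, which is why the drop into System32 matters, and correlating the registry set with the FileCreate from the same PID is what separates this from a legitimate installer writing its own Run entry.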
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 101KB (this entry is listed twice in the report)
MD5: 5f89b2186a30d75382f01deae3fcb50b
SHA1: aa769c71244db023ba88d58f5ca0dd80f5885be5
SHA256: b42aa0159a233c13c7b0a1ef028f2430dc3161be9b58675a69ddb079bdb60fb4
SHA512: fea3d8d5af91f424462ed25cbe7e2c92b5f14b837649fe5d6e2c8717d727ba1cd9a7358c2146a17213118cf8209c45c58cb38d33728e95fc12e3d16ea7568fa3

Filesize: 43KB (this entry is listed twice in the report)
MD5: 8b77c2c0143d83ee6e0f1e039713e7fd
SHA1: 806a3adba6bf775e22bd1a9c0d533f61053a1bcb
SHA256: 3ca4c9df68cd22d87934a1835d2eccbcafc306b06626a812ae26ae3353eaf9fd
SHA512: d893ca27983a82869d1a38e2ff6d667be5096f5229cd72f4fc9e3aedf32f5ecbd8e0d7c08a132024f274a02912dbf91ca5975329f9d8ff7891080b4556fa2341

Filesize: 125B
MD5: e4a13d0ff2d91af41346649fcfcdd95c
SHA1: 307c3714aeac925eed8a8a1a4a08ec4e3c1ec7ec
SHA256: 8fcf29def1748dc8b696e036154d932adbc34237691d739bff405547f664fe1d
SHA512: 1127652d8c69b2e741d68cab8473413098471bc2cb2ce7a9737ef7639017c6fac0f1c646ef821dea391ec78bccd8b6277e7b3c57261dcb7005076bdafdb68c8f

Filesize: 160KB (this entry is listed twice in the report)
MD5: 2a0de66faa401c5610e4089e80679646
SHA1: ba481aca63ff54a45e6fa6046443566bbca9f6c7
SHA256: dcd076ac872aa0bbf01fe235920de6b7178fc2c7aa1bc45a81826d45a5a021ad
SHA512: 4e02fd6d7525e7d5c6a75bd5f797e38814d6572709954edb9783dce46ae05de716c7904ce148a8edef5d36dbc925e9d88f71362db1ba8bfe0712e5e36cb701b0