Analysis
-
max time kernel
48s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
01/12/2022, 18:08
General
-
Target
bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76.exe
-
Size
40KB
-
MD5
7bed7c82efafe6fbbe811b9cdb7ef374
-
SHA1
253e75dd646496c947aea0270ab74110c5445419
-
SHA256
bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76
-
SHA512
669c8c51c76907b2885ddcaa0d1bcb66c8aee493fec7217aa379f2f691b7a58bb745985f9b5debb87ccb15d8d4fd24b8490eebb9cf77f41fbbcaceb58145b1cd
-
SSDEEP
768:SI8KnBLmtqeOQhbq+WVGvbsLHCAQpBryb0A4T+Ko+OA5FRe:2KnheOoa0fryAT
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76.exe"C:\Users\Admin\AppData\Local\Temp\bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Trojan.exe"C:\Users\Admin\AppData\Roaming\Trojan.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Trojan.exe" "Trojan.exe" ENABLE3⤵
- Modifies Windows Firewall
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD57bed7c82efafe6fbbe811b9cdb7ef374
SHA1253e75dd646496c947aea0270ab74110c5445419
SHA256bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76
SHA512669c8c51c76907b2885ddcaa0d1bcb66c8aee493fec7217aa379f2f691b7a58bb745985f9b5debb87ccb15d8d4fd24b8490eebb9cf77f41fbbcaceb58145b1cd
-
Filesize
40KB
MD57bed7c82efafe6fbbe811b9cdb7ef374
SHA1253e75dd646496c947aea0270ab74110c5445419
SHA256bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76
SHA512669c8c51c76907b2885ddcaa0d1bcb66c8aee493fec7217aa379f2f691b7a58bb745985f9b5debb87ccb15d8d4fd24b8490eebb9cf77f41fbbcaceb58145b1cd
-
Filesize
40KB
MD57bed7c82efafe6fbbe811b9cdb7ef374
SHA1253e75dd646496c947aea0270ab74110c5445419
SHA256bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76
SHA512669c8c51c76907b2885ddcaa0d1bcb66c8aee493fec7217aa379f2f691b7a58bb745985f9b5debb87ccb15d8d4fd24b8490eebb9cf77f41fbbcaceb58145b1cd
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
8KB
-
Filesize
5.7MB