Analysis
Max time kernel: 150s
Max time network: 94s
Platform: windows7_x64
Resource: win7-20220901-en
Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
Submitted: 01-12-2022 20:18
Static task: static1
Behavioral task: behavioral1
  Sample: a2b0531a61ba1928ee484d1e0883979667309903166aa830c1f6719425a92436.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: a2b0531a61ba1928ee484d1e0883979667309903166aa830c1f6719425a92436.exe
  Resource: win10v2004-20220812-en
General
Target: a2b0531a61ba1928ee484d1e0883979667309903166aa830c1f6719425a92436.exe
Size: 847KB
MD5: 22e400a57bb3843a22b7fa495d1838b6
SHA1: 5f193630afa84d30e46ce64d20ab6aedb0cb4660
SHA256: a2b0531a61ba1928ee484d1e0883979667309903166aa830c1f6719425a92436
SHA512: 0a00369fe514d6f5018e3aea1f73f3770dd78b67532fcc412883afb2e5febb4c820e5afed7f82497d9a4f63fb6a434061d290c8f0bff00283274309e48d1878b
SSDEEP: 24576:XlHU6Z3HDApIDkgZqwxVYil8y6Q4XyOifcM:XlzZzAhgpxNiyHAc
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes: msprotection.exe (PID 1036)

Loads dropped DLL (2 IoCs)
  Processes: a2b0531a61ba1928ee484d1e0883979667309903166aa830c1f6719425a92436.exe (PID 1204), 2 events

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: msprotection.exe
  Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security = "C:\\ProgramData\\msprotection.exe"

Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: msprotection.exe
  File opened (read-only), one event per drive letter: \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Process: msprotection.exe
  File opened for modification: \??\PhysicalDrive0

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  Processes: a2b0531a61ba1928ee484d1e0883979667309903166aa830c1f6719425a92436.exe (PID 1204), 1 event; msprotection.exe (PID 1036), 22 events

Suspicious behavior: RenamesItself (1 IoC)
  Processes: a2b0531a61ba1928ee484d1e0883979667309903166aa830c1f6719425a92436.exe (PID 1204)

Suspicious use of FindShellTrayWindow (12 IoCs)
  Processes: msprotection.exe (PID 1036), 12 events

Suspicious use of SendNotifyMessage (12 IoCs)
  Processes: msprotection.exe (PID 1036), 12 events

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: msprotection.exe (PID 1036), 2 events

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1204 (a2b0531a61ba1928ee484d1e0883979667309903166aa830c1f6719425a92436.exe) wrote to memory of PID 1036 (msprotection.exe), 4 events
Processes
1. "C:\Users\Admin\AppData\Local\Temp\a2b0531a61ba1928ee484d1e0883979667309903166aa830c1f6719425a92436.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\msprotection.exe (child of 1)
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\msprotection.exe
  Filesize: 825KB
  MD5: d223093c45d018c56fda06944940dc4f
  SHA1: d586f4f18eed4ae4ef5dc6084b02b68ee04889cd
  SHA256: 09bfb1d21cf9fd028b38a5178d531ee5776674f36f85dd49a22c215c42947780
  SHA512: f5eb187cf2ae196bc7d56a5a0a9a3159057ad1339668dc252835c621a00e340ee4fc759f4241bbf6fec082d90253642b7d9ab4dd2bda4898557cc2bdfe70bdfa
Memory dumps
  memory/1036-58-0x0000000000000000-mapping.dmp
  memory/1036-62-0x0000000000400000-0x0000000000A1B000-memory.dmp (Filesize: 6.1MB)
  memory/1036-64-0x0000000000400000-0x0000000000A1B000-memory.dmp (Filesize: 6.1MB)
  memory/1036-65-0x0000000000400000-0x0000000000A1B000-memory.dmp (Filesize: 6.1MB)
  memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp (Filesize: 8KB)
  memory/1204-55-0x0000000000400000-0x00000000004EC000-memory.dmp (Filesize: 944KB)
  memory/1204-60-0x0000000000400000-0x00000000004EC000-memory.dmp (Filesize: 944KB)