8398ee25e1f67f866aeac9c0fd8fb22302839b6dbc48163b9778a744ade88ce3

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8398ee25e1f67f866aeac9c0fd8fb22302839b6dbc48163b9778a744ade88ce3.exe
Size

7KB
MD5

84a39cb712de28760fc6a7740f674bd9
SHA1

c152916eb9393c5d946dfc6f324423df39c94bbe
SHA256

8398ee25e1f67f866aeac9c0fd8fb22302839b6dbc48163b9778a744ade88ce3
SHA512

f31d6214e5f7c6ccde67418a9d9130cd8aedafe2bbf84f9bf893452c34495453c72570ef5a93db16582542940cabdea365a46a699d146bf9075f838e0927f0ab
SSDEEP

96:CfpxK68Lh5TOsiBx9wRcE2TYlnlYJnLOL0Kff2W8K0ucuRXmmNFL930zNt:CSxqsiBx9nV2nlYJLOLT8n2pO

Score

8^/10

evasion

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

tmpE1B8.tmp.exe

pid process

900 tmpE1B8.tmp.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

944 netsh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
900	tmpE1B8.tmp.exe

pid	process
944	netsh.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

8398ee25e1f67f866aeac9c0fd8fb22302839b6dbc48163b9778a744ade88ce3.exetmpE1B8.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1452	8398ee25e1f67f866aeac9c0fd8fb22302839b6dbc48163b9778a744ade88ce3.exe
Token: SeDebugPrivilege	900	tmpE1B8.tmp.exe
Token: 33	900	tmpE1B8.tmp.exe
Token: SeIncBasePriorityPrivilege	900	tmpE1B8.tmp.exe
Token: 33	900	tmpE1B8.tmp.exe
Token: SeIncBasePriorityPrivilege	900	tmpE1B8.tmp.exe
Token: 33	900	tmpE1B8.tmp.exe
Token: SeIncBasePriorityPrivilege	900	tmpE1B8.tmp.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8398ee25e1f67f866aeac9c0fd8fb22302839b6dbc48163b9778a744ade88ce3.exetmpE1B8.tmp.exe

description	pid	process	target process
PID 1452 wrote to memory of 900	1452	8398ee25e1f67f866aeac9c0fd8fb22302839b6dbc48163b9778a744ade88ce3.exe	tmpE1B8.tmp.exe
PID 1452 wrote to memory of 900	1452	8398ee25e1f67f866aeac9c0fd8fb22302839b6dbc48163b9778a744ade88ce3.exe	tmpE1B8.tmp.exe
PID 1452 wrote to memory of 900	1452	8398ee25e1f67f866aeac9c0fd8fb22302839b6dbc48163b9778a744ade88ce3.exe	tmpE1B8.tmp.exe
PID 900 wrote to memory of 944	900	tmpE1B8.tmp.exe	netsh.exe
PID 900 wrote to memory of 944	900	tmpE1B8.tmp.exe	netsh.exe
PID 900 wrote to memory of 944	900	tmpE1B8.tmp.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8398ee25e1f67f866aeac9c0fd8fb22302839b6dbc48163b9778a744ade88ce3.exe
"C:\Users\Admin\AppData\Local\Temp\8398ee25e1f67f866aeac9c0fd8fb22302839b6dbc48163b9778a744ade88ce3.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\tmpE1B8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE1B8.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmpE1B8.tmp.exe" "tmpE1B8.tmp.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE1B8.tmp.exe
Filesize
69KB

MD5
f0da38a3904e4f67fdea72f706ea31dc

SHA1
6e48aaee6e81d6eb9cd13c91aa5fde40212b1054

SHA256
2c56d388dc7e23000be01f7d7faf9b917aa0b84c3f9f148e4cdb9c3a8fcf9f5f

SHA512
9d89925168e70014d0029c54ab8ab7bc63729dc25d79a6f4a115dd1643c393b8f3ccb328e7a223eca53c90a49289d8e34ecb5c303f066df3134d89b4e4a99618

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE1B8.tmp.exe
Filesize
69KB

MD5
f0da38a3904e4f67fdea72f706ea31dc

SHA1
6e48aaee6e81d6eb9cd13c91aa5fde40212b1054

SHA256
2c56d388dc7e23000be01f7d7faf9b917aa0b84c3f9f148e4cdb9c3a8fcf9f5f

SHA512
9d89925168e70014d0029c54ab8ab7bc63729dc25d79a6f4a115dd1643c393b8f3ccb328e7a223eca53c90a49289d8e34ecb5c303f066df3134d89b4e4a99618

Download Submit
memory/900-56-0x0000000000000000-mapping.dmp

Download
memory/900-59-0x000007FEF5B00000-0x000007FEF6523000-memory.dmp

Filesize
10.1MB

Download
memory/900-60-0x000007FEF4A60000-0x000007FEF5AF6000-memory.dmp

Filesize
16.6MB

Download
memory/900-63-0x0000000001EC6000-0x0000000001EE5000-memory.dmp

Filesize
124KB

Download
memory/900-64-0x0000000002180000-0x0000000002199000-memory.dmp

Filesize
100KB

Download
memory/900-65-0x0000000001EC6000-0x0000000001EE5000-memory.dmp

Filesize
124KB

Download
memory/944-61-0x0000000000000000-mapping.dmp

Download
memory/1452-54-0x0000000001000000-0x0000000001008000-memory.dmp

Filesize
32KB

Download
memory/1452-55-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download