Analysis
max time kernel: 150s
max time network: 43s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 10/01/2023, 02:36
Static task: static1
Behavioral task: behavioral1
  Sample: c3b3353bebc2d81df44b3ffa94b57599d92ad694.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c3b3353bebc2d81df44b3ffa94b57599d92ad694.exe
  Resource: win10v2004-20221111-en
General
Target: c3b3353bebc2d81df44b3ffa94b57599d92ad694.exe
Size: 339KB
MD5: 8df81fe85eb46567491d0fc8e1f8aff8
SHA1: c3b3353bebc2d81df44b3ffa94b57599d92ad694
SHA256: 7bdf7008dff8fd0c2f09d32c930641e72b00c94864f1bebc1e0336f0353070d9
SHA512: 4ce25bd8efa3d9d9dfcaf7cc9389ee42cb4d44dc01d4836c3c7427144d0dfcb185d4a12dd8cccd97edb0598f4a84ad4a115767b2b43a71ba69c69c79b9ad8fa0
SSDEEP: 6144:uXUXyc1A2i0or/7Oou1c5K6wwt3dfJqhxfmbTziCSZXfu5zp7:uEXZ1vQTnu1cfwaZctmbTz/SZXfu5zp7
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 680 bamtp.exe
Deletes itself (1 IoC)
  pid 1168 cmd.exe
Loads dropped DLL (3 IoCs)
  pid 1168 cmd.exe (x2); pid 680 bamtp.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce, by process c3b3353bebc2d81df44b3ffa94b57599d92ad694.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill (1 IoC)
  pid 1792 taskkill.exe
Runs ping.exe (1 TTP, 1 IoC)
  pid 972 PING.EXE
Suspicious behavior: EnumeratesProcesses (45 IoCs)
  pid 680 bamtp.exe (x45)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 1792 taskkill.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 680 bamtp.exe (x4)
Suspicious use of SendNotifyMessage (4 IoCs)
  pid 680 bamtp.exe (x4)
Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1672 (c3b3353bebc2d81df44b3ffa94b57599d92ad694.exe) wrote to memory of 1168, procid_target 27 (x4)
  PID 1168 (cmd.exe) wrote to memory of 1792, procid_target 29 (x4)
  PID 1168 (cmd.exe) wrote to memory of 972, procid_target 31 (x4)
  PID 1168 (cmd.exe) wrote to memory of 680, procid_target 32 (x4)
Processes
C:\Users\Admin\AppData\Local\Temp\c3b3353bebc2d81df44b3ffa94b57599d92ad694.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3b3353bebc2d81df44b3ffa94b57599d92ad694.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1672
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1672 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\c3b3353bebc2d81df44b3ffa94b57599d92ad694.exe" & start C:\Users\Admin\AppData\Local\bamtp.exe -f
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1168
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /pid 1672
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1792
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 3 127.1
      - Runs ping.exe
      PID: 972
    C:\Users\Admin\AppData\Local\bamtp.exe
      Command line: C:\Users\Admin\AppData\Local\bamtp.exe -f
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 680
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 339KB
MD5: 8df81fe85eb46567491d0fc8e1f8aff8
SHA1: c3b3353bebc2d81df44b3ffa94b57599d92ad694
SHA256: 7bdf7008dff8fd0c2f09d32c930641e72b00c94864f1bebc1e0336f0353070d9
SHA512: 4ce25bd8efa3d9d9dfcaf7cc9389ee42cb4d44dc01d4836c3c7427144d0dfcb185d4a12dd8cccd97edb0598f4a84ad4a115767b2b43a71ba69c69c79b9ad8fa0