Analysis
- max time kernel: 148s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 27-02-2023 09:20
Behavioral tasks
- behavioral1: sample c4067d965604f4f37a63f298b22cc4d0.exe, resource win7-20230220-en (the run shown on this page)
- behavioral2: sample c4067d965604f4f37a63f298b22cc4d0.exe, resource win10v2004-20230220-en
General
- Target: c4067d965604f4f37a63f298b22cc4d0.exe
- Size: 157KB
- MD5: c4067d965604f4f37a63f298b22cc4d0
- SHA1: 325b70cdf286d63934fe34f51dd6da3a8b672081
- SHA256: 6f2e22d541680c151da164b02f916a3d72da0517b2f052f7356d05e8b374690b
- SHA512: dd7f7c06e2d28c84f901dbe1ee55963342ec60b08fac54e404185b70b0ef10090df797ca72e9adc42d3ba9ed32aa71f344e3f277529c92f43fc82603a5a8e12e
- SSDEEP: 1536:tTP0/lt9ZWAUpysZbALBYoz6M9OvW/CdEB:tTs/lt9rUpysZbAL62OvzdEB
Malware Config
Signatures
- Drops startup file (2 IoCs)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c4067d965604f4f37a63f298b22cc4d0.lnk (process: c4067d965604f4f37a63f298b22cc4d0.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c4067d965604f4f37a63f298b22cc4d0.lnk (process: c4067d965604f4f37a63f298b22cc4d0.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\c4067d965604f4f37a63f298b22cc4d0 = "C:\\Users\\Admin\\AppData\\Roaming\\c4067d965604f4f37a63f298b22cc4d0.exe" (process: c4067d965604f4f37a63f298b22cc4d0.exe)
  The value sits under the user's SID hive (HKCU), so writing it needs no elevation. Note that it points at the copy in %AppData%\Roaming, not at the original in %Temp% that was executed.
- Enumerates physical storage devices (1 TTP)
  The sample queries the connected storage/optical drives. The sandbox labels this as likely ransomware behaviour, but drive enumeration is also routine in loaders and stealers, and nothing else in this report (no mass file modification, no encrypted files, no ransom note among the captured files) supports that label, so treat it as a weak indicator on its own.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 1052: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - PID 1156: powershell.exe
  - PID 268: powershell.exe
  - PID 1016: powershell.exe
  - PID 1408: c4067d965604f4f37a63f298b22cc4d0.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token SeDebugPrivilege: PID 1408 c4067d965604f4f37a63f298b22cc4d0.exe
  - Token SeDebugPrivilege: PID 1156 powershell.exe
  - Token SeDebugPrivilege: PID 268 powershell.exe
  - Token SeDebugPrivilege: PID 1016 powershell.exe
  - Token SeDebugPrivilege: PID 1408 c4067d965604f4f37a63f298b22cc4d0.exe
  The three powershell.exe entries (here and under EnumeratesProcesses) are a side effect of the PowerShell host itself and appear for benign scripts as well; the entries that matter are the two for the sample, PID 1408.
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1408: c4067d965604f4f37a63f298b22cc4d0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Every entry is PID 1408 (c4067d965604f4f37a63f298b22cc4d0.exe) writing into one of its own child processes; the sandbox records three writes per child:
  - 1408 -> 1156 (powershell.exe), procid_target 27, 3 writes
  - 1408 -> 268 (powershell.exe), procid_target 29, 3 writes
  - 1408 -> 1016 (powershell.exe), procid_target 31, 3 writes
  - 1408 -> 1052 (schtasks.exe), procid_target 33, 3 writes
  These coincide with the four process creations in the tree below, and the report shows no write into any unrelated process, so on this evidence it is process creation, not injection.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No IoC is listed for this signature; it is consistent with the schtasks.exe invocation above, which is itself a client of that API.
Processes
- C:\Users\Admin\AppData\Local\Temp\c4067d965604f4f37a63f298b22cc4d0.exe (PID 1408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4067d965604f4f37a63f298b22cc4d0.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1156)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c4067d965604f4f37a63f298b22cc4d0.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 268)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c4067d965604f4f37a63f298b22cc4d0.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1016)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\c4067d965604f4f37a63f298b22cc4d0.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 1052)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "c4067d965604f4f37a63f298b22cc4d0" /tr "C:\Users\Admin\AppData\Roaming\c4067d965604f4f37a63f298b22cc4d0.exe"
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID 1928)
  Command line: taskeng.exe {537F8A49-791D-4B3C-BB2C-2213D26730E2} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]

Reading the tree: the sample first tries to blind Windows Defender with three Add-MpPreference calls (excluding the original file in %Temp%, the process name, and the persisted copy in %AppData%\Roaming), then registers a scheduled task named after its own MD5 that re-launches the %AppData% copy every minute. Add-MpPreference needs an administrative token, and /RL HIGHEST makes the task run with the user's highest available token, so on an admin account it runs elevated without a UAC prompt; the report does not show whether the Defender calls succeeded. taskeng.exe (PID 1928) is the Windows 7 Task Scheduler engine started for the Admin session; it is the host that fires the every-minute task and carries no sandbox signatures of its own.
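The persistence and defence-evasion artefacts above (Run value, Startup shortcut, scheduled task, Defender exclusions, the %AppData% copy) are all things a responder can check for directly on a suspect host. The following script is an added example written for this page; it is not part of the sandbox output and not code from the sample. It assumes a Windows 8 / Server 2012 or newer host, because the ScheduledTasks and Defender cmdlets it uses do not exist on the Windows 7 image this run used (there, schtasks /query /tn and the registry path are the equivalents). The $Name parameter defaults to this sample's MD5-derived name, the -Remove switch and the Add-Finding helper are this example's own additions, and the premise that the same name is reused on the host is an assumption.

```powershell
<#
  Added example (not part of the sandbox report or the sample): check a host
  for the artefacts listed above and, with -Remove, undo them.
  Assumption: Windows 8 / Server 2012 or newer (ScheduledTasks and Defender
  cmdlets). On Windows 7 use schtasks /query and the Run key directly.
#>
param(
    # Name used for the file, task, Run value and shortcut. Assumption: the
    # sample reuses its MD5 as the name on the host being checked.
    [string]$Name = 'c4067d965604f4f37a63f298b22cc4d0',
    [switch]$Remove
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Value) {
    $findings.Add([pscustomobject]@{ Type = $Type; Value = $Value })
}

# 1. Scheduled task created with /tn <Name> /sc minute /mo 1 /RL HIGHEST
$task = Get-ScheduledTask -TaskName $Name -ErrorAction SilentlyContinue
if ($task) {
    $exec = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $exec (RunLevel=$($task.Principal.RunLevel))"
}

# 2. HKCU Run value pointing at the %AppData% copy
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).$Name
if ($runVal) { Add-Finding 'RunKey' "$runKey\$Name = $runVal" }

# 3. Startup-folder shortcut; resolve its target through the WScript.Shell COM object
$lnk = Join-Path ([Environment]::GetFolderPath('Startup')) "$Name.lnk"
if (Test-Path -LiteralPath $lnk) {
    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk).TargetPath
    Add-Finding 'StartupLnk' "$lnk -> $target"
}

# 4. Defender exclusions added with Add-MpPreference (path and process)
$mp = Get-MpPreference -ErrorAction SilentlyContinue
$pathEx = @($mp.ExclusionPath    | Where-Object { $_ -and $_ -like "*$Name*" })
$procEx = @($mp.ExclusionProcess | Where-Object { $_ -and $_ -like "*$Name*" })
$pathEx | ForEach-Object { Add-Finding 'DefenderPathExclusion' $_ }
$procEx | ForEach-Object { Add-Finding 'DefenderProcessExclusion' $_ }

# 5. The persisted copy in %AppData%\Roaming and any running instance of it
$copy = Join-Path $env:APPDATA "$Name.exe"
if (Test-Path -LiteralPath $copy) {
    $sha256 = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
    Add-Finding 'DroppedCopy' "$copy SHA256=$sha256"
}
$procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
$procs | ForEach-Object { Add-Finding 'RunningProcess' "PID $($_.Id) $($_.Path)" }

$findings | Format-Table -AutoSize

if ($Remove -and $findings.Count -gt 0) {
    # Order matters: the task relaunches the copy every minute, so drop the
    # task first, then stop the process, then delete files and exclusions.
    if ($task)   { Unregister-ScheduledTask -TaskName $Name -Confirm:$false }
    $procs | ForEach-Object { Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue }
    if ($runVal) { Remove-ItemProperty -Path $runKey -Name $Name -ErrorAction SilentlyContinue }
    foreach ($f in @($lnk, $copy)) {
        if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force }
    }
    if ($pathEx.Count -gt 0) { Remove-MpPreference -ExclusionPath $pathEx }
    if ($procEx.Count -gt 0) { Remove-MpPreference -ExclusionProcess $procEx }
}
```

Run it from an elevated PowerShell, since reading and removing Defender exclusions and unregistering a /RL HIGHEST task both need an administrative token. For hunting at scale rather than on one host, the Add-MpPreference calls are also visible as configuration-change events (event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log) and as powershell.exe command lines containing Add-MpPreference together with -ExecutionPolicy Bypass, which is the pattern this report shows three times.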
Network
MITRE ATT&CK Enterprise v6
Downloads
The captured files are Windows shell jump-list (CustomDestinations) artefacts, all with the same hash: one file seen under two names. No second-stage payload or dropped binary was captured in this run.
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  - Filesize: 7KB
  - MD5: fedf102969de6012d0a579f1f5e266f9
  - SHA1: 782d75ea4995289386c7a031161b9d845a0393ca
  - SHA256: 1deab7ebbe65bb290758d2682f7493cdfd9f16d96d1099c6332da582f8531831
  - SHA512: 8f288a60219d51682d57612d9d61c825cdb6f2d855b888df4d8d5a928fe670931519137067ecf64ba35f4ad428bf63a30e7165e887f7378610571ecf7a63bc93
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D755IZ9DVY92GGWOSMP8.temp
  - Filesize: 7KB
  - MD5: fedf102969de6012d0a579f1f5e266f9
  - SHA1: 782d75ea4995289386c7a031161b9d845a0393ca
  - SHA256: 1deab7ebbe65bb290758d2682f7493cdfd9f16d96d1099c6332da582f8531831
  - SHA512: 8f288a60219d51682d57612d9d61c825cdb6f2d855b888df4d8d5a928fe670931519137067ecf64ba35f4ad428bf63a30e7165e887f7378610571ecf7a63bc93