Overview

overview

8

Static

static

69577.exe

windows7_x64

8

69577.exe

windows10_x64

8

Analysis

  • max time kernel
    119s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-02-2021 23:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69577.exe

  • Size

    501KB

  • MD5

    a7913461e211158d5ac34ac3bd06bc7b

  • SHA1

    71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b

  • SHA256

    5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13

  • SHA512

    8107feec4426f820d3910e35d6e3c1a1aa85a104231a0529f7fcd825f2dfec10fbf856bc2b37c585a34f5d03b514ece7f54b600add6fb668cda0c7d1a7374e04

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69577.exe
    "C:\Users\Admin\AppData\Local\Temp\69577.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Users\Admin\AppData\Local\Temp\69577.exe
      "{path}"
      2⤵
      • Drops startup file
      • Maps connected drives based on registry
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9092.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9092.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:732
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9092.exe
          "{path}"
          4⤵
          • Executes dropped EXE
          • Drops startup file
          • Loads dropped DLL
          • Maps connected drives based on registry
          • Suspicious use of WriteProcessMemory
          PID:1596
          • C:\Windows\SysWOW64\EhStorAuthn.exe
            "C:\Windows\System32\EhStorAuthn.exe"
            5⤵
            • Loads dropped DLL
            • Adds Run key to start application
            • Maps connected drives based on registry
            • Drops file in System32 directory
            • Checks processor information in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:1328
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Windows\SysWOW64\PING.EXE
          ping localhost -n 3
          4⤵
          • Runs ping.exe
          PID:1264
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
          4⤵
            PID:1468

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    3
    T1082

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
      MD5

      50741b3f2d7debf5d2bed63d88404029

      SHA1

      56210388a627b926162b36967045be06ffb1aad3

      SHA256

      f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

      SHA512

      fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9092.exe
      MD5

      a7913461e211158d5ac34ac3bd06bc7b

      SHA1

      71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b

      SHA256

      5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13

      SHA512

      8107feec4426f820d3910e35d6e3c1a1aa85a104231a0529f7fcd825f2dfec10fbf856bc2b37c585a34f5d03b514ece7f54b600add6fb668cda0c7d1a7374e04

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9092.exe
      MD5

      a7913461e211158d5ac34ac3bd06bc7b

      SHA1

      71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b

      SHA256

      5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13

      SHA512

      8107feec4426f820d3910e35d6e3c1a1aa85a104231a0529f7fcd825f2dfec10fbf856bc2b37c585a34f5d03b514ece7f54b600add6fb668cda0c7d1a7374e04

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9092.exe
      MD5

      a7913461e211158d5ac34ac3bd06bc7b

      SHA1

      71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b

      SHA256

      5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13

      SHA512

      8107feec4426f820d3910e35d6e3c1a1aa85a104231a0529f7fcd825f2dfec10fbf856bc2b37c585a34f5d03b514ece7f54b600add6fb668cda0c7d1a7374e04

      Download Submit
    • C:\Users\Admin\AppData\Roaming\del.bat
      MD5

      44e58a4d0ef4e79fb01c281742b3ff23

      SHA1

      5e1e8891e6b891f06d408b37893cadec2304f21b

      SHA256

      ac90cc2ef58efee7e23e64a06cf9b816ab59bb5dff9a94002ec812a56db6c060

      SHA512

      5ff9430fffc821a7445c32473b57ba727161e292c44f0106204562dfb11ed4aa93902fb5d047889a49c26e3888a95201c3a5e7faa715c01370a00b983eb48fbb

      Download Submit
    • \Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
      MD5

      50741b3f2d7debf5d2bed63d88404029

      SHA1

      56210388a627b926162b36967045be06ffb1aad3

      SHA256

      f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

      SHA512

      fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

      Download Submit
    • \Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
      MD5

      50741b3f2d7debf5d2bed63d88404029

      SHA1

      56210388a627b926162b36967045be06ffb1aad3

      SHA256

      f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

      SHA512

      fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

      Download Submit
    • memory/732-15-0x0000000000000000-mapping.dmp
      Download
    • memory/732-29-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/732-19-0x0000000072910000-0x0000000072FFE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/844-18-0x0000000000000000-mapping.dmp
      Download
    • memory/1264-28-0x0000000000000000-mapping.dmp
      Download
    • memory/1328-38-0x0000000000370000-0x000000000037C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1468-30-0x0000000000000000-mapping.dmp
      Download
    • memory/1596-33-0x00000000004020F8-mapping.dmp
      Download
    • memory/3136-14-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/3136-13-0x00000000004020F8-mapping.dmp
      Download
    • memory/3136-12-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/4692-2-0x0000000073430000-0x0000000073B1E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4692-8-0x0000000005790000-0x0000000005791000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4692-9-0x0000000005970000-0x0000000005971000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4692-7-0x0000000005580000-0x0000000005581000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4692-10-0x0000000005950000-0x0000000005952000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4692-6-0x00000000055B0000-0x00000000055B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4692-5-0x0000000005A10000-0x0000000005A11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4692-11-0x0000000007280000-0x00000000072E1000-memory.dmp
      Filesize

      388KB

      Download
    • memory/4692-3-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
      Filesize

      4KB

      Download