Analysis
- max time kernel: 150s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 08-05-2021 18:46
Static task: static1
Behavioral task: behavioral1
  Sample: e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe
  Resource: win10v20210410
General
- Target: e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe
- Size: 6.4MB
- MD5: 41253bfee19b9631d3c508621fc9deb6
- SHA1: 045398163ddb346eca0636bc7f9acc58f993c1e9
- SHA256: e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e
- SHA512: 851dc55ffb8263f5bfcad9537fb81c5d4168d2d96bd29f085b785405216b348d99aabee102522dec587a9c70ff1486f67f052c167e0dd39e01be85329466d9c5
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  Processes: e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe, 1systemsmss.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\System64\\1systemsmss.exe, explorer.exe" | e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | 1systemsmss.exe
- Executes dropped EXE (1 IoC)
  Processes: 1systemsmss.exe
  pid | process
  1760 | 1systemsmss.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 1systemsmss.exe, e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | 1systemsmss.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe
- Drops file in Windows directory (1 IoC)
  Processes: 1systemsmss.exe
  description | ioc | process
  File created | C:\Windows\Zont911\Tupe.bat | 1systemsmss.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs .reg file with regedit (1 IoC)
  Processes: regedit.exe
  pid | process
  3200 | regedit.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe, 1systemsmss.exe
  pid | process
  3892 | e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe (entry repeated)
  1760 | 1systemsmss.exe (entry repeated)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe, 1systemsmss.exe
  description | pid | process | target process
  PID 3892 wrote to memory of 1760 | 3892 | e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe | 1systemsmss.exe (entry repeated 3 times)
  PID 1760 wrote to memory of 3200 | 1760 | 1systemsmss.exe | regedit.exe (entry repeated 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe"
   - Modifies WinLogon for persistence
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\System64\1systemsmss.exe
      Command line: "C:\Users\Admin\AppData\Roaming\System64\1systemsmss.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regedit.exe
         Command line: "C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Roaming\Zont911\Regedit.reg"
         - Runs .reg file with regedit
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\System64\1systemsmss.exe
  MD5: 41253bfee19b9631d3c508621fc9deb6
  SHA1: 045398163ddb346eca0636bc7f9acc58f993c1e9
  SHA256: e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e
  SHA512: 851dc55ffb8263f5bfcad9537fb81c5d4168d2d96bd29f085b785405216b348d99aabee102522dec587a9c70ff1486f67f052c167e0dd39e01be85329466d9c5
- C:\Users\Admin\AppData\Roaming\Zont911\Regedit.reg
  MD5: f7fa0118ed5d484dc43be5b3f1fb23a1
  SHA1: dc344a3ed842e1bb0e1c8b6cff9dbc497118619e
  SHA256: 9d0af58f891458994cba9daffaa3508cc643911503ffd2890cdc124f414cf3c1
  SHA512: 44d3e5a7f116e540af4efb328b5d820774f3e9e65dcafb0e54e37b7aff46a872752a1e8c9a42aa0dc389cb036a8f8c3b385562578a47400e3ca313231b8c529b
- memory/1760-115-0x0000000000000000-mapping.dmp
- memory/1760-118-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
  Filesize: 4KB
- memory/3200-119-0x0000000000000000-mapping.dmp
- memory/3892-114-0x0000000002840000-0x0000000002841000-memory.dmp
  Filesize: 4KB