Resubmissions
- 11-05-2021 21:52  210511-d1gjxrbxre  score 10
- 11-05-2021 21:20  210511-nvkedg2xh6  score 8
- 11-05-2021 14:03  210511-emk98mhhbs  score 10
- 11-05-2021 13:57  210511-dcgsj13j72  score 8
Analysis
- max time kernel: 55s
- max time network: 17s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-05-2021 13:57
Static task: static1
Behavioral task behavioral1: sample InjCht.exe, resource win10v20210410
Behavioral task behavioral2: sample InjCht.exe, resource win10v20210408
Behavioral task behavioral3: sample InjCht.exe, resource win10v20210410
General
- Target: InjCht.exe
- Size: 6.4MB
- MD5: bd2068cfbffbe0eeb388f40ba17724d2
- SHA1: f8200558ef6bbf31474023d913642fed52b97e2f
- SHA256: 0204588ca4e01c306d247a6dfc7ec1e3a29014e08d2ee0ce73d756ebbc429b6b
- SHA512: 7a2e59c0bcd170636da3cc069cb6bb0fcf788dbe6d91ab48a70c10f7b0b950df737ecae1cc8d00cd6feb6f3d8a1c160dfe9ede6a73dfc8d47a9aa532bf46fae0
Malware Config
Signatures
- Creates new service(s)  1 TTPs
- Executes dropped EXE  1 IoCs
  PID   Process
  1228  drvmngr.exe
- Stops running service(s)  3 TTPs
- Loads dropped DLL  11 IoCs
  PID   Process
  1832  InjCht.exe  (11 entries)
- Drops file in Windows directory  4 IoCs
  Description                   IoC                        Process
  File opened for modification  C:\Windows\parameters.ini  drvmngr.exe
  File created                  C:\Windows\gpu_name.txt    cmd.exe
  File created                  C:\Windows\parameters.ini  InjCht.exe
  File created                  C:\Windows\drvmngr.exe     InjCht.exe
- Launches sc.exe
  sc.exe is the Windows command-line utility for controlling services on the system.
- Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS  1 IoCs
  Description  IoC                                                                                          Process
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  WMIC.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses  64 IoCs
  PID   Process
  1832  InjCht.exe   (8 entries)
  1228  drvmngr.exe  (56 entries)
- Suspicious use of AdjustPrivilegeToken  25 IoCs
  Token                          PID   Process
  SeDebugPrivilege               1228  drvmngr.exe
  SeAssignPrimaryTokenPrivilege  2808  WMIC.exe
  SeIncreaseQuotaPrivilege       2808  WMIC.exe
  SeSecurityPrivilege            2808  WMIC.exe
  SeTakeOwnershipPrivilege       2808  WMIC.exe
  SeLoadDriverPrivilege          2808  WMIC.exe
  SeSystemtimePrivilege          2808  WMIC.exe
  SeBackupPrivilege              2808  WMIC.exe
  SeRestorePrivilege             2808  WMIC.exe
  SeShutdownPrivilege            2808  WMIC.exe
  SeSystemEnvironmentPrivilege   2808  WMIC.exe
  SeUndockPrivilege              2808  WMIC.exe
  SeManageVolumePrivilege        2808  WMIC.exe
  (each of the twelve WMIC.exe entries is recorded twice)
- Suspicious use of SetWindowsHookEx  1 IoCs
  PID   Process
  1228  drvmngr.exe
- Suspicious use of WriteProcessMemory  42 IoCs
  PID   Process      Target PID  Target process
  1832  InjCht.exe   1348        cmd.exe
  1348  cmd.exe      1664        net.exe
  1664  net.exe      1824        net1.exe
  1832  InjCht.exe   2672        cmd.exe
  2672  cmd.exe      2224        sc.exe
  1832  InjCht.exe   3820        cmd.exe
  3820  cmd.exe      3976        sc.exe
  1832  InjCht.exe   1172        cmd.exe
  1172  cmd.exe      3724        sc.exe
  1832  InjCht.exe   2152        cmd.exe
  2152  cmd.exe      3228        net.exe
  3228  net.exe      2332        net1.exe
  1228  drvmngr.exe  2744        cmd.exe
  2744  cmd.exe      2808        WMIC.exe
  (each of the fourteen parent-to-child writes is recorded three times)
Processes
(image path, then command line; indentation shows parent/child; PIDs taken from the WriteProcessMemory signature above)
- C:\Users\Admin\AppData\Local\Temp\InjCht.exe  (PID 1832)
  command: "C:\Users\Admin\AppData\Local\Temp\InjCht.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (PID 1348)
    command: C:\Windows\system32\cmd.exe /C net stop DriverService
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe  (PID 1664)
      command: net stop DriverService
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe  (PID 1824)
        command: C:\Windows\system32\net1 stop DriverService
  - C:\Windows\SysWOW64\cmd.exe  (PID 2672)
    command: C:\Windows\system32\cmd.exe /C Sc delete DriverService
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe  (PID 2224)
      command: Sc delete DriverService
  - C:\Windows\SysWOW64\cmd.exe  (PID 3820)
    command: C:\Windows\system32\cmd.exe /C Sc create DriverService binpath= C:\Windows\drvmngr.exe start= auto DisplayName= DriversService
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe  (PID 3976)
      command: Sc create DriverService binpath= C:\Windows\drvmngr.exe start= auto DisplayName= DriversService
  - C:\Windows\SysWOW64\cmd.exe  (PID 1172)
    command: C:\Windows\system32\cmd.exe /C sc description DriverService ServiceManagerForDriver
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe  (PID 3724)
      command: sc description DriverService ServiceManagerForDriver
  - C:\Windows\SysWOW64\cmd.exe  (PID 2152)
    command: C:\Windows\system32\cmd.exe /C net start DriverService
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe  (PID 3228)
      command: net start DriverService
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe  (PID 2332)
        command: C:\Windows\system32\net1 start DriverService
- C:\Windows\drvmngr.exe  (PID 1228)
  command: C:\Windows\drvmngr.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (PID 2744)
    command: cmd /c wmic path win32_VideoController get name > C:\Windows\gpu_name.txt
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 2808)
      command: wmic path win32_VideoController get name
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
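The tree above is the classic installer-to-service persistence chain: the NSIS-packed sample (nsExec.dll and nsProcess.dll under nshDB2.tmp are stock NSIS plugins) drops drvmngr.exe into C:\Windows, tears down any earlier DriverService, registers the dropped file as an auto-start service through sc.exe, and starts it with net.exe. drvmngr.exe then appears as a separate tree root because the Service Control Manager launches it, not InjCht.exe, and its first action is GPU reconnaissance through wmic redirected into C:\Windows\gpu_name.txt. The cmd.exe image paths read SysWOW64 while the command lines say system32 because the 32-bit installer is subject to WoW64 file-system redirection. The detector below is an added example, not code from the sandbox or from the sample: it takes (pid, ppid, image, command line) process-creation events, the fields Sysmon Event ID 1 or an EDR process log provides, reconstructs each process's root ancestor, and raises two findings: a binary living in a user-writable directory that creates and starts a service whose binpath lies outside the trusted binary directories, and that service binary later running as an SCM-launched root whose children redirect command output into C:\Windows. The sample events are constructed from the process tree; the two parent PIDs the report does not show (4000 for the shell that ran the sample, 700 for services.exe) are assumed.

```python
# Added example (not sandbox or sample code): flag the service-install chain in the
# report above from (pid, ppid, image, command_line) process-creation events.
import re

CMD = r"C:\Windows\SysWOW64\cmd.exe"
SC = r"C:\Windows\SysWOW64\sc.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"

# Constructed from the report's process tree; parent PIDs 4000 (the shell that ran
# the sample) and 700 (services.exe) are assumed, the report does not show them.
SAMPLE_EVENTS = [
    (1832, 4000, r"C:\Users\Admin\AppData\Local\Temp\InjCht.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\InjCht.exe"'),
    (1348, 1832, CMD, r"C:\Windows\system32\cmd.exe /C net stop DriverService"),
    (1664, 1348, NET, "net stop DriverService"),
    (1824, 1664, NET1, r"C:\Windows\system32\net1 stop DriverService"),
    (2672, 1832, CMD, r"C:\Windows\system32\cmd.exe /C Sc delete DriverService"),
    (2224, 2672, SC, "Sc delete DriverService"),
    (3820, 1832, CMD, r"C:\Windows\system32\cmd.exe /C Sc create DriverService "
     r"binpath= C:\Windows\drvmngr.exe start= auto DisplayName= DriversService"),
    (3976, 3820, SC, r"Sc create DriverService binpath= C:\Windows\drvmngr.exe "
     r"start= auto DisplayName= DriversService"),
    (1172, 1832, CMD, r"C:\Windows\system32\cmd.exe /C sc description DriverService ServiceManagerForDriver"),
    (3724, 1172, SC, "sc description DriverService ServiceManagerForDriver"),
    (2152, 1832, CMD, r"C:\Windows\system32\cmd.exe /C net start DriverService"),
    (3228, 2152, NET, "net start DriverService"),
    (2332, 3228, NET1, r"C:\Windows\system32\net1 start DriverService"),
    (1228, 700, r"C:\Windows\drvmngr.exe", r"C:\Windows\drvmngr.exe"),
    (2744, 1228, CMD, r"cmd /c wmic path win32_VideoController get name > C:\Windows\gpu_name.txt"),
    (2808, 2744, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic path win32_VideoController get name"),
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\", "\\public\\")
TRUSTED_BIN_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
# sc.exe wants a space after '=' ('binpath= C:\x'); quoted paths are allowed as well.
SC_CREATE = re.compile(r"\bcreate\s+(\S+).*?\bbinpath=\s*(?:\"([^\"]+)\"|(\S+))", re.I)
SC_VERB = re.compile(r"\b(delete|description|start|stop)\s+(\S+)", re.I)
NET_VERB = re.compile(r"\bnet(?:\.exe)?\s+(start|stop)\s+(\S+)", re.I)
REDIRECT = re.compile(r">\s*(?:\"([^\"]+)\"|(\S+))")


def analyse(events):
    image = {pid: img for pid, _, img, _ in events}
    parent = {pid: ppid for pid, ppid, _, _ in events}

    def root_of(pid):  # climb until the parent lies outside the captured events
        while parent.get(pid) in image:
            pid = parent[pid]
        return pid

    chains = {}  # (root ancestor, service) -> steps seen and the binpath registered

    def chain(pid, name):
        return chains.setdefault((root_of(pid), name.lower()),
                                 {"name": name, "steps": set(), "binpath": None})

    for pid, _, img, cl in events:
        exe = img.rsplit("\\", 1)[-1].lower()
        if exe == "sc.exe":
            if m := SC_CREATE.search(cl):
                rec = chain(pid, m.group(1))
                rec["steps"].add("sc create")
                rec["binpath"] = m.group(2) or m.group(3)
            elif m := SC_VERB.search(cl):
                chain(pid, m.group(2))["steps"].add("sc " + m.group(1).lower())
        elif exe == "net.exe" and (m := NET_VERB.search(cl)):  # net1.exe is net's helper; skip it
            chain(pid, m.group(2))["steps"].add("net " + m.group(1).lower())

    findings = []
    # Rule 1: a binary in a user-writable directory registers and starts a service whose
    # binpath is outside the trusted binary directories.
    for (root, _), rec in chains.items():
        bp = rec["binpath"]
        if bp is None:
            continue
        from_user_dir = any(t in image[root].lower() for t in USER_WRITABLE)
        outside_trusted = not bp.lower().startswith(TRUSTED_BIN_DIRS)
        if from_user_dir and outside_trusted and rec["steps"] & {"net start", "sc start"}:
            findings.append({"rule": "service_install_chain", "installer_pid": root,
                             "installer": image[root], "service": rec["name"],
                             "binpath": bp, "steps": sorted(rec["steps"])})
    # Rule 2: the registered binary later runs as a tree root (started by the SCM, not by
    # the installer) and a descendant redirects command output into C:\Windows.
    service_bins = {rec["binpath"].lower() for rec in chains.values() if rec["binpath"]}
    for pid, _, img, _ in events:
        if img.lower() not in service_bins or root_of(pid) != pid:
            continue
        for child, _, _, cl in events:
            m = REDIRECT.search(cl) if child != pid and root_of(child) == pid else None
            target = m and (m.group(1) or m.group(2))
            if target and target.lower().startswith("c:\\windows\\"):
                findings.append({"rule": "service_binary_writes_windows_dir",
                                 "service_pid": pid, "service_binary": img, "child_pid": child,
                                 "output_file": target, "command": cl})
    return findings
```

analyse(SAMPLE_EVENTS) returns two findings: the install chain rooted at PID 1832 (service DriverService, binpath C:\Windows\drvmngr.exe, steps net stop, sc delete, sc create, sc description, net start) and the SCM-launched drvmngr.exe (PID 1228) whose child cmd.exe (PID 2744) writes C:\Windows\gpu_name.txt. Grouping by root ancestor rather than by direct parent is what makes the rule robust to the cmd.exe and net1.exe hops in between; a vendor installer running from Program Files that registers a binary under System32 produces no finding, which is the false-positive case to keep in mind when tuning USER_WRITABLE and TRUSTED_BIN_DIRS for a real estate.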
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\drvmngr.exe
  MD5: 029ea8bea38c49c59fc0ee2be5e82e18
  SHA1: 64e3cacb07ab01579fa2697460417bcac70bcbf3
  SHA256: 3e3dbcb1f2dbd39f66cffa8fcf461c44b04b01783cdf2d5e3618e3c467743ee9
  SHA512: 8ed8b4c9f71b65a4f095485a34fe314dbfce3c7929d913cc10578f9971fae5d57182fadcda2d3a7dc0b75a7ff62fbcf67f00320e736c810cbddc56170e5fb56a
-
C:\Windows\parameters.ini
  MD5: 7a99d07a5ecc6a7358fb34b13c7fecd5
  SHA1: b1954987bffde4a8a844b3b16a421ebaf2673838
  SHA256: 4710c22494cbe7629cf1064f7a8beb9028556b7b2f611a7f968a6b968cd5f286
  SHA512: d1aeae80ab519991e8a5b9882c6b10b04aeba2e3c037d4822c8a4ceee735ae1e3118b0e9cd74c129f147fe7ac15a61511dfdbb527e69c4c41dd8527a836286de
-
\Users\Admin\AppData\Local\Temp\nshDB2.tmp\nsExec.dll
  MD5: b5a1f9dc73e2944a388a61411bdd8c70
  SHA1: dc9b20df3f3810c2e81a0c54dea385704ba8bef7
  SHA256: 288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884
  SHA512: b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8
-
\Users\Admin\AppData\Local\Temp\nshDB2.tmp\nsProcess.dll
  MD5: 05450face243b3a7472407b999b03a72
  SHA1: ffd88af2e338ae606c444390f7eaaf5f4aef2cd9
  SHA256: 95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89
  SHA512: f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b
-
memory/1172-130-0x0000000000000000-mapping.dmp
memory/1228-141-0x00000000014F0000-0x00000000014F1000-memory.dmp  4KB
memory/1228-145-0x0000000001940000-0x0000000001941000-memory.dmp  4KB
memory/1228-148-0x0000000001950000-0x0000000001951000-memory.dmp  4KB
memory/1228-146-0x0000000000400000-0x0000000001280000-memory.dmp  14.5MB
memory/1228-142-0x0000000001910000-0x0000000001911000-memory.dmp  4KB
memory/1228-143-0x0000000001920000-0x0000000001921000-memory.dmp  4KB
memory/1228-144-0x0000000001930000-0x0000000001931000-memory.dmp  4KB
memory/1228-140-0x00000000014E0000-0x00000000014E1000-memory.dmp  4KB
memory/1228-139-0x00000000001E0000-0x00000000001E1000-memory.dmp  4KB
memory/1348-117-0x0000000000000000-mapping.dmp
memory/1664-118-0x0000000000000000-mapping.dmp
memory/1824-119-0x0000000000000000-mapping.dmp
memory/2152-134-0x0000000000000000-mapping.dmp
memory/2224-123-0x0000000000000000-mapping.dmp
memory/2332-136-0x0000000000000000-mapping.dmp
memory/2672-122-0x0000000000000000-mapping.dmp
memory/2744-150-0x0000000000000000-mapping.dmp
memory/2808-151-0x0000000000000000-mapping.dmp
memory/3228-135-0x0000000000000000-mapping.dmp
memory/3724-131-0x0000000000000000-mapping.dmp
memory/3820-126-0x0000000000000000-mapping.dmp
memory/3976-127-0x0000000000000000-mapping.dmp