0204588ca4e01c306d247a6dfc7ec1e3a29014e08d2ee0ce73d756ebbc429b6b

Analysis

max time kernel
146s
max time network
125s
platform
windows7_x64
resource
win7v20210410
submitted
11-05-2021 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InjCht.exe
Size

6.4MB
MD5

bd2068cfbffbe0eeb388f40ba17724d2
SHA1

f8200558ef6bbf31474023d913642fed52b97e2f
SHA256

0204588ca4e01c306d247a6dfc7ec1e3a29014e08d2ee0ce73d756ebbc429b6b
SHA512

7a2e59c0bcd170636da3cc069cb6bb0fcf788dbe6d91ab48a70c10f7b0b950df737ecae1cc8d00cd6feb6f3d8a1c160dfe9ede6a73dfc8d47a9aa532bf46fae0

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

drvmngr.exe

pid process

1676 drvmngr.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 6 IoCs

Processes:

InjCht.exe

pid process

1088 InjCht.exe
1088 InjCht.exe
1088 InjCht.exe
1088 InjCht.exe
1088 InjCht.exe
1088 InjCht.exe

pid	process
1676	drvmngr.exe

Drops file in Windows directory 4 IoCs

Processes:

InjCht.exedrvmngr.execmd.exe

description	ioc	process
File created	C:\Windows\parameters.ini	InjCht.exe
File created	C:\Windows\drvmngr.exe	InjCht.exe
File opened for modification	C:\Windows\parameters.ini	drvmngr.exe
File created	C:\Windows\gpu_name.txt	cmd.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies data under HKEY_USERS 1 IoCs

Processes:

WMIC.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

InjCht.exedrvmngr.exe

pid	process
1088	InjCht.exe
1088	InjCht.exe
1088	InjCht.exe
1088	InjCht.exe
1088	InjCht.exe
1088	InjCht.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe
1676	drvmngr.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

drvmngr.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1676	drvmngr.exe
Token: SeAssignPrimaryTokenPrivilege	856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	856	WMIC.exe
Token: SeSecurityPrivilege	856	WMIC.exe
Token: SeTakeOwnershipPrivilege	856	WMIC.exe
Token: SeLoadDriverPrivilege	856	WMIC.exe
Token: SeSystemtimePrivilege	856	WMIC.exe
Token: SeBackupPrivilege	856	WMIC.exe
Token: SeRestorePrivilege	856	WMIC.exe
Token: SeShutdownPrivilege	856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	856	WMIC.exe
Token: SeUndockPrivilege	856	WMIC.exe
Token: SeManageVolumePrivilege	856	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	856	WMIC.exe
Token: SeSecurityPrivilege	856	WMIC.exe
Token: SeTakeOwnershipPrivilege	856	WMIC.exe
Token: SeLoadDriverPrivilege	856	WMIC.exe
Token: SeSystemtimePrivilege	856	WMIC.exe
Token: SeBackupPrivilege	856	WMIC.exe
Token: SeRestorePrivilege	856	WMIC.exe
Token: SeShutdownPrivilege	856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	856	WMIC.exe
Token: SeUndockPrivilege	856	WMIC.exe
Token: SeManageVolumePrivilege	856	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

drvmngr.exe

pid process

1676 drvmngr.exe

pid	process
1676	drvmngr.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

InjCht.execmd.exenet.execmd.execmd.execmd.execmd.exenet.exedrvmngr.execmd.exe

description	pid	process	target process
PID 1088 wrote to memory of 1800	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 1800	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 1800	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 1800	1088	InjCht.exe	cmd.exe
PID 1800 wrote to memory of 1384	1800	cmd.exe	net.exe
PID 1800 wrote to memory of 1384	1800	cmd.exe	net.exe
PID 1800 wrote to memory of 1384	1800	cmd.exe	net.exe
PID 1800 wrote to memory of 1384	1800	cmd.exe	net.exe
PID 1384 wrote to memory of 1408	1384	net.exe	net1.exe
PID 1384 wrote to memory of 1408	1384	net.exe	net1.exe
PID 1384 wrote to memory of 1408	1384	net.exe	net1.exe
PID 1384 wrote to memory of 1408	1384	net.exe	net1.exe
PID 1088 wrote to memory of 1348	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 1348	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 1348	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 1348	1088	InjCht.exe	cmd.exe
PID 1348 wrote to memory of 1632	1348	cmd.exe	sc.exe
PID 1348 wrote to memory of 1632	1348	cmd.exe	sc.exe
PID 1348 wrote to memory of 1632	1348	cmd.exe	sc.exe
PID 1348 wrote to memory of 1632	1348	cmd.exe	sc.exe
PID 1088 wrote to memory of 1640	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 1640	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 1640	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 1640	1088	InjCht.exe	cmd.exe
PID 1640 wrote to memory of 1692	1640	cmd.exe	sc.exe
PID 1640 wrote to memory of 1692	1640	cmd.exe	sc.exe
PID 1640 wrote to memory of 1692	1640	cmd.exe	sc.exe
PID 1640 wrote to memory of 1692	1640	cmd.exe	sc.exe
PID 1088 wrote to memory of 308	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 308	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 308	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 308	1088	InjCht.exe	cmd.exe
PID 308 wrote to memory of 556	308	cmd.exe	sc.exe
PID 308 wrote to memory of 556	308	cmd.exe	sc.exe
PID 308 wrote to memory of 556	308	cmd.exe	sc.exe
PID 308 wrote to memory of 556	308	cmd.exe	sc.exe
PID 1088 wrote to memory of 712	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 712	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 712	1088	InjCht.exe	cmd.exe
PID 1088 wrote to memory of 712	1088	InjCht.exe	cmd.exe
PID 712 wrote to memory of 1832	712	cmd.exe	net.exe
PID 712 wrote to memory of 1832	712	cmd.exe	net.exe
PID 712 wrote to memory of 1832	712	cmd.exe	net.exe
PID 712 wrote to memory of 1832	712	cmd.exe	net.exe
PID 1832 wrote to memory of 1736	1832	net.exe	net1.exe
PID 1832 wrote to memory of 1736	1832	net.exe	net1.exe
PID 1832 wrote to memory of 1736	1832	net.exe	net1.exe
PID 1832 wrote to memory of 1736	1832	net.exe	net1.exe
PID 1676 wrote to memory of 1620	1676	drvmngr.exe	cmd.exe
PID 1676 wrote to memory of 1620	1676	drvmngr.exe	cmd.exe
PID 1676 wrote to memory of 1620	1676	drvmngr.exe	cmd.exe
PID 1676 wrote to memory of 1620	1676	drvmngr.exe	cmd.exe
PID 1620 wrote to memory of 856	1620	cmd.exe	WMIC.exe
PID 1620 wrote to memory of 856	1620	cmd.exe	WMIC.exe
PID 1620 wrote to memory of 856	1620	cmd.exe	WMIC.exe
PID 1620 wrote to memory of 856	1620	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\InjCht.exe
"C:\Users\Admin\AppData\Local\Temp\InjCht.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net stop DriverService
2⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\net.exe
net stop DriverService
3⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DriverService
4⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Sc delete DriverService
2⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\sc.exe
Sc delete DriverService
3⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Sc create DriverService binpath= C:\Windows\drvmngr.exe start= auto DisplayName= DriversService
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\sc.exe
Sc create DriverService binpath= C:\Windows\drvmngr.exe start= auto DisplayName= DriversService
3⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C sc description DriverService ServiceManagerForDriver
2⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\sc.exe
sc description DriverService ServiceManagerForDriver
3⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net start DriverService
2⤵
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\SysWOW64\net.exe
net start DriverService
3⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start DriverService
4⤵
PID:1736

C:\Windows\drvmngr.exe
C:\Windows\drvmngr.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c wmic path win32_VideoController get name > C:\Windows\gpu_name.txt
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\drvmngr.exe
MD5
029ea8bea38c49c59fc0ee2be5e82e18

SHA1
64e3cacb07ab01579fa2697460417bcac70bcbf3

SHA256
3e3dbcb1f2dbd39f66cffa8fcf461c44b04b01783cdf2d5e3618e3c467743ee9

SHA512
8ed8b4c9f71b65a4f095485a34fe314dbfce3c7929d913cc10578f9971fae5d57182fadcda2d3a7dc0b75a7ff62fbcf67f00320e736c810cbddc56170e5fb56a

Download Submit
C:\Windows\drvmngr.exe
MD5
029ea8bea38c49c59fc0ee2be5e82e18

SHA1
64e3cacb07ab01579fa2697460417bcac70bcbf3

SHA256
3e3dbcb1f2dbd39f66cffa8fcf461c44b04b01783cdf2d5e3618e3c467743ee9

SHA512
8ed8b4c9f71b65a4f095485a34fe314dbfce3c7929d913cc10578f9971fae5d57182fadcda2d3a7dc0b75a7ff62fbcf67f00320e736c810cbddc56170e5fb56a

Download Submit
C:\Windows\parameters.ini
MD5
7a99d07a5ecc6a7358fb34b13c7fecd5

SHA1
b1954987bffde4a8a844b3b16a421ebaf2673838

SHA256
4710c22494cbe7629cf1064f7a8beb9028556b7b2f611a7f968a6b968cd5f286

SHA512
d1aeae80ab519991e8a5b9882c6b10b04aeba2e3c037d4822c8a4ceee735ae1e3118b0e9cd74c129f147fe7ac15a61511dfdbb527e69c4c41dd8527a836286de

Download Submit
\Users\Admin\AppData\Local\Temp\nsc35B1.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsc35B1.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsc35B1.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsc35B1.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsc35B1.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsc35B1.tmp\nsProcess.dll
MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/308-73-0x0000000000000000-mapping.dmp

Download
memory/556-74-0x0000000000000000-mapping.dmp

Download
memory/712-76-0x0000000000000000-mapping.dmp

Download
memory/856-92-0x0000000000000000-mapping.dmp

Download
memory/1088-60-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1348-67-0x0000000000000000-mapping.dmp

Download
memory/1384-64-0x0000000000000000-mapping.dmp

Download
memory/1408-65-0x0000000000000000-mapping.dmp

Download
memory/1620-91-0x0000000000000000-mapping.dmp

Download
memory/1632-68-0x0000000000000000-mapping.dmp

Download
memory/1640-70-0x0000000000000000-mapping.dmp

Download
memory/1676-86-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1676-82-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1676-83-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1676-84-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1676-85-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1676-87-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1676-88-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1676-89-0x0000000000400000-0x0000000001280000-memory.dmp

Filesize
14.5MB

Download
memory/1676-94-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1692-71-0x0000000000000000-mapping.dmp

Download
memory/1736-78-0x0000000000000000-mapping.dmp

Download
memory/1800-63-0x0000000000000000-mapping.dmp

Download
memory/1832-77-0x0000000000000000-mapping.dmp

Download