0204588ca4e01c306d247a6dfc7ec1e3a29014e08d2ee0ce73d756ebbc429b6b

Analysis

max time kernel
147s
max time network
121s
platform
windows10_x64
resource
win10v20210408
submitted
11-05-2021 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InjCht.exe
Size

6.4MB
MD5

bd2068cfbffbe0eeb388f40ba17724d2
SHA1

f8200558ef6bbf31474023d913642fed52b97e2f
SHA256

0204588ca4e01c306d247a6dfc7ec1e3a29014e08d2ee0ce73d756ebbc429b6b
SHA512

7a2e59c0bcd170636da3cc069cb6bb0fcf788dbe6d91ab48a70c10f7b0b950df737ecae1cc8d00cd6feb6f3d8a1c160dfe9ede6a73dfc8d47a9aa532bf46fae0

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 1 IoCs

Processes:

drvmngr.exe

pid process

2120 drvmngr.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2120	drvmngr.exe

Loads dropped DLL 11 IoCs

Processes:

InjCht.exe

pid	process
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe

Drops file in Windows directory 4 IoCs

Processes:

InjCht.exedrvmngr.execmd.exe

description	ioc	process
File created	C:\Windows\parameters.ini	InjCht.exe
File created	C:\Windows\drvmngr.exe	InjCht.exe
File opened for modification	C:\Windows\parameters.ini	drvmngr.exe
File created	C:\Windows\gpu_name.txt	cmd.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies data under HKEY_USERS 1 IoCs

Processes:

WMIC.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

InjCht.exedrvmngr.exe

pid	process
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
852	InjCht.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe
2120	drvmngr.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

drvmngr.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2120	drvmngr.exe
Token: SeAssignPrimaryTokenPrivilege	3600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3600	WMIC.exe
Token: SeSecurityPrivilege	3600	WMIC.exe
Token: SeTakeOwnershipPrivilege	3600	WMIC.exe
Token: SeLoadDriverPrivilege	3600	WMIC.exe
Token: SeSystemtimePrivilege	3600	WMIC.exe
Token: SeBackupPrivilege	3600	WMIC.exe
Token: SeRestorePrivilege	3600	WMIC.exe
Token: SeShutdownPrivilege	3600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3600	WMIC.exe
Token: SeUndockPrivilege	3600	WMIC.exe
Token: SeManageVolumePrivilege	3600	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3600	WMIC.exe
Token: SeSecurityPrivilege	3600	WMIC.exe
Token: SeTakeOwnershipPrivilege	3600	WMIC.exe
Token: SeLoadDriverPrivilege	3600	WMIC.exe
Token: SeSystemtimePrivilege	3600	WMIC.exe
Token: SeBackupPrivilege	3600	WMIC.exe
Token: SeRestorePrivilege	3600	WMIC.exe
Token: SeShutdownPrivilege	3600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3600	WMIC.exe
Token: SeUndockPrivilege	3600	WMIC.exe
Token: SeManageVolumePrivilege	3600	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

drvmngr.exe

pid process

2120 drvmngr.exe

pid	process
2120	drvmngr.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

InjCht.execmd.exenet.execmd.execmd.execmd.execmd.exenet.exedrvmngr.execmd.exe

description	pid	process	target process
PID 852 wrote to memory of 3184	852	InjCht.exe	cmd.exe
PID 852 wrote to memory of 3184	852	InjCht.exe	cmd.exe
PID 852 wrote to memory of 3184	852	InjCht.exe	cmd.exe
PID 3184 wrote to memory of 1868	3184	cmd.exe	net.exe
PID 3184 wrote to memory of 1868	3184	cmd.exe	net.exe
PID 3184 wrote to memory of 1868	3184	cmd.exe	net.exe
PID 1868 wrote to memory of 988	1868	net.exe	net1.exe
PID 1868 wrote to memory of 988	1868	net.exe	net1.exe
PID 1868 wrote to memory of 988	1868	net.exe	net1.exe
PID 852 wrote to memory of 2824	852	InjCht.exe	cmd.exe
PID 852 wrote to memory of 2824	852	InjCht.exe	cmd.exe
PID 852 wrote to memory of 2824	852	InjCht.exe	cmd.exe
PID 2824 wrote to memory of 3988	2824	cmd.exe	sc.exe
PID 2824 wrote to memory of 3988	2824	cmd.exe	sc.exe
PID 2824 wrote to memory of 3988	2824	cmd.exe	sc.exe
PID 852 wrote to memory of 2428	852	InjCht.exe	cmd.exe
PID 852 wrote to memory of 2428	852	InjCht.exe	cmd.exe
PID 852 wrote to memory of 2428	852	InjCht.exe	cmd.exe
PID 2428 wrote to memory of 4056	2428	cmd.exe	sc.exe
PID 2428 wrote to memory of 4056	2428	cmd.exe	sc.exe
PID 2428 wrote to memory of 4056	2428	cmd.exe	sc.exe
PID 852 wrote to memory of 3708	852	InjCht.exe	cmd.exe
PID 852 wrote to memory of 3708	852	InjCht.exe	cmd.exe
PID 852 wrote to memory of 3708	852	InjCht.exe	cmd.exe
PID 3708 wrote to memory of 1324	3708	cmd.exe	sc.exe
PID 3708 wrote to memory of 1324	3708	cmd.exe	sc.exe
PID 3708 wrote to memory of 1324	3708	cmd.exe	sc.exe
PID 852 wrote to memory of 2196	852	InjCht.exe	cmd.exe
PID 852 wrote to memory of 2196	852	InjCht.exe	cmd.exe
PID 852 wrote to memory of 2196	852	InjCht.exe	cmd.exe
PID 2196 wrote to memory of 1032	2196	cmd.exe	net.exe
PID 2196 wrote to memory of 1032	2196	cmd.exe	net.exe
PID 2196 wrote to memory of 1032	2196	cmd.exe	net.exe
PID 1032 wrote to memory of 1880	1032	net.exe	net1.exe
PID 1032 wrote to memory of 1880	1032	net.exe	net1.exe
PID 1032 wrote to memory of 1880	1032	net.exe	net1.exe
PID 2120 wrote to memory of 3880	2120	drvmngr.exe	cmd.exe
PID 2120 wrote to memory of 3880	2120	drvmngr.exe	cmd.exe
PID 2120 wrote to memory of 3880	2120	drvmngr.exe	cmd.exe
PID 3880 wrote to memory of 3600	3880	cmd.exe	WMIC.exe
PID 3880 wrote to memory of 3600	3880	cmd.exe	WMIC.exe
PID 3880 wrote to memory of 3600	3880	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\InjCht.exe
"C:\Users\Admin\AppData\Local\Temp\InjCht.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net stop DriverService
2⤵
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\net.exe
net stop DriverService
3⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DriverService
4⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Sc delete DriverService
2⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\sc.exe
Sc delete DriverService
3⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Sc create DriverService binpath= C:\Windows\drvmngr.exe start= auto DisplayName= DriversService
2⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\sc.exe
Sc create DriverService binpath= C:\Windows\drvmngr.exe start= auto DisplayName= DriversService
3⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C sc description DriverService ServiceManagerForDriver
2⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\sc.exe
sc description DriverService ServiceManagerForDriver
3⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net start DriverService
2⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\net.exe
net start DriverService
3⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start DriverService
4⤵
PID:1880

C:\Windows\drvmngr.exe
C:\Windows\drvmngr.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c wmic path win32_VideoController get name > C:\Windows\gpu_name.txt
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\drvmngr.exe
MD5
029ea8bea38c49c59fc0ee2be5e82e18

SHA1
64e3cacb07ab01579fa2697460417bcac70bcbf3

SHA256
3e3dbcb1f2dbd39f66cffa8fcf461c44b04b01783cdf2d5e3618e3c467743ee9

SHA512
8ed8b4c9f71b65a4f095485a34fe314dbfce3c7929d913cc10578f9971fae5d57182fadcda2d3a7dc0b75a7ff62fbcf67f00320e736c810cbddc56170e5fb56a

Download Submit
C:\Windows\drvmngr.exe
MD5
029ea8bea38c49c59fc0ee2be5e82e18

SHA1
64e3cacb07ab01579fa2697460417bcac70bcbf3

SHA256
3e3dbcb1f2dbd39f66cffa8fcf461c44b04b01783cdf2d5e3618e3c467743ee9

SHA512
8ed8b4c9f71b65a4f095485a34fe314dbfce3c7929d913cc10578f9971fae5d57182fadcda2d3a7dc0b75a7ff62fbcf67f00320e736c810cbddc56170e5fb56a

Download Submit
C:\Windows\parameters.ini
MD5
7a99d07a5ecc6a7358fb34b13c7fecd5

SHA1
b1954987bffde4a8a844b3b16a421ebaf2673838

SHA256
4710c22494cbe7629cf1064f7a8beb9028556b7b2f611a7f968a6b968cd5f286

SHA512
d1aeae80ab519991e8a5b9882c6b10b04aeba2e3c037d4822c8a4ceee735ae1e3118b0e9cd74c129f147fe7ac15a61511dfdbb527e69c4c41dd8527a836286de

Download Submit
\Users\Admin\AppData\Local\Temp\nsb9590.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsb9590.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsb9590.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsb9590.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsb9590.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsb9590.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsb9590.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsb9590.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsb9590.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsb9590.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsb9590.tmp\nsProcess.dll
MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/988-119-0x0000000000000000-mapping.dmp

Download
memory/1032-135-0x0000000000000000-mapping.dmp

Download
memory/1324-131-0x0000000000000000-mapping.dmp

Download
memory/1868-118-0x0000000000000000-mapping.dmp

Download
memory/1880-136-0x0000000000000000-mapping.dmp

Download
memory/2120-142-0x0000000001850000-0x0000000001851000-memory.dmp

Filesize
4KB

Download
memory/2120-146-0x0000000000400000-0x0000000001280000-memory.dmp

Filesize
14.5MB

Download
memory/2120-150-0x0000000001890000-0x0000000001891000-memory.dmp

Filesize
4KB

Download
memory/2120-145-0x0000000001880000-0x0000000001881000-memory.dmp

Filesize
4KB

Download
memory/2120-144-0x0000000001870000-0x0000000001871000-memory.dmp

Filesize
4KB

Download
memory/2120-143-0x0000000001860000-0x0000000001861000-memory.dmp

Filesize
4KB

Download
memory/2120-141-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/2120-140-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/2120-139-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2196-134-0x0000000000000000-mapping.dmp

Download
memory/2428-126-0x0000000000000000-mapping.dmp

Download
memory/2824-122-0x0000000000000000-mapping.dmp

Download
memory/3184-117-0x0000000000000000-mapping.dmp

Download
memory/3600-151-0x0000000000000000-mapping.dmp

Download
memory/3708-130-0x0000000000000000-mapping.dmp

Download
memory/3880-149-0x0000000000000000-mapping.dmp

Download
memory/3988-123-0x0000000000000000-mapping.dmp

Download
memory/4056-127-0x0000000000000000-mapping.dmp

Download