Analysis
- max time kernel: 147s
- max time network: 141s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 19-05-2021 09:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: f7e4a28f_by_Libranalysis.exe
- Resource: win7v20210410
General
- Target: f7e4a28f_by_Libranalysis.exe
- Size: 3.5MB
- MD5: f7e4a28f1ed37123d6e0851e573cd640
- SHA1: 8068ea253bafbdbdf2647f264d5a8d5405e8772c
- SHA256: 3a2c441a96936c089c1444f4cd50436593fcd43a18c80a1699fc6b2d62dd6907
- SHA512: 5a370cb4c0e592141dea9c6b2494548105ad108666353f383e06253171df988781dab6c19bebafb5d1107348ffec92cd329cad4aef02ad974eda258b0d4f531d
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
Executes dropped EXE (3 IoCs)
Processes: csvr.exe, psi.exe, psi.exe
- PID 1280 csvr.exe
- PID 3992 psi.exe
- PID 2056 psi.exe
Sets file execution options in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\51y31y5315yq.exe" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\51y31y5315yq.exe\"" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
Checks whether UAC is enabled (2 IoCs)
Processes: psi.exe, cmd.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (psi.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (cmd.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes: psi.exe, explorer.exe
- PID 2056 psi.exe (1 entry)
- PID 3924 explorer.exe (8 entries)
Suspicious use of SetThreadContext (1 IoCs)
Processes: psi.exe
- PID 3992 set thread context of 2056 (pid 3992, psi.exe, procid_target 92)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, psi.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (psi.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (psi.exe)
Delays execution with timeout.exe (5 IoCs)
Processes: timeout.exe (5 instances)
- PID 1160 timeout.exe
- PID 3808 timeout.exe
- PID 3708 timeout.exe
- PID 1236 timeout.exe
- PID 1540 timeout.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
Kills process with taskkill (2 IoCs)
Processes: taskkill.exe, taskkill.exe
- PID 796 taskkill.exe
- PID 3700 taskkill.exe
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
Modifies Internet Explorer settings (1 IoCs)
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
Modifies registry class (2 IoCs)
Processes: cmd.exe, f7e4a28f_by_Libranalysis.exe
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (cmd.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (f7e4a28f_by_Libranalysis.exe)
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes: explorer.exe
- PID 3924 explorer.exe (28 entries)
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: psi.exe, explorer.exe
- PID 2056 psi.exe (2 entries)
- PID 3924 explorer.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Processes: psi.exe, taskkill.exe, taskkill.exe, explorer.exe
- psi.exe (PID 2056), tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- taskkill.exe (PID 796), token: SeDebugPrivilege
- taskkill.exe (PID 3700), token: SeDebugPrivilege
- explorer.exe (PID 3924), tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: f7e4a28f_by_Libranalysis.exe, WScript.exe, cmd.exe, WScript.exe, cmd.exe, psi.exe, psi.exe, explorer.exe
Rows: source PID wrote to memory of target PID (source process, procid_target), with the number of identical entries.
- PID 488 wrote to memory of 3172 (f7e4a28f_by_Libranalysis.exe, procid_target 75), 3 entries
- PID 3172 wrote to memory of 800 (WScript.exe, procid_target 76), 3 entries
- PID 800 wrote to memory of 1236 (cmd.exe, procid_target 78), 3 entries
- PID 800 wrote to memory of 192 (cmd.exe, procid_target 79), 3 entries
- PID 800 wrote to memory of 1280 (cmd.exe, procid_target 82), 3 entries
- PID 800 wrote to memory of 1540 (cmd.exe, procid_target 83), 3 entries
- PID 800 wrote to memory of 2208 (cmd.exe, procid_target 85), 3 entries
- PID 800 wrote to memory of 1160 (cmd.exe, procid_target 86), 3 entries
- PID 2208 wrote to memory of 2040 (WScript.exe, procid_target 87), 3 entries
- PID 2040 wrote to memory of 3852 (cmd.exe, procid_target 89), 3 entries
- PID 2040 wrote to memory of 3808 (cmd.exe, procid_target 90), 3 entries
- PID 2040 wrote to memory of 3992 (cmd.exe, procid_target 91), 3 entries
- PID 3992 wrote to memory of 2056 (psi.exe, procid_target 92), 5 entries
- PID 2040 wrote to memory of 796 (cmd.exe, procid_target 93), 3 entries
- PID 2040 wrote to memory of 3700 (cmd.exe, procid_target 95), 3 entries
- PID 2056 wrote to memory of 3924 (psi.exe, procid_target 96), 3 entries
- PID 2040 wrote to memory of 764 (cmd.exe, procid_target 97), 3 entries
- PID 2040 wrote to memory of 3708 (cmd.exe, procid_target 98), 3 entries
- PID 3924 wrote to memory of 800 (explorer.exe, procid_target 76), 2 entries
- PID 3924 wrote to memory of 1160 (explorer.exe, procid_target 86), 2 entries
- PID 3924 wrote to memory of 2040 (explorer.exe, procid_target 87), 2 entries
- PID 3924 wrote to memory of 3708 (explorer.exe, procid_target 98), 2 entries
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
- PID 3852 attrib.exe
- PID 764 attrib.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\f7e4a28f_by_Libranalysis.exe (PID 488)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7e4a28f_by_Libranalysis.exe"
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 3172)
    Command line: "C:\Windows\System32\WScript.exe" "C:\site1\conf\pe.vbs"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 800)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\site1\conf\uiy.bat" "
      Signatures: Checks whether UAC is enabled; Modifies registry class; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (PID 1236)
        Command line: timeout 0
        Signatures: Delays execution with timeout.exe
      - C:\Windows\SysWOW64\PING.EXE (PID 192)
        Command line: ping dhgfg sgudy
        Signatures: Runs ping.exe
      - C:\site1\conf\csvr.exe (PID 1280)
        Command line: "csvr.exe" e -p1vartanderkoolermaster lol.rar
        Signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\timeout.exe (PID 1540)
        Command line: timeout 6
        Signatures: Delays execution with timeout.exe
      - C:\Windows\SysWOW64\WScript.exe (PID 2208)
        Command line: "C:\Windows\System32\WScript.exe" "C:\site1\conf\biling.vbs"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 2040)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\site1\conf\site.bat" "
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\attrib.exe (PID 3852)
            Command line: attrib +s +h "C:\site1\conf"
            Signatures: Views/modifies file attributes
          - C:\Windows\SysWOW64\timeout.exe (PID 3808)
            Command line: timeout 2
            Signatures: Delays execution with timeout.exe
          - C:\site1\conf\psi.exe (PID 3992)
            Command line: psi.exe /start
            Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            - C:\site1\conf\psi.exe (PID 2056)
              Command line: psi.exe /start
              Signatures: Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Checks processor information in registry; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\SysWOW64\explorer.exe (PID 3924)
                Command line: C:\Windows\SysWOW64\explorer.exe
                Signatures: Modifies firewall policy service; Checks BIOS information in registry; Adds Run key to start application; Suspicious use of NtSetInformationThreadHideFromDebugger; Checks processor information in registry; Enumerates system info in registry; Modifies Internet Explorer Protected Mode; Modifies Internet Explorer Protected Mode Banner; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\taskkill.exe (PID 796)
            Command line: taskkill /f /im csvr.exe
            Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\taskkill.exe (PID 3700)
            Command line: taskkill /f /im csvr.exe
            Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\attrib.exe (PID 764)
            Command line: attrib -s -h "C:\site1\conf\psi.exe"
            Signatures: Views/modifies file attributes
          - C:\Windows\SysWOW64\timeout.exe (PID 3708)
            Command line: timeout 4
            Signatures: Delays execution with timeout.exe
      - C:\Windows\SysWOW64\timeout.exe (PID 1160)
        Command line: timeout 7
        Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e349fbe030e2524e041f3f60d110b7c7
  SHA1: 763bfa5803bda9d740ff2e31c350e745397308f9
  SHA256: 47a1389daec3f031b2232e7e0dcec00b84f0e4e83bff64ccdcd6b9dbd41e64d8
  SHA512: ed583faa84bae3f70b0acf89f7b6da08b34633a0bcb766480375ce18c5a26bb15891406f3657eacbb6367d14c97a79bbbdddc39fcb6410eeec33735b34b10129
- MD5: 70f8a68b9e1e00708c64e1d1fec715f4
  SHA1: 63247e2afb4b30892d1d23a903393043abc5a214
  SHA256: 04cff1c0dbbc09f19df77f4b1d2481440c7f408260e95e661ec33ee542bf3cd7
  SHA512: dd49ac3beefd21484a6e90d8a9d250e63cd2e78bd7fe3916a668316d6b84ec47bb3e6ba680e5a13200e68648d508da0fa5ee4294c425d3f041cee60e86ef4501
- MD5: 397a93800d56a2308bffc872d4a08032 (2 identical entries)
  SHA1: 6f5334d51195a521e8a03f0e05ac777b96c77bc4
  SHA256: efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720
  SHA512: 7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb
- MD5: b022334d0c60338f90e47e2478873d7a
  SHA1: 19c094781ad40ef0efa617cb1fb92d127bdecb7b
  SHA256: c95053b468dd6b1623432f7676b81bbb43480959537da737fe270f4a8d195ca3
  SHA512: 34e9bc989e52a53e96a6d0e9c11b5d3c8367f3c16ef73101d63dfc3a9464d559430717df109d32dd1dfcdc67763e8824699701785787cbf0a6a38fdf20a7b16c
- MD5: 7c1588678299109e5bdf37f40102ef99 (3 identical entries)
  SHA1: f1e513bef9fc691d5f2eba139c6805e32f5268ee
  SHA256: a760c1fe14b0202ba3ec08ea035a003600930a61672a1741210580807c7f2d78
  SHA512: 6ba93ae483503abce54c013a31624d5b96b7bbf5726cdcb9a7665736732f8f68a498e336767609025595c685b793849571030f90e5690534c7d630c7c89931c7
- MD5: 8b653c0a3c307777b9cdc2ec28aac98b
  SHA1: 936f2c75461b8a98b55e4d88ccc3e41088e2d584
  SHA256: f37a565dfd33a94efbb04d04bd8dd1f60b1d42bc9427d3fff4060b51fd318e2f
  SHA512: 16ca9304fea272ec3b3539024df6496119d26774812f9b0119acef33b2837fa60a91ef0389c84718c51a3483339be671dc548904b39bc35057d868c7e0452cdf
- MD5: f6eb567c6e72344762fe0f1e4223990b
  SHA1: 9a200a0c123c22cbca10e6d16f97eeb63835ab2d
  SHA256: 2ab47d3082c64105d769c62bf96a8c5d05cd19dba6d7728da291041dbeea4a65
  SHA512: 0f49fef4d52d192ece9d228df8fd3acdf9c801c9f6039c0aa6c717d8710a87c41593fbfe1aa2ce45806f5dcd4e8c12562e2a2a20734a16fab88dc661dacd4805