Analysis
  max time kernel: 150s
  max time network: 149s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 20-05-2021 01:02

Static task: static1

Behavioral task: behavioral1
  Sample: a3a799eb_by_Libranalysis.exe
  Resource: win7v20210408
General
  Target: a3a799eb_by_Libranalysis.exe
  Size: 802KB
  MD5: a3a799eb1435896baea3a8e079c8dd02
  SHA1: cb0ce4c57cd8e4561a88ce20e80888d097b00900
  SHA256: 55c12cb22033e12af48c4bb80b660e4ace8ed2364e7147979e30355bab7d5469
  SHA512: 7cf21f437cb33fb2fe03b496309509266db8863650d175072f57b278e96a82b508651cdbc61aa08334858ffe18e251039a3c3d421d97a3749ab21ae16c89a3d9
Malware Config

Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes:
  Description | IoC | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe

Downloads MZ/PE file
Executes dropped EXE (2 IoCs)
Processes:
  PID | Process
  3720 | g1agecw7e19_1.exe
  3512 | 7u7i3i3c5yu.exe

Sets file execution options in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  Description | IoC | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes:
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\g1agecw7e19.exe" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\g1agecw7e19.exe\"" | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\g1agecw7e19.exe\"" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe

Checks whether UAC is enabled
Processes:
  Description | IoC | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a3a799eb_by_Libranalysis.exe
Drops desktop.ini file(s) (1 IoCs)
Processes:
  Description | IoC | Process
  File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (11 IoCs)
Processes:
  PID | Process
  724 | a3a799eb_by_Libranalysis.exe
  152 | explorer.exe (10 entries)
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  Description | PID | Process | procid_target
  PID 3772 set thread context of 724 | 3772 | a3a799eb_by_Libranalysis.exe | 72
  PID 3720 set thread context of 0 | 3720 | g1agecw7e19_1.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | a3a799eb_by_Libranalysis.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | a3a799eb_by_Libranalysis.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes:
  Description | IoC | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes:
  Description | IoC | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe

Modifies Internet Explorer settings
Processes:
  Description | IoC | Process
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | explorer.exe
NTFS ADS (2 IoCs)
Processes:
  Description | IoC | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\g1agecw7e19_1.exe:14EDFC78 | explorer.exe
  File created | C:\Users\Admin\AppData\Local\Temp\g1agecw7e19_1.exe:14EDFC78 | explorer.exe
Suspicious behavior: EnumeratesProcesses (44 IoCs)
Processes:
  PID | Process
  152 | explorer.exe (8 entries)
  1532 | powershell.exe
  3912 | powershell.exe
  204 | powershell.exe
  1556 | powershell.exe
  1556 | powershell.exe
  3912 | powershell.exe
  1532 | powershell.exe
  204 | powershell.exe
  1556 | powershell.exe
  3912 | powershell.exe
  204 | powershell.exe
  1532 | powershell.exe
  152 | explorer.exe (24 entries)
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  PID | Process
  724 | a3a799eb_by_Libranalysis.exe
  724 | a3a799eb_by_Libranalysis.exe
Suspicious behavior: RenamesItself (1 IoCs)
Processes:
  PID | Process
  724 | a3a799eb_by_Libranalysis.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  Description | PID | Process
  Token: SeDebugPrivilege | 724 | a3a799eb_by_Libranalysis.exe
  Token: SeRestorePrivilege | 724 | a3a799eb_by_Libranalysis.exe
  Token: SeBackupPrivilege | 724 | a3a799eb_by_Libranalysis.exe
  Token: SeLoadDriverPrivilege | 724 | a3a799eb_by_Libranalysis.exe
  Token: SeCreatePagefilePrivilege | 724 | a3a799eb_by_Libranalysis.exe
  Token: SeShutdownPrivilege | 724 | a3a799eb_by_Libranalysis.exe
  Token: SeTakeOwnershipPrivilege | 724 | a3a799eb_by_Libranalysis.exe
  Token: SeChangeNotifyPrivilege | 724 | a3a799eb_by_Libranalysis.exe
  Token: SeCreateTokenPrivilege | 724 | a3a799eb_by_Libranalysis.exe
  Token: SeMachineAccountPrivilege | 724 | a3a799eb_by_Libranalysis.exe
  Token: SeSecurityPrivilege | 724 | a3a799eb_by_Libranalysis.exe
  Token: SeAssignPrimaryTokenPrivilege | 724 | a3a799eb_by_Libranalysis.exe
  Token: SeCreateGlobalPrivilege | 724 | a3a799eb_by_Libranalysis.exe
  Token: 33 | 724 | a3a799eb_by_Libranalysis.exe
  Token: SeDebugPrivilege | 152 | explorer.exe
  Token: SeRestorePrivilege | 152 | explorer.exe
  Token: SeBackupPrivilege | 152 | explorer.exe
  Token: SeLoadDriverPrivilege | 152 | explorer.exe
  Token: SeCreatePagefilePrivilege | 152 | explorer.exe
  Token: SeShutdownPrivilege | 152 | explorer.exe
  Token: SeTakeOwnershipPrivilege | 152 | explorer.exe
  Token: SeChangeNotifyPrivilege | 152 | explorer.exe
  Token: SeCreateTokenPrivilege | 152 | explorer.exe
  Token: SeMachineAccountPrivilege | 152 | explorer.exe
  Token: SeSecurityPrivilege | 152 | explorer.exe
  Token: SeAssignPrimaryTokenPrivilege | 152 | explorer.exe
  Token: SeCreateGlobalPrivilege | 152 | explorer.exe
  Token: 33 | 152 | explorer.exe
  Token: SeDebugPrivilege | 3912 | powershell.exe
  Token: SeDebugPrivilege | 1532 | powershell.exe
  Token: SeDebugPrivilege | 204 | powershell.exe
  Token: SeDebugPrivilege | 1556 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 204 | powershell.exe
  Token: SeSecurityPrivilege | 204 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 204 | powershell.exe
  Token: SeLoadDriverPrivilege | 204 | powershell.exe
  Token: SeSystemProfilePrivilege | 204 | powershell.exe
  Token: SeSystemtimePrivilege | 204 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 204 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 204 | powershell.exe
  Token: SeCreatePagefilePrivilege | 204 | powershell.exe
  Token: SeBackupPrivilege | 204 | powershell.exe
  Token: SeRestorePrivilege | 204 | powershell.exe
  Token: SeShutdownPrivilege | 204 | powershell.exe
  Token: SeDebugPrivilege | 204 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 204 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 204 | powershell.exe
  Token: SeUndockPrivilege | 204 | powershell.exe
  Token: SeManageVolumePrivilege | 204 | powershell.exe
  Token: 33 | 204 | powershell.exe
  Token: 34 | 204 | powershell.exe
  Token: 35 | 204 | powershell.exe
  Token: 36 | 204 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3912 | powershell.exe
  Token: SeSecurityPrivilege | 3912 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 3912 | powershell.exe
  Token: SeLoadDriverPrivilege | 3912 | powershell.exe
  Token: SeSystemProfilePrivilege | 3912 | powershell.exe
  Token: SeSystemtimePrivilege | 3912 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 3912 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 3912 | powershell.exe
  Token: SeCreatePagefilePrivilege | 3912 | powershell.exe
  Token: SeBackupPrivilege | 3912 | powershell.exe
  Token: SeRestorePrivilege | 3912 | powershell.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  PID | Process
  3512 | 7u7i3i3c5yu.exe
Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
  Description | PID | Process | procid_target
  PID 3772 wrote to memory of 724 | 3772 | a3a799eb_by_Libranalysis.exe | 72 (5 entries)
  PID 724 wrote to memory of 152 | 724 | a3a799eb_by_Libranalysis.exe | 77 (3 entries)
  PID 152 wrote to memory of 3720 | 152 | explorer.exe | 81 (3 entries)
  PID 152 wrote to memory of 3512 | 152 | explorer.exe | 82 (3 entries)
  PID 3512 wrote to memory of 1532 | 3512 | 7u7i3i3c5yu.exe | 83 (2 entries)
  PID 3512 wrote to memory of 3912 | 3512 | 7u7i3i3c5yu.exe | 84 (2 entries)
  PID 3512 wrote to memory of 1556 | 3512 | 7u7i3i3c5yu.exe | 90 (2 entries)
  PID 3512 wrote to memory of 204 | 3512 | 7u7i3i3c5yu.exe | 87 (2 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\a3a799eb_by_Libranalysis.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3a799eb_by_Libranalysis.exe"
  PID: 3772
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\a3a799eb_by_Libranalysis.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a3a799eb_by_Libranalysis.exe"
    PID: 724
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\explorer.exe (depth 3)
      Command line: C:\Windows\SysWOW64\explorer.exe
      PID: 152
      - Modifies firewall policy service
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer Protected Mode Banner
      - Modifies Internet Explorer settings
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\g1agecw7e19_1.exe (depth 4)
        Command line: /suac
        PID: 3720
        - Executes dropped EXE
        - Suspicious use of SetThreadContext

      C:\Users\Admin\AppData\Local\Temp\7u7i3i3c5yu.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\7u7i3i3c5yu.exe"
        PID: 3512
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\'
          PID: 1532
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'
          PID: 3912
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'
          PID: 204
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Google Updater 2.09\'
          PID: 1556
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Download 1
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download 2
  MD5: a1e8c8d29544019391fa9a0d54eeda4b
  SHA1: 9f9ed881bbd249be72492a04dfe24c7a58ecae2c
  SHA256: 85cf180bc2bbb5b5a5628b7184419789bbbc6908a390b6a1dc16dd5cb3f022a6
  SHA512: 9727004b88e177a81f619cc0d9b1766c1a5853b9260fa3970837e5d59e337aeec4e7923729ae77be4455572b9459fd75da7df20075d57596a3eca20bbb33da8c

Download 3
  MD5: a1e8c8d29544019391fa9a0d54eeda4b
  SHA1: 9f9ed881bbd249be72492a04dfe24c7a58ecae2c
  SHA256: 85cf180bc2bbb5b5a5628b7184419789bbbc6908a390b6a1dc16dd5cb3f022a6
  SHA512: 9727004b88e177a81f619cc0d9b1766c1a5853b9260fa3970837e5d59e337aeec4e7923729ae77be4455572b9459fd75da7df20075d57596a3eca20bbb33da8c

Download 4
  MD5: e1d80047794ddb8c4450784eec9feeda
  SHA1: 97b97dd61473c50a8ca9367e347a40b227c92038
  SHA256: b0465ca19c5674b36c035734ab1da30652fafc01f8b97511b5f82a2c796cc861
  SHA512: 7f45fe180d07e0addd3464b77cfa6be05157bc2c6b4de1032290732c904b5d2424628c67681bb9ba067a1de843a0171016fb51b9ab3f36fe7da9490aeafa6dbe

Download 5
  MD5: 07f2ddc571ace474d3d7c0e5efd051a2
  SHA1: ddb49e4e422c5a7a6e9db9c92776c2531bf10ca8
  SHA256: 4524311e34beb91833ab812e17dc231724539c892dfeacd24ccdd8c2951a1b8f
  SHA512: 4d453dfe4d4b642a71917efd75f2f4aebf8d3e964f3be589a643694d633ed5f7934c1a392559a264ba870746da122735dc7999ad4cc40d58f19a60d04e20ae3e

Download 6
  MD5: 07f2ddc571ace474d3d7c0e5efd051a2
  SHA1: ddb49e4e422c5a7a6e9db9c92776c2531bf10ca8
  SHA256: 4524311e34beb91833ab812e17dc231724539c892dfeacd24ccdd8c2951a1b8f
  SHA512: 4d453dfe4d4b642a71917efd75f2f4aebf8d3e964f3be589a643694d633ed5f7934c1a392559a264ba870746da122735dc7999ad4cc40d58f19a60d04e20ae3e

Download 7
  MD5: a3a799eb1435896baea3a8e079c8dd02
  SHA1: cb0ce4c57cd8e4561a88ce20e80888d097b00900
  SHA256: 55c12cb22033e12af48c4bb80b660e4ace8ed2364e7147979e30355bab7d5469
  SHA512: 7cf21f437cb33fb2fe03b496309509266db8863650d175072f57b278e96a82b508651cdbc61aa08334858ffe18e251039a3c3d421d97a3749ab21ae16c89a3d9

Download 8
  MD5: a3a799eb1435896baea3a8e079c8dd02
  SHA1: cb0ce4c57cd8e4561a88ce20e80888d097b00900
  SHA256: 55c12cb22033e12af48c4bb80b660e4ace8ed2364e7147979e30355bab7d5469
  SHA512: 7cf21f437cb33fb2fe03b496309509266db8863650d175072f57b278e96a82b508651cdbc61aa08334858ffe18e251039a3c3d421d97a3749ab21ae16c89a3d9