2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
9s
max time network
35s
platform
windows7_x64
resource
win7v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
Size

165KB
MD5

1407b521eded12eca22dc4a12421be59
SHA1

031cf6f7f62cbea5753b3d6cc7ee113f69aa43a3
SHA256

79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249
SHA512

79ed739a0ad7f9b45150f491dc9e1cd9f8d4b828fc0ff82bdc23307c4e31efefb862d163ded840438759805b3a792b3fa569d3cce13e4702987a107bc85d3406

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe,C:\\Windows\\system32\\userinit.exe"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

1344 bcdedit.exe

pid	process
1344	bcdedit.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1352 reg.exe
Runs net.exe

pid	process
1352	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe

pid	process
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exeshutdown.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
Token: SeShutdownPrivilege	1912	shutdown.exe
Token: SeRemoteShutdownPrivilege	1912	shutdown.exe
Token: 33	1176	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1176	AUDIODG.EXE
Token: 33	1176	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1176	AUDIODG.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exenet.exe

description	pid	process	target process
PID 2000 wrote to memory of 1352	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	reg.exe
PID 2000 wrote to memory of 1352	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	reg.exe
PID 2000 wrote to memory of 1352	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	reg.exe
PID 2000 wrote to memory of 1344	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	bcdedit.exe
PID 2000 wrote to memory of 1344	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	bcdedit.exe
PID 2000 wrote to memory of 1344	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	bcdedit.exe
PID 2000 wrote to memory of 1624	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	reg.exe
PID 2000 wrote to memory of 1624	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	reg.exe
PID 2000 wrote to memory of 1624	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	reg.exe
PID 2000 wrote to memory of 1544	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 2000 wrote to memory of 1544	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 2000 wrote to memory of 1544	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 2000 wrote to memory of 1912	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	shutdown.exe
PID 2000 wrote to memory of 1912	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	shutdown.exe
PID 2000 wrote to memory of 1912	2000	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	shutdown.exe
PID 1544 wrote to memory of 1836	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1836	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1836	1544	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe"
1⤵
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\system32\reg.exe
  "reg.exe" delete HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend /f
  2⤵
  - Modifies registry key
  PID:1352
- C:\Windows\system32\bcdedit.exe
  "bcdedit.exe" /set {default} safeboot network
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1344
- C:\Windows\system32\reg.exe
  "reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe","C:\Windows\system32\userinit.exe" /f
  2⤵
  - Modifies WinLogon for persistence
  PID:1624
- C:\Windows\system32\net.exe
  "net.exe" user Admin ""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user Admin ""
    3⤵
    PID:1836
- C:\Windows\system32\shutdown.exe
  "shutdown.exe" /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1912

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x180
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-67-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download
memory/760-69-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1344-62-0x0000000000000000-mapping.dmp

Download
memory/1352-61-0x0000000000000000-mapping.dmp

Download
memory/1544-64-0x0000000000000000-mapping.dmp

Download
memory/1624-63-0x0000000000000000-mapping.dmp

Download
memory/1836-66-0x0000000000000000-mapping.dmp

Download
memory/1912-65-0x0000000000000000-mapping.dmp

Download
memory/2000-59-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2000-68-0x000000001AEA0000-0x000000001AEA2000-memory.dmp

Filesize
8KB

Download