Overview

overview

10

Static

static

8

0x00030000...22.exe

windows7_x64

0x00030000...22.exe

windows10_x64

10

0x00030000...35.exe

windows7_x64

10

0x00030000...35.exe

windows10_x64

7

0x00030000...41.exe

windows7_x64

8

0x00030000...41.exe

windows10_x64

8

0x00030000...61.exe

windows7_x64

10

0x00030000...61.exe

windows10_x64

10

0x00030000...51.exe

windows7_x64

10

0x00030000...51.exe

windows10_x64

10

0x00030000...56.exe

windows7_x64

10

0x00030000...56.exe

windows10_x64

10

0x00030000...88.exe

windows7_x64

1

0x00030000...88.exe

windows10_x64

1

0x00040000...27.exe

windows7_x64

10

0x00040000...27.exe

windows10_x64

10

0x00040000...63.exe

windows7_x64

0x00040000...63.exe

windows10_x64

10

Resubmissions

08-07-2021 11:17

210708-5s29gx8mxn 10

08-07-2021 11:17

210708-lndt9d354a 10

Analysis

  • max time kernel
    1790s
  • max time network
    1711s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    08-07-2021 11:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0x00030000000130dc-135.exe

  • Size

    680KB

  • MD5

    7837314688b7989de1e8d94f598eb2dd

  • SHA1

    889ae8ce433d5357f8ea2aff64daaba563dc94e3

  • SHA256

    d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247

  • SHA512

    3df0c24a9f51a82716abb8e87ff44fdb6686183423d1f2f7d6bfb4cd03c3a18490f2c7987c29f3e1b2d25c48d428c2e73033998a872b185f70bb68a7aedb3e7c

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 29 IoCs
  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:864
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:608
    • C:\Users\Admin\AppData\Local\Temp\0x00030000000130dc-135.exe
      "C:\Users\Admin\AppData\Local\Temp\0x00030000000130dc-135.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\SysWOW64\rUNdlL32.eXe
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
        2⤵
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1756

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\axhub.dat
      MD5

      13abe7637d904829fbb37ecda44a1670

      SHA1

      de26b60d2c0b1660220caf3f4a11dfabaa0e7b9f

      SHA256

      7a20b34c0f9b516007d40a570eafb782028c5613138e8b9697ca398b0b3420d6

      SHA512

      6e02ca1282f3d1bbbb684046eb5dcef412366a0ed2276c1f22d2f16b978647c0e35a8d728a0349f022295b0aba30139b2b8bb75b92aa5fdcc18aae9dcf357d77

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\axhub.dll
      MD5

      89c739ae3bbee8c40a52090ad0641d31

      SHA1

      d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

      SHA256

      10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

      SHA512

      cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

      Download Submit
    • \Users\Admin\AppData\Local\Temp\axhub.dll
      MD5

      89c739ae3bbee8c40a52090ad0641d31

      SHA1

      d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

      SHA256

      10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

      SHA512

      cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

      Download Submit
    • \Users\Admin\AppData\Local\Temp\axhub.dll
      MD5

      89c739ae3bbee8c40a52090ad0641d31

      SHA1

      d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

      SHA256

      10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

      SHA512

      cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

      Download Submit
    • \Users\Admin\AppData\Local\Temp\axhub.dll
      MD5

      89c739ae3bbee8c40a52090ad0641d31

      SHA1

      d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

      SHA256

      10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

      SHA512

      cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

      Download Submit
    • \Users\Admin\AppData\Local\Temp\axhub.dll
      MD5

      89c739ae3bbee8c40a52090ad0641d31

      SHA1

      d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

      SHA256

      10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

      SHA512

      cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

      Download Submit
    • memory/608-68-0x00000000FF07246C-mapping.dmp
      Download
    • memory/608-74-0x0000000000490000-0x0000000000501000-memory.dmp
      Filesize

      452KB

      Download
    • memory/608-75-0x0000000001CB0000-0x0000000001CCB000-memory.dmp
      Filesize

      108KB

      Download
    • memory/608-76-0x0000000002EC0000-0x0000000002FC6000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/864-72-0x0000000002470000-0x00000000024E1000-memory.dmp
      Filesize

      452KB

      Download
    • memory/864-71-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1088-59-0x00000000753B1000-0x00000000753B3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1756-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1756-69-0x0000000002160000-0x0000000002261000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1756-70-0x0000000000880000-0x00000000008DD000-memory.dmp
      Filesize

      372KB

      Download