6d444fc9baf9b6d7bd7cd76a73297d3a597378b67a722631d2b75582fde2c81e

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7v20210410
submitted
28-07-2021 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf6b7c2d9e35525f679075bae5219cc6.exe
Size

846KB
MD5

bf6b7c2d9e35525f679075bae5219cc6
SHA1

d5443425dfbe68dcf9b7925a4acaa900a2564759
SHA256

6d444fc9baf9b6d7bd7cd76a73297d3a597378b67a722631d2b75582fde2c81e
SHA512

452acfaa452276666104c544aff2184e2a497de55caa0eeae9387c0a24b778f0b613164935fc58af3b212e065d838bcfc10618bae5b0fe76263d275c5e9b8ae6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

run.exerun2.exerun.exerun.exeMicrosoftApi.exeMicrosoftApi.exe

pid process

1120 run.exe
1516 run2.exe
1980 run.exe
1620 run.exe
1184 MicrosoftApi.exe
572 MicrosoftApi.exe

pid	process
1120	run.exe
1516	run2.exe
1980	run.exe
1620	run.exe
1184	MicrosoftApi.exe
572	MicrosoftApi.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftApi.exeMicrosoftApi.exerun2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	run2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	run2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftApi.exe

Loads dropped DLL 3 IoCs

Processes:

bf6b7c2d9e35525f679075bae5219cc6.exerun2.exe

pid process

2040 bf6b7c2d9e35525f679075bae5219cc6.exe
2040 bf6b7c2d9e35525f679075bae5219cc6.exe
1516 run2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

run.exe

description pid process target process

PID 1120 set thread context of 1620 1120 run.exe run.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1052 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1156 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MicrosoftApi.exe

pid process

572 MicrosoftApi.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

run.exeMicrosoftApi.exe

description pid process

Token: SeDebugPrivilege 1120 run.exe
Token: SeDebugPrivilege 572 MicrosoftApi.exe

description	pid	process	target process
PID 1120 set thread context of 1620	1120	run.exe	run.exe

pid	process
1052	schtasks.exe

pid	process
1156	timeout.exe

pid	process
572	MicrosoftApi.exe

description	pid	process
Token: SeDebugPrivilege	1120	run.exe
Token: SeDebugPrivilege	572	MicrosoftApi.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

bf6b7c2d9e35525f679075bae5219cc6.exe

pid	process
2040	bf6b7c2d9e35525f679075bae5219cc6.exe
2040	bf6b7c2d9e35525f679075bae5219cc6.exe
2040	bf6b7c2d9e35525f679075bae5219cc6.exe
2040	bf6b7c2d9e35525f679075bae5219cc6.exe
2040	bf6b7c2d9e35525f679075bae5219cc6.exe
2040	bf6b7c2d9e35525f679075bae5219cc6.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

bf6b7c2d9e35525f679075bae5219cc6.exe

pid	process
2040	bf6b7c2d9e35525f679075bae5219cc6.exe
2040	bf6b7c2d9e35525f679075bae5219cc6.exe
2040	bf6b7c2d9e35525f679075bae5219cc6.exe
2040	bf6b7c2d9e35525f679075bae5219cc6.exe
2040	bf6b7c2d9e35525f679075bae5219cc6.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

bf6b7c2d9e35525f679075bae5219cc6.exerun.exerun2.exeMicrosoftApi.execmd.exetaskeng.exe

description	pid	process	target process
PID 2040 wrote to memory of 1120	2040	bf6b7c2d9e35525f679075bae5219cc6.exe	run.exe
PID 2040 wrote to memory of 1120	2040	bf6b7c2d9e35525f679075bae5219cc6.exe	run.exe
PID 2040 wrote to memory of 1120	2040	bf6b7c2d9e35525f679075bae5219cc6.exe	run.exe
PID 2040 wrote to memory of 1120	2040	bf6b7c2d9e35525f679075bae5219cc6.exe	run.exe
PID 2040 wrote to memory of 1516	2040	bf6b7c2d9e35525f679075bae5219cc6.exe	run2.exe
PID 2040 wrote to memory of 1516	2040	bf6b7c2d9e35525f679075bae5219cc6.exe	run2.exe
PID 2040 wrote to memory of 1516	2040	bf6b7c2d9e35525f679075bae5219cc6.exe	run2.exe
PID 2040 wrote to memory of 1516	2040	bf6b7c2d9e35525f679075bae5219cc6.exe	run2.exe
PID 1120 wrote to memory of 1980	1120	run.exe	run.exe
PID 1120 wrote to memory of 1980	1120	run.exe	run.exe
PID 1120 wrote to memory of 1980	1120	run.exe	run.exe
PID 1120 wrote to memory of 1980	1120	run.exe	run.exe
PID 1120 wrote to memory of 1620	1120	run.exe	run.exe
PID 1120 wrote to memory of 1620	1120	run.exe	run.exe
PID 1120 wrote to memory of 1620	1120	run.exe	run.exe
PID 1120 wrote to memory of 1620	1120	run.exe	run.exe
PID 1120 wrote to memory of 1620	1120	run.exe	run.exe
PID 1120 wrote to memory of 1620	1120	run.exe	run.exe
PID 1120 wrote to memory of 1620	1120	run.exe	run.exe
PID 1120 wrote to memory of 1620	1120	run.exe	run.exe
PID 1120 wrote to memory of 1620	1120	run.exe	run.exe
PID 1120 wrote to memory of 1620	1120	run.exe	run.exe
PID 1516 wrote to memory of 1184	1516	run2.exe	MicrosoftApi.exe
PID 1516 wrote to memory of 1184	1516	run2.exe	MicrosoftApi.exe
PID 1516 wrote to memory of 1184	1516	run2.exe	MicrosoftApi.exe
PID 1184 wrote to memory of 1980	1184	MicrosoftApi.exe	cmd.exe
PID 1184 wrote to memory of 1980	1184	MicrosoftApi.exe	cmd.exe
PID 1184 wrote to memory of 1980	1184	MicrosoftApi.exe	cmd.exe
PID 1980 wrote to memory of 1156	1980	cmd.exe	timeout.exe
PID 1980 wrote to memory of 1156	1980	cmd.exe	timeout.exe
PID 1980 wrote to memory of 1156	1980	cmd.exe	timeout.exe
PID 1980 wrote to memory of 1052	1980	cmd.exe	schtasks.exe
PID 1980 wrote to memory of 1052	1980	cmd.exe	schtasks.exe
PID 1980 wrote to memory of 1052	1980	cmd.exe	schtasks.exe
PID 524 wrote to memory of 572	524	taskeng.exe	MicrosoftApi.exe
PID 524 wrote to memory of 572	524	taskeng.exe	MicrosoftApi.exe
PID 524 wrote to memory of 572	524	taskeng.exe	MicrosoftApi.exe

C:\Users\Admin\AppData\Local\Temp\bf6b7c2d9e35525f679075bae5219cc6.exe
"C:\Users\Admin\AppData\Local\Temp\bf6b7c2d9e35525f679075bae5219cc6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Public\run.exe
C:\Users\Public\run.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Public\run.exe
C:\Users\Public\run.exe
3⤵
- Executes dropped EXE
PID:1980

C:\Users\Public\run.exe
C:\Users\Public\run.exe
3⤵
- Executes dropped EXE
PID:1620

C:\Users\Public\run2.exe
C:\Users\Public\run2.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
"C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE58E.tmp.cmd""
4⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\timeout.exe
timeout 4
5⤵
- Delays execution with timeout.exe
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"'
5⤵
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\taskeng.exe
taskeng.exe {1ECA5694-462B-41DF-AFE6-6BE9192C72A1} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE58E.tmp.cmd
MD5
ff4638e0e9581555dec5b136eda35a0c

SHA1
a651575b64ea9e46522db1acf9dfbe1c16e65d35

SHA256
38e4bb078ef414cbc6c331e6b8efbfc64ca9bacc11bc501e4937d43fd01dbb0d

SHA512
e860075a8969a79e3e350f6f6e4cad9ec3ac7fce1dfd7cc9ad3c9fb0f5535d1c58b1530399f89ae915cc692e03e94e72123b08bd81cd6468a4900f64d76aa1ca

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
MD5
26f150c36d61887868aeb35388c27e28

SHA1
0ea0fc500f236e979b3f030d118f4fb998b67f76

SHA256
07c45a329f4ea2cfe7671123eb2aed8f48a8e1643c5a913fc51c18f01ca9945f

SHA512
b3dc9b6563b9b729df9cd51362740357d9837b88f1b11bbddce4bde1aeab3e8a153472ba5a61e86df318deff4d4ccb8ab696ee79885e7204420692ce88c0795b

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
MD5
26f150c36d61887868aeb35388c27e28

SHA1
0ea0fc500f236e979b3f030d118f4fb998b67f76

SHA256
07c45a329f4ea2cfe7671123eb2aed8f48a8e1643c5a913fc51c18f01ca9945f

SHA512
b3dc9b6563b9b729df9cd51362740357d9837b88f1b11bbddce4bde1aeab3e8a153472ba5a61e86df318deff4d4ccb8ab696ee79885e7204420692ce88c0795b

Download Submit
C:\Users\Public\run.exe
MD5
848b1ba08b8b8ef14ea675aabe5fca3b

SHA1
779594fbaa056b965a6f2bdeb236dd7d219b777d

SHA256
f39587daf3182dc632684a65c67081516371a602e4783c9a73292974952e0097

SHA512
a93652bdfe8427292400bf88530193abfb98ecd04c7b4c9b270eb9140222b290108dcec21d799b261ad3ec3f309e05bc3f4832b635adda6ff4ddd78e0f145a1c

Download Submit
C:\Users\Public\run.exe
MD5
848b1ba08b8b8ef14ea675aabe5fca3b

SHA1
779594fbaa056b965a6f2bdeb236dd7d219b777d

SHA256
f39587daf3182dc632684a65c67081516371a602e4783c9a73292974952e0097

SHA512
a93652bdfe8427292400bf88530193abfb98ecd04c7b4c9b270eb9140222b290108dcec21d799b261ad3ec3f309e05bc3f4832b635adda6ff4ddd78e0f145a1c

Download Submit
C:\Users\Public\run.exe
MD5
848b1ba08b8b8ef14ea675aabe5fca3b

SHA1
779594fbaa056b965a6f2bdeb236dd7d219b777d

SHA256
f39587daf3182dc632684a65c67081516371a602e4783c9a73292974952e0097

SHA512
a93652bdfe8427292400bf88530193abfb98ecd04c7b4c9b270eb9140222b290108dcec21d799b261ad3ec3f309e05bc3f4832b635adda6ff4ddd78e0f145a1c

Download Submit
C:\Users\Public\run.exe
MD5
848b1ba08b8b8ef14ea675aabe5fca3b

SHA1
779594fbaa056b965a6f2bdeb236dd7d219b777d

SHA256
f39587daf3182dc632684a65c67081516371a602e4783c9a73292974952e0097

SHA512
a93652bdfe8427292400bf88530193abfb98ecd04c7b4c9b270eb9140222b290108dcec21d799b261ad3ec3f309e05bc3f4832b635adda6ff4ddd78e0f145a1c

Download Submit
C:\Users\Public\run2.exe
MD5
26f150c36d61887868aeb35388c27e28

SHA1
0ea0fc500f236e979b3f030d118f4fb998b67f76

SHA256
07c45a329f4ea2cfe7671123eb2aed8f48a8e1643c5a913fc51c18f01ca9945f

SHA512
b3dc9b6563b9b729df9cd51362740357d9837b88f1b11bbddce4bde1aeab3e8a153472ba5a61e86df318deff4d4ccb8ab696ee79885e7204420692ce88c0795b

Download Submit
C:\Users\Public\run2.exe
MD5
26f150c36d61887868aeb35388c27e28

SHA1
0ea0fc500f236e979b3f030d118f4fb998b67f76

SHA256
07c45a329f4ea2cfe7671123eb2aed8f48a8e1643c5a913fc51c18f01ca9945f

SHA512
b3dc9b6563b9b729df9cd51362740357d9837b88f1b11bbddce4bde1aeab3e8a153472ba5a61e86df318deff4d4ccb8ab696ee79885e7204420692ce88c0795b

Download Submit
\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
MD5
26f150c36d61887868aeb35388c27e28

SHA1
0ea0fc500f236e979b3f030d118f4fb998b67f76

SHA256
07c45a329f4ea2cfe7671123eb2aed8f48a8e1643c5a913fc51c18f01ca9945f

SHA512
b3dc9b6563b9b729df9cd51362740357d9837b88f1b11bbddce4bde1aeab3e8a153472ba5a61e86df318deff4d4ccb8ab696ee79885e7204420692ce88c0795b

Download Submit
\Users\Public\run.exe
MD5
848b1ba08b8b8ef14ea675aabe5fca3b

SHA1
779594fbaa056b965a6f2bdeb236dd7d219b777d

SHA256
f39587daf3182dc632684a65c67081516371a602e4783c9a73292974952e0097

SHA512
a93652bdfe8427292400bf88530193abfb98ecd04c7b4c9b270eb9140222b290108dcec21d799b261ad3ec3f309e05bc3f4832b635adda6ff4ddd78e0f145a1c

Download Submit
\Users\Public\run2.exe
MD5
26f150c36d61887868aeb35388c27e28

SHA1
0ea0fc500f236e979b3f030d118f4fb998b67f76

SHA256
07c45a329f4ea2cfe7671123eb2aed8f48a8e1643c5a913fc51c18f01ca9945f

SHA512
b3dc9b6563b9b729df9cd51362740357d9837b88f1b11bbddce4bde1aeab3e8a153472ba5a61e86df318deff4d4ccb8ab696ee79885e7204420692ce88c0795b

Download Submit
memory/572-96-0x0000000000890000-0x0000000000892000-memory.dmp

Filesize
8KB

Download
memory/572-94-0x000000013FA30000-0x000000013FA31000-memory.dmp

Filesize
4KB

Download
memory/572-92-0x0000000000000000-mapping.dmp

Download
memory/1052-91-0x0000000000000000-mapping.dmp

Download
memory/1120-63-0x0000000000000000-mapping.dmp

Download
memory/1120-73-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/1120-69-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1120-75-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/1156-90-0x0000000000000000-mapping.dmp

Download
memory/1184-84-0x0000000000000000-mapping.dmp

Download
memory/1184-86-0x000000013FC40000-0x000000013FC41000-memory.dmp

Filesize
4KB

Download
memory/1516-71-0x000000013F680000-0x000000013F681000-memory.dmp

Filesize
4KB

Download
memory/1516-67-0x0000000000000000-mapping.dmp

Download
memory/1620-82-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1620-77-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1620-78-0x000000000044003F-mapping.dmp

Download
memory/1980-88-0x0000000000000000-mapping.dmp

Download
memory/2040-61-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/2040-60-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download