54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3

Analysis

max time kernel
33s
max time network
20s
platform
windows7_x64
resource
win7v20210410
submitted
13-08-2021 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2AD561E9BB9F780F56D5E7A280574432.exe
Size

375KB
MD5

2ad561e9bb9f780f56d5e7a280574432
SHA1

e6bc833d62ef0ec1e08674a0a8707e3ce2f09007
SHA256

54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3
SHA512

8b74c1f6df444ce101102e3b036e2f77c9e0b1ebb085db2de8e45905ab10b47c845040548901632c130c4db6b4403a5905d864c461cb9bed6cd5fe49fc0ce064

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\putty.exe\","	2AD561E9BB9F780F56D5E7A280574432.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
1980	powershell.exe
1980	powershell.exe
1488	powershell.exe
1488	powershell.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
2004	2AD561E9BB9F780F56D5E7A280574432.exe
1156	powershell.exe
1156	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeIncreaseQuotaPrivilege	1980	powershell.exe
Token: SeSecurityPrivilege	1980	powershell.exe
Token: SeTakeOwnershipPrivilege	1980	powershell.exe
Token: SeLoadDriverPrivilege	1980	powershell.exe
Token: SeSystemProfilePrivilege	1980	powershell.exe
Token: SeSystemtimePrivilege	1980	powershell.exe
Token: SeProfSingleProcessPrivilege	1980	powershell.exe
Token: SeIncBasePriorityPrivilege	1980	powershell.exe
Token: SeCreatePagefilePrivilege	1980	powershell.exe
Token: SeBackupPrivilege	1980	powershell.exe
Token: SeRestorePrivilege	1980	powershell.exe
Token: SeShutdownPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeSystemEnvironmentPrivilege	1980	powershell.exe
Token: SeRemoteShutdownPrivilege	1980	powershell.exe
Token: SeUndockPrivilege	1980	powershell.exe
Token: SeManageVolumePrivilege	1980	powershell.exe
Token: 33	1980	powershell.exe
Token: 34	1980	powershell.exe
Token: 35	1980	powershell.exe
Token: SeIncreaseQuotaPrivilege	1980	powershell.exe
Token: SeSecurityPrivilege	1980	powershell.exe
Token: SeTakeOwnershipPrivilege	1980	powershell.exe
Token: SeLoadDriverPrivilege	1980	powershell.exe
Token: SeSystemProfilePrivilege	1980	powershell.exe
Token: SeSystemtimePrivilege	1980	powershell.exe
Token: SeProfSingleProcessPrivilege	1980	powershell.exe
Token: SeIncBasePriorityPrivilege	1980	powershell.exe
Token: SeCreatePagefilePrivilege	1980	powershell.exe
Token: SeBackupPrivilege	1980	powershell.exe
Token: SeRestorePrivilege	1980	powershell.exe
Token: SeShutdownPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeSystemEnvironmentPrivilege	1980	powershell.exe
Token: SeRemoteShutdownPrivilege	1980	powershell.exe
Token: SeUndockPrivilege	1980	powershell.exe
Token: SeManageVolumePrivilege	1980	powershell.exe
Token: 33	1980	powershell.exe
Token: 34	1980	powershell.exe
Token: 35	1980	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeIncreaseQuotaPrivilege	1488	powershell.exe
Token: SeSecurityPrivilege	1488	powershell.exe
Token: SeTakeOwnershipPrivilege	1488	powershell.exe
Token: SeLoadDriverPrivilege	1488	powershell.exe
Token: SeSystemProfilePrivilege	1488	powershell.exe
Token: SeSystemtimePrivilege	1488	powershell.exe
Token: SeProfSingleProcessPrivilege	1488	powershell.exe
Token: SeIncBasePriorityPrivilege	1488	powershell.exe
Token: SeCreatePagefilePrivilege	1488	powershell.exe
Token: SeBackupPrivilege	1488	powershell.exe
Token: SeRestorePrivilege	1488	powershell.exe
Token: SeShutdownPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeSystemEnvironmentPrivilege	1488	powershell.exe
Token: SeRemoteShutdownPrivilege	1488	powershell.exe
Token: SeUndockPrivilege	1488	powershell.exe
Token: SeManageVolumePrivilege	1488	powershell.exe
Token: 33	1488	powershell.exe
Token: 34	1488	powershell.exe
Token: 35	1488	powershell.exe
Token: SeIncreaseQuotaPrivilege	1488	powershell.exe
Token: SeSecurityPrivilege	1488	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1980	2004	2AD561E9BB9F780F56D5E7A280574432.exe	26
PID 2004 wrote to memory of 1980	2004	2AD561E9BB9F780F56D5E7A280574432.exe	26
PID 2004 wrote to memory of 1980	2004	2AD561E9BB9F780F56D5E7A280574432.exe	26
PID 2004 wrote to memory of 1980	2004	2AD561E9BB9F780F56D5E7A280574432.exe	26
PID 2004 wrote to memory of 1488	2004	2AD561E9BB9F780F56D5E7A280574432.exe	32
PID 2004 wrote to memory of 1488	2004	2AD561E9BB9F780F56D5E7A280574432.exe	32
PID 2004 wrote to memory of 1488	2004	2AD561E9BB9F780F56D5E7A280574432.exe	32
PID 2004 wrote to memory of 1488	2004	2AD561E9BB9F780F56D5E7A280574432.exe	32
PID 2004 wrote to memory of 1700	2004	2AD561E9BB9F780F56D5E7A280574432.exe	34
PID 2004 wrote to memory of 1700	2004	2AD561E9BB9F780F56D5E7A280574432.exe	34
PID 2004 wrote to memory of 1700	2004	2AD561E9BB9F780F56D5E7A280574432.exe	34
PID 2004 wrote to memory of 1700	2004	2AD561E9BB9F780F56D5E7A280574432.exe	34
PID 2004 wrote to memory of 1728	2004	2AD561E9BB9F780F56D5E7A280574432.exe	35
PID 2004 wrote to memory of 1728	2004	2AD561E9BB9F780F56D5E7A280574432.exe	35
PID 2004 wrote to memory of 1728	2004	2AD561E9BB9F780F56D5E7A280574432.exe	35
PID 2004 wrote to memory of 1728	2004	2AD561E9BB9F780F56D5E7A280574432.exe	35
PID 2004 wrote to memory of 944	2004	2AD561E9BB9F780F56D5E7A280574432.exe	36
PID 2004 wrote to memory of 944	2004	2AD561E9BB9F780F56D5E7A280574432.exe	36
PID 2004 wrote to memory of 944	2004	2AD561E9BB9F780F56D5E7A280574432.exe	36
PID 2004 wrote to memory of 944	2004	2AD561E9BB9F780F56D5E7A280574432.exe	36
PID 2004 wrote to memory of 1316	2004	2AD561E9BB9F780F56D5E7A280574432.exe	37
PID 2004 wrote to memory of 1316	2004	2AD561E9BB9F780F56D5E7A280574432.exe	37
PID 2004 wrote to memory of 1316	2004	2AD561E9BB9F780F56D5E7A280574432.exe	37
PID 2004 wrote to memory of 1316	2004	2AD561E9BB9F780F56D5E7A280574432.exe	37
PID 2004 wrote to memory of 828	2004	2AD561E9BB9F780F56D5E7A280574432.exe	38
PID 2004 wrote to memory of 828	2004	2AD561E9BB9F780F56D5E7A280574432.exe	38
PID 2004 wrote to memory of 828	2004	2AD561E9BB9F780F56D5E7A280574432.exe	38
PID 2004 wrote to memory of 828	2004	2AD561E9BB9F780F56D5E7A280574432.exe	38
PID 2004 wrote to memory of 1800	2004	2AD561E9BB9F780F56D5E7A280574432.exe	39
PID 2004 wrote to memory of 1800	2004	2AD561E9BB9F780F56D5E7A280574432.exe	39
PID 2004 wrote to memory of 1800	2004	2AD561E9BB9F780F56D5E7A280574432.exe	39
PID 2004 wrote to memory of 1800	2004	2AD561E9BB9F780F56D5E7A280574432.exe	39
PID 2004 wrote to memory of 1748	2004	2AD561E9BB9F780F56D5E7A280574432.exe	40
PID 2004 wrote to memory of 1748	2004	2AD561E9BB9F780F56D5E7A280574432.exe	40
PID 2004 wrote to memory of 1748	2004	2AD561E9BB9F780F56D5E7A280574432.exe	40
PID 2004 wrote to memory of 1748	2004	2AD561E9BB9F780F56D5E7A280574432.exe	40
PID 2004 wrote to memory of 1768	2004	2AD561E9BB9F780F56D5E7A280574432.exe	41
PID 2004 wrote to memory of 1768	2004	2AD561E9BB9F780F56D5E7A280574432.exe	41
PID 2004 wrote to memory of 1768	2004	2AD561E9BB9F780F56D5E7A280574432.exe	41
PID 2004 wrote to memory of 1768	2004	2AD561E9BB9F780F56D5E7A280574432.exe	41
PID 2004 wrote to memory of 1724	2004	2AD561E9BB9F780F56D5E7A280574432.exe	42
PID 2004 wrote to memory of 1724	2004	2AD561E9BB9F780F56D5E7A280574432.exe	42
PID 2004 wrote to memory of 1724	2004	2AD561E9BB9F780F56D5E7A280574432.exe	42
PID 2004 wrote to memory of 1724	2004	2AD561E9BB9F780F56D5E7A280574432.exe	42
PID 2004 wrote to memory of 1896	2004	2AD561E9BB9F780F56D5E7A280574432.exe	43
PID 2004 wrote to memory of 1896	2004	2AD561E9BB9F780F56D5E7A280574432.exe	43
PID 2004 wrote to memory of 1896	2004	2AD561E9BB9F780F56D5E7A280574432.exe	43
PID 2004 wrote to memory of 1896	2004	2AD561E9BB9F780F56D5E7A280574432.exe	43
PID 2004 wrote to memory of 1884	2004	2AD561E9BB9F780F56D5E7A280574432.exe	44
PID 2004 wrote to memory of 1884	2004	2AD561E9BB9F780F56D5E7A280574432.exe	44
PID 2004 wrote to memory of 1884	2004	2AD561E9BB9F780F56D5E7A280574432.exe	44
PID 2004 wrote to memory of 1884	2004	2AD561E9BB9F780F56D5E7A280574432.exe	44
PID 1700 wrote to memory of 1156	1700	WScript.exe	45
PID 1700 wrote to memory of 1156	1700	WScript.exe	45
PID 1700 wrote to memory of 1156	1700	WScript.exe	45
PID 1700 wrote to memory of 1156	1700	WScript.exe	45

C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
"C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ikjuwwswk.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\putty.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1156
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:944
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1316
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:828
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1156-138-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/1156-117-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1156-139-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/1156-116-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1156-119-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1156-130-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1156-125-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/1156-122-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/1156-121-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/1156-120-0x0000000004912000-0x0000000004913000-memory.dmp

Filesize
4KB

Download
memory/1156-118-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/1488-107-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/1488-95-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/1488-96-0x00000000048F2000-0x00000000048F3000-memory.dmp

Filesize
4KB

Download
memory/1488-94-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/1488-93-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1488-92-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1488-104-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1488-91-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1980-72-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/1980-86-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1980-87-0x0000000006640000-0x0000000006641000-memory.dmp

Filesize
4KB

Download
memory/1980-69-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1980-85-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1980-78-0x0000000006180000-0x0000000006181000-memory.dmp

Filesize
4KB

Download
memory/1980-68-0x0000000002070000-0x0000000002CBA000-memory.dmp

Filesize
12.3MB

Download
memory/1980-64-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/1980-65-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1980-77-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1980-67-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1980-66-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/2004-109-0x0000000004F20000-0x0000000004F95000-memory.dmp

Filesize
468KB

Download
memory/2004-60-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2004-108-0x0000000001F80000-0x0000000001FC6000-memory.dmp

Filesize
280KB

Download
memory/2004-62-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download