Analysis
Max time kernel: 143s
Max time network: 151s
Platform: windows10_x64
Resource: win10-en
Submitted: 02-09-2021 10:21

Static task: static1
Behavioral task: behavioral1
  Sample: 198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe
  Resource: win7-en
Behavioral task: behavioral2
  Sample: 198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe
  Resource: win10-en

The platform and resource fields above identify the run shown on this page: the signatures, process tree and dumps below are from behavioral2 (win10-en, windows10_x64).
General
Target: 198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe
Size: 3.9MB
MD5: 1172133c5174fcc69b7376efe3cdf91d
SHA1: 7492a278541a7161eb4deb3829deb9bccffe91a7
SHA256: 198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8
SHA512: 41315d272ac32c052944860ba97e966a8e0a7aad4e17a9c1ba6ae5e8ee2fc522c5f5187665541e1858be0c4bc8f71d9940c6623f190cc46e5445abb723ed3404
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  192.exe (PID 3852) set value (str):
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
    = C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\Program Files\7-Zip\Zip.exe
  The stock value holds C:\Windows\system32\userinit.exe, alone. Appending a second path makes winlogon.exe launch Zip.exe at every interactive logon, independently of the Run key below and of the Startup folder. This key is under HKLM and is writable only by administrators, so the sample was running elevated when it set it.
Executes dropped EXE (4 IoCs)
  PID 5064  YahooD.exe
  PID 5112  Y!Disruption.exe
  PID 3852  192.exe
  PID 4260  Zip.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  192.exe (PID 3852) queried key value:
    \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation
  This is the HKCU hive of the sandbox user; Geo\Nation holds the numeric GeoID of the configured location, which is what a sample reads to decide whether to run in a given country.
Adds Run key to start application (2 TTPs, 1 IoC)
  192.exe (PID 3852) set value (str):
    \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\7zip
    = C:\Users\Admin\AppData\Roaming\Program Files\7-Zip\Zip.exe
  The value name and the "Program Files\7-Zip" directory imitate a 7-Zip installation, but the path is rooted in the user's roaming AppData, where no installer puts 7-Zip and where any user-level process can write. Zip.exe carries exactly the same hashes as 192.exe (see Downloads), so this is the sample copying itself under a plausible name and registering the copy.
Suspicious use of SetThreadContext (1 IoC)
  Zip.exe (PID 4260) set the thread context of PID 3268 (iexplore.exe).
  Together with the five WriteProcessMemory calls from 4260 into 3268 listed below, and the 780 KB image-sized region later dumped from 3268 at 0x400000, this is consistent with process hollowing: the parent starts a legitimate iexplore.exe, writes its own image into it and redirects the main thread to the new entry point, so the payload then runs under the Internet Explorer image name.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but no process is attributed to it here and nothing else in this report shows encryption activity, so on this evidence it is drive enumeration only.
Modifies registry class (1 IoC)
  192.exe (PID 3852) created key:
    \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
  The WOW6432Node path means the write came from a 32-bit process on 64-bit Windows, which matches the SysWOW64 cmd.exe/attrib.exe children and the Program Files (x86) iexplore.exe in the process tree.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3268  iexplore.exe (the instance spawned by Zip.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  192.exe (PID 3852) and Zip.exe (PID 4260) each enabled, in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35 and 36 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege, which the report shows only by number).
  iexplore.exe (PID 3268) enabled the same sequence from SeIncreaseQuotaPrivilege through SeRemoteShutdownPrivilege. The table is capped at 64 rows (24 + 24 + 16), so its list is cut off there rather than ending there.
  Walking the whole privilege set in LUID order is what an "enable every privilege in the token" loop produces. That the iexplore.exe instance does it too is further evidence that it is executing the sample's code rather than Internet Explorer's.
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 5112  Y!Disruption.exe (2 hooks)
  PID 3268  iexplore.exe (1 hook)
Suspicious use of WriteProcessMemory (28 IoCs)
  4476  198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe -> 5064  YahooD.exe        (2 writes)
  4476  198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe -> 5112  Y!Disruption.exe  (3 writes)
  5064  YahooD.exe -> 3852  192.exe        (3 writes)
  3852  192.exe    -> 3992  cmd.exe        (3 writes)
  3852  192.exe    -> 1928  cmd.exe        (3 writes)
  3992  cmd.exe    -> 4300  attrib.exe     (3 writes)
  1928  cmd.exe    -> 4276  attrib.exe     (3 writes)
  3852  192.exe    -> 4260  Zip.exe        (3 writes)
  4260  Zip.exe    -> 3268  iexplore.exe   (5 writes)
  Every pair is parent to child. The two or three writes into each freshly created child match the ordinary writes a parent makes while setting up a new process (cmd.exe writing into its attrib.exe child is plainly not an injection). The pair to act on is Zip.exe -> iexplore.exe: more writes than any other, and the only one paired with a SetThreadContext call.
Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 4300  attrib.exe
  PID 4276  attrib.exe
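The two persistence entries above (the Winlogon UserInit append and the Run key) and the dropped-file hashes listed under Downloads can be checked mechanically. The Python below is an added example, not part of the sandbox report or of the sample: it takes registry values in the form the report prints them and raises the same two flags a triage analyst would, a UserInit value with anything beyond the stock userinit.exe, and an autorun target that sits in a user-writable directory while imitating a Program Files install. It also matches the autorun binary to any dropped file with the same SHA256. The registry values and hashes are transcribed from this report; the function names, the user-writable marker list and the genuine Program Files roots are the example's own assumptions.

```python
from typing import Dict, List

# Values transcribed from this report's signature and Downloads sections (constructed
# input, not live registry reads), so the example runs offline on any platform.
USERINIT_VALUE = (r"C:\Windows\system32\userinit.exe,"
                  r"C:\Users\Admin\AppData\Roaming\Program Files\7-Zip\Zip.exe")
RUN_KEYS = {"7zip": r"C:\Users\Admin\AppData\Roaming\Program Files\7-Zip\Zip.exe"}
DROPPED_SHA256 = {
    r"C:\Users\Admin\AppData\Local\Temp\192.exe":
        "3ae9046697489f5359a7b5e01f2edc1bdaa7ba428c995e2aca33c0c4943d0c32",
    r"C:\Users\Admin\AppData\Local\Temp\YahooD.exe":
        "d8d52d1a8ae209b1ae09281e2eacf4a0f2c9fb0625220897eca41b4d26adabf0",
    r"C:\Users\Admin\AppData\Local\Temp\Y!Disruption.exe":
        "b7502d34e6f0fb5adf94e52b1b3054a8ecef9008fec02419219891a7677fffea",
    r"C:\Users\Admin\AppData\Roaming\Program Files\7-Zip\Zip.exe":
        "3ae9046697489f5359a7b5e01f2edc1bdaa7ba428c995e2aca33c0c4943d0c32",
}

# The only entry a stock Winlogon\Userinit value holds (a trailing comma is normal).
STOCK_USERINIT = "c:\\windows\\system32\\userinit.exe"
# Assumed for the example: directory markers any user can write to, and the only
# genuine Program Files roots; a "Program Files" component anywhere else is masquerading.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
REAL_PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def _norm(path: str) -> str:
    """Lower-case, unquoted path so report text and registry data compare equal."""
    return path.strip().strip('"').lower()


def check_userinit(value: str) -> List[str]:
    """Return every Userinit entry other than the stock userinit.exe (should be empty)."""
    entries = [_norm(p) for p in value.split(",")]
    return [p for p in entries if p and p != STOCK_USERINIT]


def check_autorun_path(path: str) -> List[str]:
    """Flags for an autorun target: lives in a user-writable dir, fakes a Program Files path."""
    p = _norm(path)
    flags = []
    if any(m in p for m in USER_WRITABLE_MARKERS):
        flags.append("user-writable-location")
    if "\\program files" in p and not p.startswith(REAL_PROGRAM_FILES):
        flags.append("fake-program-files")
    return flags


def triage_persistence(userinit: str, run_keys: Dict[str, str],
                       dropped: Dict[str, str]) -> List[dict]:
    """One finding per suspicious autorun entry, linked to the dropped file(s) it duplicates."""
    sha_by_path = {_norm(k): v for k, v in dropped.items()}
    entries = [("Winlogon\\Userinit", p) for p in check_userinit(userinit)]
    entries += [("Run\\" + name, _norm(v)) for name, v in run_keys.items()]
    findings = []
    for source, path in entries:
        sha = sha_by_path.get(path)
        # Other dropped files with the same hash: the autorun binary is a renamed copy of them.
        copies = sorted(k for k, v in sha_by_path.items() if sha and v == sha and k != path)
        findings.append({"source": source, "path": path, "flags": check_autorun_path(path),
                         "sha256": sha, "copy_of": copies})
    return findings


if __name__ == "__main__":
    for f in triage_persistence(USERINIT_VALUE, RUN_KEYS, DROPPED_SHA256):
        print(f"{f['source']}: {f['path']}")
        print(f"  flags={f['flags']} sha256={f['sha256']} copy_of={f['copy_of']}")
```

Run against this report's values, both entries come back flagged as user-writable and fake-program-files, and both resolve to the hash of 192.exe. On a live host the same functions take the output of a registry query instead of the transcribed constants; the path heuristics are deliberately simple and will miss an autorun placed directly under a genuine Program Files directory by an elevated dropper.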
Processes
C:\Users\Admin\AppData\Local\Temp\198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe (PID 4476)
  command line: "C:\Users\Admin\AppData\Local\Temp\198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\YahooD.exe (PID 5064)
    command line: "C:\Users\Admin\AppData\Local\Temp\YahooD.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\192.exe (PID 3852)
      command line: C:\Users\Admin\AppData\Local\Temp\192.exe
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 3992)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\attrib.exe (PID 4300)
          command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Views/modifies file attributes
      C:\Windows\SysWOW64\cmd.exe (PID 1928)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\attrib.exe (PID 4276)
          command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Views/modifies file attributes
      C:\Users\Admin\AppData\Roaming\Program Files\7-Zip\Zip.exe (PID 4260)
        command line: "C:\Users\Admin\AppData\Roaming\Program Files\7-Zip\Zip.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 3268)
          command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\Y!Disruption.exe (PID 5112)
    command line: "C:\Users\Admin\AppData\Local\Temp\Y!Disruption.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

Notes on the tree:
- Indentation follows the report's depth markers (1 to 5). PIDs are taken from the signature tables; the two identical cmd.exe/attrib.exe branches are assigned in the order the WriteProcessMemory events list them (3992/4300 first, 1928/4276 second).
- 192.exe requests C:\Windows\system32\cmd.exe but C:\Windows\SysWOW64\cmd.exe runs: the WOW64 file-system redirector maps system32 to SysWOW64 for 32-bit callers, so everything from 192.exe downward is 32-bit code.
- tmpcmd.bat is launched twice and its only visible effect is attrib +s +h on the user's Temp directory, which hides the dropped files from Explorer's default view. System+hidden attributes on %TEMP% are a cheap, durable indicator on a live host.
- iexplore.exe is started with no URL, and its own signatures (token manipulation, a window hook, foreground-window polling) are not browser behaviour. Read it with the SetThreadContext and WriteProcessMemory evidence above: Zip.exe appears to have hollowed it and the payload is running under its name.
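The chain above is easier to reason about as events than as a tree. The Python below is an added example, not anything from the report or the sample: it rebuilds the parent/child tree from the WriteProcessMemory and SetThreadContext records the report lists and applies the usual hollowing test, a parent that both writes into a child's memory and resets one of the child's threads, where the parent runs from a user-writable path and the child is a system image. The process list and event tuples are transcribed from this report; the record format, the "first writer is the creator" rule used to derive parentage, and the SYSTEM_ROOTS and USER_WRITABLE lists are the example's own assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    image: str


# Process list transcribed from the tree above; PIDs come from the signature tables.
PROCS: Dict[int, Proc] = {p.pid: p for p in [
    Proc(4476, r"C:\Users\Admin\AppData\Local\Temp\198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe"),
    Proc(5064, r"C:\Users\Admin\AppData\Local\Temp\YahooD.exe"),
    Proc(5112, r"C:\Users\Admin\AppData\Local\Temp\Y!Disruption.exe"),
    Proc(3852, r"C:\Users\Admin\AppData\Local\Temp\192.exe"),
    Proc(3992, r"C:\Windows\SysWOW64\cmd.exe"),
    Proc(1928, r"C:\Windows\SysWOW64\cmd.exe"),
    Proc(4300, r"C:\Windows\SysWOW64\attrib.exe"),
    Proc(4276, r"C:\Windows\SysWOW64\attrib.exe"),
    Proc(4260, r"C:\Users\Admin\AppData\Roaming\Program Files\7-Zip\Zip.exe"),
    Proc(3268, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"),
]}

# (api, source pid, target pid) in the order the report lists them; the counts reproduce
# the 28 WriteProcessMemory and 1 SetThreadContext IoCs (constructed input).
EVENTS: List[Tuple[str, int, int]] = (
    [("WriteProcessMemory", 4476, 5064)] * 2
    + [("WriteProcessMemory", 4476, 5112)] * 3
    + [("WriteProcessMemory", 5064, 3852)] * 3
    + [("WriteProcessMemory", 3852, 3992)] * 3
    + [("WriteProcessMemory", 3852, 1928)] * 3
    + [("WriteProcessMemory", 3992, 4300)] * 3
    + [("WriteProcessMemory", 1928, 4276)] * 3
    + [("WriteProcessMemory", 3852, 4260)] * 3
    + [("WriteProcessMemory", 4260, 3268)] * 5
    + [("SetThreadContext", 4260, 3268)]
)

# Assumed for the example: where legitimate system binaries live, and where anyone can write.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def build_tree(events):
    """parent_of and children maps. Assumption: the first process that writes into a
    PID is its creator (true for this report, where every write is parent to child)."""
    parent_of: Dict[int, int] = {}
    for api, src, dst in events:
        if api == "WriteProcessMemory" and src != dst and dst not in parent_of:
            parent_of[dst] = src
    children: Dict[int, List[int]] = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    return parent_of, children


def hollowing_candidates(events, procs):
    """Pairs where one process both writes into another and resets a thread context there."""
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    ctx: Dict[Tuple[int, int], int] = defaultdict(int)
    for api, src, dst in events:
        if src == dst:
            continue
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx[(src, dst)] += 1
    out = []
    for (src, dst), n_ctx in sorted(ctx.items()):
        if writes[(src, dst)] == 0:
            continue  # a context reset with no prior write is not the hollowing pattern
        s_img, d_img = procs[src].image.lower(), procs[dst].image.lower()
        out.append({
            "injector": src, "target": dst,
            "writes": writes[(src, dst)], "thread_context_sets": n_ctx,
            # the tell-tale shape: code from a user-writable path driving a system image
            "injector_user_writable": any(m in s_img for m in USER_WRITABLE),
            "target_system_image": d_img.startswith(SYSTEM_ROOTS),
        })
    return out


def render_tree(procs, children, root, depth=0):
    """Indented text tree, children in creation order."""
    lines = [f"{'  ' * depth}{procs[root].image} (PID {root})"]
    for c in children.get(root, []):
        lines.extend(render_tree(procs, children, c, depth + 1))
    return lines


if __name__ == "__main__":
    _, kids = build_tree(EVENTS)
    print("\n".join(render_tree(PROCS, kids, 4476)))
    for c in hollowing_candidates(EVENTS, PROCS):
        print(f"hollowing candidate: {c}")
```

On this report's events the tree comes out with the same ten processes and nesting as above, and exactly one candidate is reported: Zip.exe (4260) into iexplore.exe (3268), five writes plus one thread-context reset, injector in AppData, target under Program Files (x86). The plain parent-to-child writes (for example cmd.exe into attrib.exe) never reach the output because no SetThreadContext accompanies them, which is what keeps this rule quiet on ordinary process creation.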
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\192.exe
  MD5:    1fd8280bcea9dad2648bd791eaf7c6c2
  SHA1:   db71d7e856b0b18ca46ca9542f7aae5faaf2ab42
  SHA256: 3ae9046697489f5359a7b5e01f2edc1bdaa7ba428c995e2aca33c0c4943d0c32
  SHA512: bebce9cd7e7f1c6789abfd8cfd2510276a25550da6bd713f3fa4aa9e2c8378d8856476891608a3abb024fb3735cd381b6b99b621bae8a26fc3b28690a7fa2503
C:\Users\Admin\AppData\Local\Temp\Y!Disruption.exe
  MD5:    b36656b020dc4650336938ee68584478
  SHA1:   e41ba229c62e47b7a202ceba28d707e37ce5420d
  SHA256: b7502d34e6f0fb5adf94e52b1b3054a8ecef9008fec02419219891a7677fffea
  SHA512: 6915577524aa980f45ec2bc1d5b52fa9b31ae6e63ebf403b6b900a2ca53cb741a2a43b7871a373de49e4d75bf75548a94caff18c4177aea4795dc1a0cd95ca3b
C:\Users\Admin\AppData\Local\Temp\YahooD.exe
  MD5:    3e07cdbbaef9e033dc30a360a7896403
  SHA1:   5beee4f051cf330e8f024eb2be3645630a7133f4
  SHA256: d8d52d1a8ae209b1ae09281e2eacf4a0f2c9fb0625220897eca41b4d26adabf0
  SHA512: dd8025bc22b646757b046d83c339849ce1949f9af06720e6016278050445bc379dc57e0bbfb57ffef05152f61446c0df2574098712c13ef609d0f298929fdf0d
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
  MD5:    b774ae3fb1da087e1f83b4f7b2060e5a
  SHA1:   97eb9be49ac3af9c851c9e1e84e32bfd53e325a8
  SHA256: adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
  SHA512: f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701
C:\Users\Admin\AppData\Roaming\Program Files\7-Zip\Zip.exe
  MD5:    1fd8280bcea9dad2648bd791eaf7c6c2
  SHA1:   db71d7e856b0b18ca46ca9542f7aae5faaf2ab42
  SHA256: 3ae9046697489f5359a7b5e01f2edc1bdaa7ba428c995e2aca33c0c4943d0c32
  SHA512: bebce9cd7e7f1c6789abfd8cfd2510276a25550da6bd713f3fa4aa9e2c8378d8856476891608a3abb024fb3735cd381b6b99b621bae8a26fc3b28690a7fa2503
  All four hashes are identical to those of 192.exe: Zip.exe is a byte-for-byte copy that 192.exe placed under the fake 7-Zip directory before registering it in Winlogon\UserInit and the Run key. The three distinct payloads dropped by the sample are therefore 192.exe, YahooD.exe and Y!Disruption.exe, plus the tmpcmd.bat helper.
Memory dumps (name = PID-sequence-address range), in capture order:
memory/4476-115-0x0000000001350000-0x0000000001352000-memory.dmp   8KB
memory/5064-116-0x0000000000000000-mapping.dmp
memory/5112-118-0x0000000000000000-mapping.dmp
memory/3852-122-0x0000000000000000-mapping.dmp
memory/5064-128-0x00000000025B0000-0x00000000025B2000-memory.dmp   8KB
memory/3852-129-0x0000000002380000-0x0000000002381000-memory.dmp   4KB
memory/3992-130-0x0000000000000000-mapping.dmp
memory/1928-131-0x0000000000000000-mapping.dmp
memory/4300-133-0x0000000000000000-mapping.dmp
memory/4276-134-0x0000000000000000-mapping.dmp
memory/4260-135-0x0000000000000000-mapping.dmp
memory/3268-138-0x0000000000400000-0x00000000004C3000-memory.dmp   780KB
memory/3268-139-0x000000000049F92C-mapping.dmp
memory/4260-142-0x0000000000540000-0x00000000005EE000-memory.dmp   696KB

The two dumps from PID 3268 are the ones to pull for static analysis. 0x400000 is the linker's default image base for a 32-bit executable, and an ASLR-enabled Microsoft binary such as iexplore.exe would not normally carry an image-sized 780 KB region there; the mapping address 0x49F92C falls inside that region. Both facts fit the Zip.exe -> iexplore.exe WriteProcessMemory and SetThreadContext evidence above, so the 138 dump is the best candidate for the injected image, with 0x49F92C as its likely entry point.