Overview

overview

10

Static

static

10

Fri191454c4b4.exe

windows7_x64

8

Fri191454c4b4.exe

windows10_x64

8

Fri1921f7a9d3.exe

windows7_x64

10

Fri1921f7a9d3.exe

windows10_x64

10

Fri192902b3c24.exe

windows7_x64

10

Fri192902b3c24.exe

windows10_x64

10

Fri192b9eeaa03b.exe

windows7_x64

10

Fri192b9eeaa03b.exe

windows10_x64

10

Fri192c305b4a.exe

windows7_x64

10

Fri192c305b4a.exe

windows10_x64

10

Fri192f077...dd.exe

windows7_x64

10

Fri192f077...dd.exe

windows10_x64

10

Fri195cd4d...97.exe

windows7_x64

10

Fri195cd4d...97.exe

windows10_x64

10

Fri19870e2...44.exe

windows7_x64

10

Fri19870e2...44.exe

windows10_x64

10

Fri19927b4...d1.exe

windows7_x64

10

Fri19927b4...d1.exe

windows10_x64

10

Fri19ca03f05489b.exe

windows7_x64

6

Fri19ca03f05489b.exe

windows10_x64

6

Fri19d30056588.exe

windows7_x64

10

Fri19d30056588.exe

windows10_x64

10

libcurl.dll

windows7_x64

3

libcurl.dll

windows10_x64

3

libcurlpp.dll

windows7_x64

libcurlpp.dll

windows10_x64

3

libgcc_s_dw2-1.dll

windows7_x64

libgcc_s_dw2-1.dll

windows10_x64

3

libstdc++-6.dll

windows7_x64

3

libstdc++-6.dll

windows10_x64

3

libwinpthread-1.dll

windows7_x64

1

libwinpthread-1.dll

windows10_x64

1

Analysis

  • max time kernel
    170s
  • max time network
    175s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    10-09-2021 21:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fri1921f7a9d3.exe

  • Size

    99KB

  • MD5

    a1c7ed2563212e0aba70af8a654962fd

  • SHA1

    987e944110921327adaba51d557dbf20dee886d5

  • SHA256

    a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592

  • SHA512

    60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 18 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of UnmapMainImage
    PID:2304
    • C:\Users\Admin\AppData\Local\Temp\Fri1921f7a9d3.exe
      "C:\Users\Admin\AppData\Local\Temp\Fri1921f7a9d3.exe"
      2⤵
        PID:4068
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Browser
      1⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:1204
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s WpnService
      1⤵
        PID:2580
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2552
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
        1⤵
          PID:2340
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
          1⤵
            PID:2316
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:1784
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s SENS
            1⤵
              PID:1392
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s UserManager
              1⤵
                PID:1256
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s Themes
                1⤵
                  PID:1192
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                  1⤵
                    PID:1064
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                    1⤵
                      PID:988
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                      1⤵
                        PID:68
                      • C:\Windows\system32\rundll32.exe
                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                        1⤵
                        • Process spawned unexpected child process
                        • Suspicious use of WriteProcessMemory
                        PID:2572
                        • C:\Windows\SysWOW64\rundll32.exe
                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                          2⤵
                          • Loads dropped DLL
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2856

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Persistence

                      Privilege Escalation

                      Defense Evasion

                      Credential Access

                      Discovery

                      System Information Discovery

                      2
                      T1082

                      Query Registry

                      1
                      T1012

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
                        MD5

                        6e9ed92baacc787e1b961f9bc928a4d8

                        SHA1

                        4d53985b183d83e118c7832a6c11c271bb7c7618

                        SHA256

                        7b806eaf11f226592d49725c85fc1acc066706492830fbb1900e3bbb0a778d22

                        SHA512

                        a9747ed7ce0371841116ddd6c1abc020edd9092c4cd84bc36e8fe7c71d4bd71267a05319351e05319c21731038be76718e338c4e28cafcc532558b742400e53d

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
                        MD5

                        14ef50a8355a8ddbffbd19aff9936836

                        SHA1

                        7c44952baa2433c554228dbd50613d7bf347ada5

                        SHA256

                        fde50eea631c01d46cbb95b6f4c2a7c834ce77184552f788242c5811ed76b8f9

                        SHA512

                        ccddf7b0610bcae4395a6aae7c32d03f23a40328b68d9f0246361e1af0d401ee444f178310910d15e7dbd3706a89ae4e5b7adbd972e1f50cd5a77515612f76dc

                        Download Submit
                      • \Users\Admin\AppData\Local\Temp\sqlite.dll
                        MD5

                        14ef50a8355a8ddbffbd19aff9936836

                        SHA1

                        7c44952baa2433c554228dbd50613d7bf347ada5

                        SHA256

                        fde50eea631c01d46cbb95b6f4c2a7c834ce77184552f788242c5811ed76b8f9

                        SHA512

                        ccddf7b0610bcae4395a6aae7c32d03f23a40328b68d9f0246361e1af0d401ee444f178310910d15e7dbd3706a89ae4e5b7adbd972e1f50cd5a77515612f76dc

                        Download Submit
                      • memory/68-153-0x000001EBE6D40000-0x000001EBE6DB4000-memory.dmp
                        Filesize

                        464KB

                        Download
                      • memory/988-158-0x000001BB51500000-0x000001BB51574000-memory.dmp
                        Filesize

                        464KB

                        Download
                      • memory/1064-157-0x0000019A16800000-0x0000019A16874000-memory.dmp
                        Filesize

                        464KB

                        Download
                      • memory/1192-161-0x0000027006070000-0x00000270060E4000-memory.dmp
                        Filesize

                        464KB

                        Download
                      • memory/1204-126-0x00007FF73D7C4060-mapping.dmp
                        Download
                      • memory/1204-168-0x0000026920400000-0x0000026920506000-memory.dmp
                        Filesize

                        1.0MB

                        Download
                      • memory/1204-167-0x000002691DB90000-0x000002691DBAB000-memory.dmp
                        Filesize

                        108KB

                        Download
                      • memory/1204-154-0x000002691DA90000-0x000002691DB04000-memory.dmp
                        Filesize

                        464KB

                        Download
                      • memory/1256-162-0x0000021AEA800000-0x0000021AEA874000-memory.dmp
                        Filesize

                        464KB

                        Download
                      • memory/1256-146-0x0000021AE9DA0000-0x0000021AE9DA2000-memory.dmp
                        Filesize

                        8KB

                        Download
                      • memory/1392-159-0x0000021926D60000-0x0000021926DD4000-memory.dmp
                        Filesize

                        464KB

                        Download
                      • memory/1784-160-0x000001E35FED0000-0x000001E35FF44000-memory.dmp
                        Filesize

                        464KB

                        Download
                      • memory/2316-155-0x00000233C2E40000-0x00000233C2EB4000-memory.dmp
                        Filesize

                        464KB

                        Download
                      • memory/2340-156-0x0000020954DD0000-0x0000020954E44000-memory.dmp
                        Filesize

                        464KB

                        Download
                      • memory/2552-163-0x000001B265A20000-0x000001B265A94000-memory.dmp
                        Filesize

                        464KB

                        Download
                      • memory/2580-164-0x0000029250470000-0x00000292504E4000-memory.dmp
                        Filesize

                        464KB

                        Download
                      • memory/2612-152-0x000002C20A980000-0x000002C20A9F4000-memory.dmp
                        Filesize

                        464KB

                        Download
                      • memory/2612-151-0x000002C20A690000-0x000002C20A6DD000-memory.dmp
                        Filesize

                        308KB

                        Download
                      • memory/2856-122-0x0000000004DDC000-0x0000000004EDD000-memory.dmp
                        Filesize

                        1.0MB

                        Download
                      • memory/2856-123-0x0000000004F50000-0x0000000004FAF000-memory.dmp
                        Filesize

                        380KB

                        Download
                      • memory/2856-119-0x0000000000000000-mapping.dmp
                        Download