e7677cc256fd579f656584413a3c227d7063b5791b333ffef200610a3adee6a3

Analysis

max time kernel
150s
max time network
138s
platform
windows10_x64
resource
win10-en
submitted
14-09-2021 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SplashtopSOS.exe
Size

7.9MB
MD5

89d8445240fd9d438583429458d76756
SHA1

c7f83b6f86002b6d92c20019dcf11d8fc7690259
SHA256

e7677cc256fd579f656584413a3c227d7063b5791b333ffef200610a3adee6a3
SHA512

ad5859344694a5d51eecbdc2b2e8fc52596cf738a7d677a53caf7b76d3db6c20d72e7647c44fa952cb98b7c527df332110be79167db9ea87b5a79f818c8b05d6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3544	Launcher.exe
3864	SRManagerSOS.exe
2180	SRServerSOS.exe
4024	SRFeatureSOS.exe
1664	SRUtilitySOS.exe

Loads dropped DLL 9 IoCs

pid	Process
3864	SRManagerSOS.exe
3864	SRManagerSOS.exe
3864	SRManagerSOS.exe
3864	SRManagerSOS.exe
2180	SRServerSOS.exe
2180	SRServerSOS.exe
4024	SRFeatureSOS.exe
4024	SRFeatureSOS.exe
4024	SRFeatureSOS.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_BDD4A3CA13696E12BB45668760AFF4D4	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_BDD4A3CA13696E12BB45668760AFF4D4	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	SRManagerSOS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3936	schtasks.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	SRManagerSOS.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	SRManagerSOS.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	SRManagerSOS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
3864	SRManagerSOS.exe
3864	SRManagerSOS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3908	SplashtopSOS.exe
3908	SplashtopSOS.exe
2180	SRServerSOS.exe
2180	SRServerSOS.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 3988	3908	SplashtopSOS.exe	69
PID 3908 wrote to memory of 3988	3908	SplashtopSOS.exe	69
PID 3988 wrote to memory of 3944	3988	cmd.exe	71
PID 3988 wrote to memory of 3944	3988	cmd.exe	71
PID 3908 wrote to memory of 2892	3908	SplashtopSOS.exe	72
PID 3908 wrote to memory of 2892	3908	SplashtopSOS.exe	72
PID 2892 wrote to memory of 3936	2892	cmd.exe	74
PID 2892 wrote to memory of 3936	2892	cmd.exe	74
PID 3908 wrote to memory of 3156	3908	SplashtopSOS.exe	75
PID 3908 wrote to memory of 3156	3908	SplashtopSOS.exe	75
PID 3156 wrote to memory of 3852	3156	cmd.exe	77
PID 3156 wrote to memory of 3852	3156	cmd.exe	77
PID 3908 wrote to memory of 780	3908	SplashtopSOS.exe	78
PID 3908 wrote to memory of 780	3908	SplashtopSOS.exe	78
PID 780 wrote to memory of 788	780	cmd.exe	80
PID 780 wrote to memory of 788	780	cmd.exe	80
PID 3908 wrote to memory of 3160	3908	SplashtopSOS.exe	83
PID 3908 wrote to memory of 3160	3908	SplashtopSOS.exe	83
PID 3160 wrote to memory of 2892	3160	cmd.exe	85
PID 3160 wrote to memory of 2892	3160	cmd.exe	85
PID 3544 wrote to memory of 3864	3544	Launcher.exe	86
PID 3544 wrote to memory of 3864	3544	Launcher.exe	86
PID 3544 wrote to memory of 3864	3544	Launcher.exe	86
PID 3864 wrote to memory of 2180	3864	SRManagerSOS.exe	87
PID 3864 wrote to memory of 2180	3864	SRManagerSOS.exe	87
PID 3864 wrote to memory of 2180	3864	SRManagerSOS.exe	87
PID 3864 wrote to memory of 4024	3864	SRManagerSOS.exe	88
PID 3864 wrote to memory of 4024	3864	SRManagerSOS.exe	88
PID 3864 wrote to memory of 4024	3864	SRManagerSOS.exe	88
PID 4024 wrote to memory of 1664	4024	SRFeatureSOS.exe	89
PID 4024 wrote to memory of 1664	4024	SRFeatureSOS.exe	89
PID 4024 wrote to memory of 1664	4024	SRFeatureSOS.exe	89

C:\Users\Admin\AppData\Local\Temp\SplashtopSOS.exe
"C:\Users\Admin\AppData\Local\Temp\SplashtopSOS.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c expand *.cab /f:* .\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\system32\expand.exe
    expand *.cab /f:* .\
    3⤵
    - Drops file in Windows directory
    PID:3944
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\system32\schtasks.exe
    schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
    3⤵
    - Creates scheduled task(s)
    PID:3936
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
    3⤵
    PID:3852
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn ASOS1
    3⤵
    PID:788
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn ASOS1
    3⤵
    PID:2892

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
  "SRManagerSOS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
    SRServerSOS.exe -s
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2180
- - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
    "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
      SRUtilitySOS.exe -r
      4⤵
      Executes dropped EXE
      PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads