79ff327848f9254764561866a5b26ed55aa24453aea69b1f42dbcad5ac140b00

Analysis

max time kernel
69s
max time network
47s
platform
windows7_x64
resource
win7-en
submitted
15-09-2021 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Operational Instructions BSC BBC.pdf.exe
Size

1.1MB
MD5

636ca0dbbfd6a5c2915781a46d5db5e0
SHA1

16a0e21f57cc447b8024999bbd67553c2ffb5e6e
SHA256

79ff327848f9254764561866a5b26ed55aa24453aea69b1f42dbcad5ac140b00
SHA512

fac6d0431ed20e56b7ae7d98342fe58bcc215bbccb5cd39c76585b95827c0216ce84e85c55e0055c16c8b901d6a6ceaf75780ea253daf3fd74f07d9840bbc086

Score

9^/10

Malware Config

Signatures

Nirsoft 13 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

1524 AdvancedRun.exe
1028 AdvancedRun.exe
1464 AdvancedRun.exe
1196 AdvancedRun.exe

pid	process
1524	AdvancedRun.exe
1028	AdvancedRun.exe
1464	AdvancedRun.exe
1196	AdvancedRun.exe

Loads dropped DLL 8 IoCs

Processes:

Operational Instructions BSC BBC.pdf.exeAdvancedRun.exeAdvancedRun.exe

pid	process
1636	Operational Instructions BSC BBC.pdf.exe
1636	Operational Instructions BSC BBC.pdf.exe
1524	AdvancedRun.exe
1524	AdvancedRun.exe
1636	Operational Instructions BSC BBC.pdf.exe
1636	Operational Instructions BSC BBC.pdf.exe
1464	AdvancedRun.exe
1464	AdvancedRun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid	process
1216	powershell.exe
1524	AdvancedRun.exe
1524	AdvancedRun.exe
1028	AdvancedRun.exe
1028	AdvancedRun.exe
1464	AdvancedRun.exe
1464	AdvancedRun.exe
1196	AdvancedRun.exe
1196	AdvancedRun.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Operational Instructions BSC BBC.pdf.exepowershell.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process
Token: SeDebugPrivilege	1636	Operational Instructions BSC BBC.pdf.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	1524	AdvancedRun.exe
Token: SeImpersonatePrivilege	1524	AdvancedRun.exe
Token: SeDebugPrivilege	1028	AdvancedRun.exe
Token: SeImpersonatePrivilege	1028	AdvancedRun.exe
Token: SeDebugPrivilege	1464	AdvancedRun.exe
Token: SeImpersonatePrivilege	1464	AdvancedRun.exe
Token: SeDebugPrivilege	1196	AdvancedRun.exe
Token: SeImpersonatePrivilege	1196	AdvancedRun.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Operational Instructions BSC BBC.pdf.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process	target process
PID 1636 wrote to memory of 1216	1636	Operational Instructions BSC BBC.pdf.exe	powershell.exe
PID 1636 wrote to memory of 1216	1636	Operational Instructions BSC BBC.pdf.exe	powershell.exe
PID 1636 wrote to memory of 1216	1636	Operational Instructions BSC BBC.pdf.exe	powershell.exe
PID 1636 wrote to memory of 1216	1636	Operational Instructions BSC BBC.pdf.exe	powershell.exe
PID 1636 wrote to memory of 1524	1636	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 1636 wrote to memory of 1524	1636	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 1636 wrote to memory of 1524	1636	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 1636 wrote to memory of 1524	1636	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 1524 wrote to memory of 1028	1524	AdvancedRun.exe	AdvancedRun.exe
PID 1524 wrote to memory of 1028	1524	AdvancedRun.exe	AdvancedRun.exe
PID 1524 wrote to memory of 1028	1524	AdvancedRun.exe	AdvancedRun.exe
PID 1524 wrote to memory of 1028	1524	AdvancedRun.exe	AdvancedRun.exe
PID 1636 wrote to memory of 1464	1636	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 1636 wrote to memory of 1464	1636	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 1636 wrote to memory of 1464	1636	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 1636 wrote to memory of 1464	1636	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 1464 wrote to memory of 1196	1464	AdvancedRun.exe	AdvancedRun.exe
PID 1464 wrote to memory of 1196	1464	AdvancedRun.exe	AdvancedRun.exe
PID 1464 wrote to memory of 1196	1464	AdvancedRun.exe	AdvancedRun.exe
PID 1464 wrote to memory of 1196	1464	AdvancedRun.exe	AdvancedRun.exe

C:\Users\Admin\AppData\Local\Temp\Operational Instructions BSC BBC.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Operational Instructions BSC BBC.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 20
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1524
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1464
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/1028-76-0x0000000000000000-mapping.dmp

Download
memory/1196-86-0x0000000000000000-mapping.dmp

Download
memory/1216-59-0x0000000002380000-0x0000000002FCA000-memory.dmp

Filesize
12.3MB

Download
memory/1216-57-0x0000000000000000-mapping.dmp

Download
memory/1216-58-0x0000000076161000-0x0000000076163000-memory.dmp

Filesize
8KB

Download
memory/1216-61-0x0000000002380000-0x0000000002FCA000-memory.dmp

Filesize
12.3MB

Download
memory/1216-60-0x0000000002380000-0x0000000002FCA000-memory.dmp

Filesize
12.3MB

Download
memory/1464-81-0x0000000000000000-mapping.dmp

Download
memory/1524-70-0x0000000000000000-mapping.dmp

Download
memory/1636-67-0x00000000012B0000-0x00000000012BC000-memory.dmp

Filesize
48KB

Download
memory/1636-53-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/1636-56-0x0000000000D60000-0x0000000000DA8000-memory.dmp

Filesize
288KB

Download
memory/1636-66-0x0000000004960000-0x0000000004987000-memory.dmp

Filesize
156KB

Download
memory/1636-55-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads