Analysis
- max time kernel: 117s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 26-10-2021 15:33
- Static task static1
- Behavioral task behavioral1: sample "Software updated by Dylox.exe", resource win7-en-20211014
- Behavioral task behavioral2: sample "Software updated by Dylox.exe", resource win10-en-20210920
- Behavioral task behavioral3: sample "Software-update-patc_828811790.exe", resource win7-en-20210920
- Behavioral task behavioral4: sample "Software-update-patc_828811790.exe", resource win10-en-20211014
- Behavioral task behavioral5: sample "open this if the doesn't work.exe", resource win7-en-20210920
- Behavioral task behavioral6: sample "open this if the doesn't work.exe", resource win10-en-20211014
General
- Target: open this if the doesn't work.exe
- Size: 225KB
- MD5: 75dc0b7ee8ecf84a04ae6dd0ace2f54d
- SHA1: 4185141db5402579321714059282892a932661cf
- SHA256: 06f18fc3c26ff3b6b028d3745e020bc973b3892c0a77096b5d1371dc82989298
- SHA512: 57de91590f724f26eec8d24deaaa1f6cb5eb23ee0fe727152de89abbff9503bffd2ea91d60be280c482df942e51b196de8c73a71e6194c2019d0563eb5cd0d05
Malware Config
Extracted
- raccoon
- 580b491e2149e767dbb79725a6a0395d016c0b15
- url4cnc:
  - http://telegin.top/jabbahatt121
  - http://ttmirror.top/jabbahatt121
  - http://teletele.top/jabbahatt121
  - http://telegalive.top/jabbahatt121
  - http://toptelete.top/jabbahatt121
  - http://telegraf.top/jabbahatt121
  - https://t.me/jabbahatt121
Signatures
-
Nirsoft 7 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\a9e30b76-e07f-43ca-b2c8-3834c29f65fa\AdvancedRun.exe | Nirsoft (4 matches)
C:\Users\Admin\AppData\Local\Temp\a9e30b76-e07f-43ca-b2c8-3834c29f65fa\AdvancedRun.exe | Nirsoft (3 matches)
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
1220 | AdvancedRun.exe
1972 | AdvancedRun.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
792 | open this if the doesn't work.exe (2 events)
1220 | AdvancedRun.exe (2 events)
-
Windows security modification 8 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | open this if the doesn't work.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | open this if the doesn't work.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe = "0" | open this if the doesn't work.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection | open this if the doesn't work.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | open this if the doesn't work.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | open this if the doesn't work.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | open this if the doesn't work.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | open this if the doesn't work.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 792 set thread context of 1660 | 792 | open this if the doesn't work.exe | open this if the doesn't work.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
1688 | 1660 | WerFault.exe | open this if the doesn't work.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
pid | process
1220 | AdvancedRun.exe (2 events)
1972 | AdvancedRun.exe (2 events)
1484 | powershell.exe
792 | open this if the doesn't work.exe (2 events)
1688 | WerFault.exe (4 events)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 792 | open this if the doesn't work.exe
Token: SeDebugPrivilege | 1220 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 1220 | AdvancedRun.exe
Token: SeDebugPrivilege | 1972 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 1972 | AdvancedRun.exe
Token: SeDebugPrivilege | 1484 | powershell.exe
Token: SeDebugPrivilege | 1688 | WerFault.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid | process | target process
PID 792 wrote to memory of 1220 | 792 | open this if the doesn't work.exe | AdvancedRun.exe (4 events)
PID 1220 wrote to memory of 1972 | 1220 | AdvancedRun.exe | AdvancedRun.exe (4 events)
PID 792 wrote to memory of 1484 | 792 | open this if the doesn't work.exe | powershell.exe (4 events)
PID 792 wrote to memory of 1660 | 792 | open this if the doesn't work.exe | open this if the doesn't work.exe (11 events)
PID 1660 wrote to memory of 1688 | 1660 | open this if the doesn't work.exe | WerFault.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe"
  - Loads dropped DLL
  - Windows security modification
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\a9e30b76-e07f-43ca-b2c8-3834c29f65fa\AdvancedRun.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a9e30b76-e07f-43ca-b2c8-3834c29f65fa\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a9e30b76-e07f-43ca-b2c8-3834c29f65fa\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\a9e30b76-e07f-43ca-b2c8-3834c29f65fa\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a9e30b76-e07f-43ca-b2c8-3834c29f65fa\AdvancedRun.exe" /SpecialRun 4101d8 1220
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 492
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Temp\a9e30b76-e07f-43ca-b2c8-3834c29f65fa\AdvancedRun.exe
MD5: 17fc12902f4769af3a9271eb4e2dacce
SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
file | filesize
memory/792-56-0x0000000076B61000-0x0000000076B63000-memory.dmp | 8KB
memory/792-60-0x0000000004E20000-0x0000000004E21000-memory.dmp | 4KB
memory/792-59-0x0000000000210000-0x0000000000213000-memory.dmp | 12KB
memory/792-57-0x0000000000520000-0x0000000000521000-memory.dmp | 4KB
memory/792-54-0x0000000000FE0000-0x0000000000FE1000-memory.dmp | 4KB
memory/792-61-0x0000000005BC0000-0x0000000005CA6000-memory.dmp | 920KB
memory/1220-64-0x0000000000000000-mapping.dmp |
memory/1484-73-0x0000000000000000-mapping.dmp |
memory/1484-78-0x00000000024D0000-0x000000000311A000-memory.dmp | 12.3MB
memory/1484-80-0x00000000024D0000-0x000000000311A000-memory.dmp | 12.3MB
memory/1484-81-0x00000000024D0000-0x000000000311A000-memory.dmp | 12.3MB
memory/1660-75-0x0000000000400000-0x0000000000492000-memory.dmp | 584KB
memory/1660-76-0x000000000043E9BE-mapping.dmp |
memory/1660-79-0x0000000000400000-0x0000000000492000-memory.dmp | 584KB
memory/1688-82-0x0000000000000000-mapping.dmp |
memory/1688-83-0x0000000000400000-0x0000000000401000-memory.dmp | 4KB
memory/1972-70-0x0000000000000000-mapping.dmp |