Overview

overview

10

Static

static

022e3c30a1...66.exe

windows7_x64

10

022e3c30a1...66.exe

windows10_x64

10

4d27dca0a1...ef.exe

windows7_x64

10

4d27dca0a1...ef.exe

windows10_x64

10

578a3a7a2b...b3.exe

windows7_x64

10

578a3a7a2b...b3.exe

windows10_x64

10

9c4880a98c...82.exe

windows7_x64

10

9c4880a98c...82.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows7_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

acf1b7d80f...e0.exe

windows7_x64

10

acf1b7d80f...e0.exe

windows10_x64

10

cbf31d825a...d2.exe

windows7_x64

10

cbf31d825a...d2.exe

windows10_x64

10

db76a117db...12.exe

windows7_x64

10

db76a117db...12.exe

windows10_x64

10

e2ffb8aeeb...f6.exe

windows7_x64

10

e2ffb8aeeb...f6.exe

windows10_x64

7

f2196668f4...cb.exe

windows7_x64

10

f2196668f4...cb.exe

windows10_x64

10

Analysis

  • max time kernel
    167s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    08-11-2021 17:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe

  • Size

    834KB

  • MD5

    2c25a0926e5228d2205b3b8c8ef4d7f4

  • SHA1

    5f8a9d364dc3d03a5b11fd5be0629d0fb5a8c409

  • SHA256

    e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6

  • SHA512

    cafe8fae74d414015118b838b5e4b30183733d5e833c5db84a56bd2d5cf728cad08d2bbefbeadc86b15b7dbf6dc25fcabdffa8ff4fb346dc0f66376087a28468

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
    1⤵
      PID:1096
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
      1⤵
        PID:316
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Themes
        1⤵
          PID:1184
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s SENS
          1⤵
          • Modifies registry class
          PID:1396
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s UserManager
          1⤵
            PID:1388
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
            1⤵
              PID:344
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
              1⤵
                PID:1884
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s BITS
                1⤵
                • Suspicious use of SetThreadContext
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:756
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k SystemNetworkService
                  2⤵
                  • Drops file in System32 directory
                  • Checks processor information in registry
                  • Modifies data under HKEY_USERS
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:924
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s Browser
                1⤵
                  PID:2960
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                  1⤵
                    PID:2652
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2636
                    • C:\Windows\system32\wbem\WMIADAP.EXE
                      wmiadap.exe /F /T /R
                      2⤵
                        PID:800
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                      1⤵
                        PID:2588
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                        1⤵
                          PID:2520
                        • C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
                          "C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe"
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3144
                          • C:\Windows\SysWOW64\rundll32.exe
                            "C:\Windows\System32\rundll32.exe" sqlite.dll,global
                            2⤵
                            • Loads dropped DLL
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2188

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Initial Access

                        Execution

                        Persistence

                        Privilege Escalation

                        Defense Evasion

                        Credential Access

                        Discovery

                        System Information Discovery

                        2
                        T1082

                        Query Registry

                        1
                        T1012

                        Lateral Movement

                        Collection

                        Exfiltration

                        Command and Control

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
                          MD5

                          bbd4ce7a3b397979f6725781367e2671

                          SHA1

                          1627f36916b4a3e2384a3aa2b0af35ba9e785093

                          SHA256

                          c13e0dd5f82062a4659f6fa989b00a2d109644156675aa63e7670288723a9fe4

                          SHA512

                          b0a5708673f3077eaad552ea664f16b569b653be55865221506b537b41c77ec9b5610d3f67b996e7f2da0bd08da274dc01c9e7db2ce1ed706c18812093d76b65

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
                          MD5

                          d2c3e38d64273ea56d503bb3fb2a8b5d

                          SHA1

                          177da7d99381bbc83ede6b50357f53944240d862

                          SHA256

                          25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

                          SHA512

                          2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

                          Download Submit
                        • \Users\Admin\AppData\Local\Temp\sqlite.dll
                          MD5

                          d2c3e38d64273ea56d503bb3fb2a8b5d

                          SHA1

                          177da7d99381bbc83ede6b50357f53944240d862

                          SHA256

                          25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

                          SHA512

                          2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

                          Download Submit
                        • memory/316-161-0x0000028DA2A40000-0x0000028DA2AB2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/316-139-0x0000028DA1B80000-0x0000028DA1B82000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/316-140-0x0000028DA1B80000-0x0000028DA1B82000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/316-183-0x0000028DA1B80000-0x0000028DA1B82000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/316-197-0x0000028DA2AC0000-0x0000028DA2B32000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/344-132-0x00000254AEAE0000-0x00000254AEAE2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/344-131-0x00000254AEAE0000-0x00000254AEAE2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/344-188-0x00000254AF8B0000-0x00000254AF922000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/344-157-0x00000254AF230000-0x00000254AF2A2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/344-179-0x00000254AEAE0000-0x00000254AEAE2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/756-174-0x000001CFC89B0000-0x000001CFC89B1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/756-154-0x000001CFC8F10000-0x000001CFC8F82000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/756-124-0x000001CFC89A0000-0x000001CFC89A2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/756-177-0x000001CFC62E0000-0x000001CFC62E4000-memory.dmp
                          Filesize

                          16KB

                          Download
                        • memory/756-175-0x000001CFC89B0000-0x000001CFC89B4000-memory.dmp
                          Filesize

                          16KB

                          Download
                        • memory/756-153-0x000001CFC8E50000-0x000001CFC8E9D000-memory.dmp
                          Filesize

                          308KB

                          Download
                        • memory/756-125-0x000001CFC89A0000-0x000001CFC89A2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/756-173-0x000001CFC89C0000-0x000001CFC89C4000-memory.dmp
                          Filesize

                          16KB

                          Download
                        • memory/800-172-0x0000000000000000-mapping.dmp
                          Download
                        • memory/924-129-0x000001EE9D4A0000-0x000001EE9D4A2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/924-126-0x00007FF79C134060-mapping.dmp
                          Download
                        • memory/924-156-0x000001EE9BB60000-0x000001EE9BBD2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/924-171-0x000001EE9E400000-0x000001EE9E505000-memory.dmp
                          Filesize

                          1.0MB

                          Download
                        • memory/924-170-0x000001EE9D4D0000-0x000001EE9D4EB000-memory.dmp
                          Filesize

                          108KB

                          Download
                        • memory/924-169-0x000001EE9D4A0000-0x000001EE9D4A2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/924-168-0x000001EE9D4A0000-0x000001EE9D4A2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/924-130-0x000001EE9D4A0000-0x000001EE9D4A2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1096-137-0x000002AC426C0000-0x000002AC426C2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1096-195-0x000002AC42F20000-0x000002AC42F92000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/1096-160-0x000002AC42EA0000-0x000002AC42F12000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/1096-182-0x000002AC426C0000-0x000002AC426C2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1096-138-0x000002AC426C0000-0x000002AC426C2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1184-164-0x000001E506B70000-0x000001E506BE2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/1184-189-0x000001E5074B0000-0x000001E507522000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/1184-187-0x000001E506740000-0x000001E506742000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1184-146-0x000001E506740000-0x000001E506742000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1184-145-0x000001E506740000-0x000001E506742000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1388-147-0x00000167E8D90000-0x00000167E8D92000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1388-193-0x00000167E8E60000-0x00000167E8ED2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/1388-191-0x00000167E8D90000-0x00000167E8D92000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1388-165-0x00000167E8D10000-0x00000167E8D82000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/1388-148-0x00000167E8D90000-0x00000167E8D92000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1396-199-0x0000024B33340000-0x0000024B333B2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/1396-162-0x0000024B32770000-0x0000024B327E2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/1396-184-0x0000024B325B0000-0x0000024B325B2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1396-142-0x0000024B325B0000-0x0000024B325B2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1396-141-0x0000024B325B0000-0x0000024B325B2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1884-163-0x0000024404D40000-0x0000024404DB2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/1884-185-0x0000024404020000-0x0000024404022000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1884-144-0x0000024404020000-0x0000024404022000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1884-143-0x0000024404020000-0x0000024404022000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1884-201-0x0000024404E30000-0x0000024404EA2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/2188-122-0x0000000004484000-0x0000000004585000-memory.dmp
                          Filesize

                          1.0MB

                          Download
                        • memory/2188-123-0x0000000004410000-0x000000000446D000-memory.dmp
                          Filesize

                          372KB

                          Download
                        • memory/2188-118-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2520-158-0x000001EB04C60000-0x000001EB04CD2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/2520-133-0x000001EB04470000-0x000001EB04472000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2520-180-0x000001EB04470000-0x000001EB04472000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2520-134-0x000001EB04470000-0x000001EB04472000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2520-190-0x000001EB04F00000-0x000001EB04F72000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/2588-135-0x00000279C24F0000-0x00000279C24F2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2588-192-0x00000279C32C0000-0x00000279C3332000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/2588-159-0x00000279C3240000-0x00000279C32B2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/2588-181-0x00000279C24F0000-0x00000279C24F2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2588-136-0x00000279C24F0000-0x00000279C24F2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2636-194-0x0000020535870000-0x0000020535872000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2636-149-0x0000020535870000-0x0000020535872000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2636-166-0x0000020536940000-0x00000205369B2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/2636-150-0x0000020535870000-0x0000020535872000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2636-196-0x0000020536F30000-0x0000020536FA2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/2652-167-0x0000018DAFB60000-0x0000018DAFBD2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/2652-152-0x0000018DAF4D0000-0x0000018DAF4D2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2652-151-0x0000018DAF4D0000-0x0000018DAF4D2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2652-200-0x0000018DAFC80000-0x0000018DAFCF2000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/2652-198-0x0000018DAF4D0000-0x0000018DAF4D2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2960-155-0x0000023DA1500000-0x0000023DA1572000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/2960-178-0x0000023DA0A80000-0x0000023DA0A82000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2960-128-0x0000023DA0A80000-0x0000023DA0A82000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2960-127-0x0000023DA0A80000-0x0000023DA0A82000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2960-186-0x0000023DA18C0000-0x0000023DA1932000-memory.dmp
                          Filesize

                          456KB

                          Download
                        • memory/3144-116-0x0000000000020000-0x0000000000021000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3144-117-0x0000000000020000-0x0000000000021000-memory.dmp
                          Filesize

                          4KB

                          Download