Overview

overview

10

Static

static

f4eb00edcb...d2.exe

windows7_x64

10

f4eb00edcb...d2.exe

windows10_x64

10

ee4355899a...0b.exe

windows7_x64

1

ee4355899a...0b.exe

windows10_x64

1

e5d61c0b7d...0f.exe

windows7_x64

10

e5d61c0b7d...0f.exe

windows10_x64

10

e2ffb8aeeb...f6.exe

windows7_x64

10

e2ffb8aeeb...f6.exe

windows10_x64

7

d965344c14...19.exe

windows7_x64

10

d965344c14...19.exe

windows10_x64

10

d097ca2583...22.exe

windows7_x64

10

d097ca2583...22.exe

windows10_x64

10

ca14b87b56...83.exe

windows7_x64

10

ca14b87b56...83.exe

windows10_x64

10

bc6dfe9ae5...09.exe

windows7_x64

3

bc6dfe9ae5...09.exe

windows10_x64

3

b645101f39...21.exe

windows7_x64

10

b645101f39...21.exe

windows10_x64

10

9c4880a98c...82.exe

windows7_x64

10

9c4880a98c...82.exe

windows10_x64

10

96c9fde298...34.exe

windows7_x64

10

96c9fde298...34.exe

windows10_x64

10

88e993e974...2f.exe

windows7_x64

10

88e993e974...2f.exe

windows10_x64

10

809ed9e2d0...41.exe

windows7_x64

10

809ed9e2d0...41.exe

windows10_x64

10

7dc7ca2414...84.exe

windows7_x64

10

7dc7ca2414...84.exe

windows10_x64

10

775338ae18...e4.exe

windows7_x64

10

775338ae18...e4.exe

windows10_x64

10

5cb26af890...00.exe

windows7_x64

10

5cb26af890...00.exe

windows10_x64

10

Analysis

  • max time kernel
    174s
  • max time network
    191s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    10-11-2021 15:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5cb26af89016d92b17fac85ae007d21027b3032174425c2bb6753241d62b2b00.exe

  • Size

    92KB

  • MD5

    bc1448e17d086d57f635c7079c1bc773

  • SHA1

    1db1cb05523982e613b2e7977472f3adda47c1a2

  • SHA256

    5cb26af89016d92b17fac85ae007d21027b3032174425c2bb6753241d62b2b00

  • SHA512

    5b9c65f7e766560e2ccbc6a2aeba3dbbc1eeaca77eb57f2511155dcc86149d448d9780c9328562ff353aba8e4f90adc5c84ac9dcce509efe99cde56768c2f867

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 18 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    1⤵
      PID:1032
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Themes
      1⤵
        PID:1236
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
        1⤵
          PID:1928
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s SENS
          1⤵
            PID:1480
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
            1⤵
              PID:2436
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
              1⤵
                PID:2480
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                1⤵
                  PID:2728
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s Browser
                  1⤵
                    PID:2668
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                    1⤵
                      PID:2756
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                      1⤵
                        PID:1320
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                        1⤵
                          PID:1124
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s BITS
                          1⤵
                          • Suspicious use of SetThreadContext
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3916
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k SystemNetworkService
                            2⤵
                            • Drops file in System32 directory
                            • Checks processor information in registry
                            • Modifies data under HKEY_USERS
                            • Modifies registry class
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:1344
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                          1⤵
                          • Modifies registry class
                          PID:1020
                        • C:\Users\Admin\AppData\Local\Temp\5cb26af89016d92b17fac85ae007d21027b3032174425c2bb6753241d62b2b00.exe
                          "C:\Users\Admin\AppData\Local\Temp\5cb26af89016d92b17fac85ae007d21027b3032174425c2bb6753241d62b2b00.exe"
                          1⤵
                            PID:2704
                          • C:\Windows\system32\rundll32.exe
                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                            1⤵
                            • Process spawned unexpected child process
                            • Suspicious use of WriteProcessMemory
                            PID:1288
                            • C:\Windows\SysWOW64\rundll32.exe
                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                              2⤵
                              • Loads dropped DLL
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:3956

                          Network

                          MITRE ATT&CK Matrix ATT&CK v6

                          Initial Access

                          Execution

                          Persistence

                          Privilege Escalation

                          Defense Evasion

                          Credential Access

                          Discovery

                          System Information Discovery

                          2
                          T1082

                          Query Registry

                          1
                          T1012

                          Lateral Movement

                          Collection

                          Exfiltration

                          Command and Control

                          Impact

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
                            MD5

                            d2ea63e70f5d51810958b2893048ebae

                            SHA1

                            5c3d28bf01f169685b09014544cf67cc3a610e2e

                            SHA256

                            c5f36825e9c601d5550b02717dbeeeadf1b947806c613d4ff15ed43fbdf2023d

                            SHA512

                            749062d7ed13d600a28f0a07a5b0682252e45c7a0b693ee88815941c099f97e651b275b9cc47ed905875a2a3dd09a26da8d89963514e836aebfdfe8e060d53c3

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
                            MD5

                            d2c3e38d64273ea56d503bb3fb2a8b5d

                            SHA1

                            177da7d99381bbc83ede6b50357f53944240d862

                            SHA256

                            25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

                            SHA512

                            2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

                            Download Submit
                          • \Users\Admin\AppData\Local\Temp\sqlite.dll
                            MD5

                            d2c3e38d64273ea56d503bb3fb2a8b5d

                            SHA1

                            177da7d99381bbc83ede6b50357f53944240d862

                            SHA256

                            25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

                            SHA512

                            2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

                            Download Submit
                          • memory/1020-178-0x0000027EA63C0000-0x0000027EA63C2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1020-190-0x0000027EA6A10000-0x0000027EA6A82000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1020-132-0x0000027EA63C0000-0x0000027EA63C2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1020-157-0x0000027EA6440000-0x0000027EA64B2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1020-131-0x0000027EA63C0000-0x0000027EA63C2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1032-182-0x000002E3E2ED0000-0x000002E3E2ED2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1032-161-0x000002E3E3720000-0x000002E3E3792000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1032-194-0x000002E3E3850000-0x000002E3E38C2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1032-139-0x000002E3E2ED0000-0x000002E3E2ED2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1032-140-0x000002E3E2ED0000-0x000002E3E2ED2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1124-160-0x0000023D9B860000-0x0000023D9B8D2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1124-181-0x0000023D9B0F0000-0x0000023D9B0F2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1124-193-0x0000023D9B960000-0x0000023D9B9D2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1124-138-0x0000023D9B0F0000-0x0000023D9B0F2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1124-137-0x0000023D9B0F0000-0x0000023D9B0F2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1236-146-0x00000230B8800000-0x00000230B8802000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1236-185-0x00000230B8800000-0x00000230B8802000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1236-164-0x00000230B8F60000-0x00000230B8FD2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1236-197-0x00000230B9540000-0x00000230B95B2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1236-145-0x00000230B8800000-0x00000230B8802000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1320-165-0x000001F89AA10000-0x000001F89AA82000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1320-148-0x000001F89AA90000-0x000001F89AA92000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1320-186-0x000001F89AA90000-0x000001F89AA92000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1320-198-0x000001F89AB50000-0x000001F89ABC2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1320-147-0x000001F89AA90000-0x000001F89AA92000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1344-169-0x000001AF25AC0000-0x000001AF25AC2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1344-170-0x000001AF25AF0000-0x000001AF25B0B000-memory.dmp
                            Filesize

                            108KB

                            Download
                          • memory/1344-129-0x000001AF25AC0000-0x000001AF25AC2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1344-126-0x00007FF6A87E4060-mapping.dmp
                            Download
                          • memory/1344-168-0x000001AF25AC0000-0x000001AF25AC2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1344-130-0x000001AF25AC0000-0x000001AF25AC2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1344-171-0x000001AF26990000-0x000001AF26A95000-memory.dmp
                            Filesize

                            1.0MB

                            Download
                          • memory/1344-155-0x000001AF24170000-0x000001AF241E2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1480-183-0x000001F20A5F0000-0x000001F20A5F2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1480-195-0x000001F20AC40000-0x000001F20ACB2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1480-141-0x000001F20A5F0000-0x000001F20A5F2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1480-162-0x000001F20A570000-0x000001F20A5E2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1480-142-0x000001F20A5F0000-0x000001F20A5F2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1928-184-0x0000025F5D5B0000-0x0000025F5D5B2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1928-143-0x0000025F5D5B0000-0x0000025F5D5B2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1928-196-0x0000025F5E3C0000-0x0000025F5E432000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1928-144-0x0000025F5D5B0000-0x0000025F5D5B2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1928-163-0x0000025F5E340000-0x0000025F5E3B2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2436-136-0x00000230DD6F0000-0x00000230DD6F2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2436-192-0x00000230DE3B0000-0x00000230DE422000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2436-135-0x00000230DD6F0000-0x00000230DD6F2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2436-159-0x00000230DD950000-0x00000230DD9C2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2436-180-0x00000230DD6F0000-0x00000230DD6F2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2480-158-0x0000026F5DC50000-0x0000026F5DCC2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2480-134-0x0000026F5D440000-0x0000026F5D442000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2480-191-0x0000026F5E2B0000-0x0000026F5E322000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2480-133-0x0000026F5D440000-0x0000026F5D442000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2480-179-0x0000026F5D440000-0x0000026F5D442000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2668-127-0x0000017D90420000-0x0000017D90422000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2668-189-0x0000017D91130000-0x0000017D911A2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2668-128-0x0000017D90420000-0x0000017D90422000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2668-156-0x0000017D90D70000-0x0000017D90DE2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2668-177-0x0000017D90420000-0x0000017D90422000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2728-150-0x000001A6EB480000-0x000001A6EB482000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2728-187-0x000001A6EB480000-0x000001A6EB482000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2728-199-0x000001A6EBD70000-0x000001A6EBDE2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2728-149-0x000001A6EB480000-0x000001A6EB482000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2728-166-0x000001A6EB540000-0x000001A6EB5B2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2756-151-0x000001CB48100000-0x000001CB48102000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2756-152-0x000001CB48100000-0x000001CB48102000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2756-200-0x000001CB48A30000-0x000001CB48AA2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2756-188-0x000001CB48100000-0x000001CB48102000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2756-167-0x000001CB48940000-0x000001CB489B2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/3916-124-0x00000233F3690000-0x00000233F3692000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/3916-174-0x00000233F36A0000-0x00000233F36A4000-memory.dmp
                            Filesize

                            16KB

                            Download
                          • memory/3916-172-0x00000233F36B0000-0x00000233F36B4000-memory.dmp
                            Filesize

                            16KB

                            Download
                          • memory/3916-154-0x00000233F39D0000-0x00000233F3A42000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/3916-153-0x00000233F3640000-0x00000233F368D000-memory.dmp
                            Filesize

                            308KB

                            Download
                          • memory/3916-125-0x00000233F3690000-0x00000233F3692000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/3916-176-0x00000233F35C0000-0x00000233F35C4000-memory.dmp
                            Filesize

                            16KB

                            Download
                          • memory/3916-173-0x00000233F36A0000-0x00000233F36A1000-memory.dmp
                            Filesize

                            4KB

                            Download
                          • memory/3956-119-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3956-122-0x0000000004AA2000-0x0000000004BA3000-memory.dmp
                            Filesize

                            1.0MB

                            Download
                          • memory/3956-123-0x0000000004970000-0x00000000049CD000-memory.dmp
                            Filesize

                            372KB

                            Download