Analysis

  • max time kernel
    152s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20-01-2022 18:11

General

  • Target

    7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe

  • Size

    312KB

  • MD5

    e5a07be6c167ccf605ba9e6a0608e141

  • SHA1

    d50547756f224ebaf38efc1b2e5134b6caa272ba

  • SHA256

    449fb91c32af2d722f418ab4ee0747d0b7457ba69496b2d8f894e6045d69e1e4

  • SHA512

    b66a844121bd42707aab3200f5e2a01765bd00ea3b958e09baeca9cd6856005a17474e72a9635184046d92205be3baf6677951fd8eb42ccebe687efb8b30f13b

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Loads dropped DLL 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 16 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:460
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:868
        • C:\Windows\system32\wbem\WMIADAP.EXE
          wmiadap.exe /F /T /R
          3⤵
            PID:1956
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Drops file in System32 directory
          • Checks processor information in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          PID:1852
      • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"
        1⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:556
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
          2⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1380

      Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • System Information Discovery (T1082): 2
    • Query Registry (T1012): 1

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\db.dat
        MD5

        4d0511c6b3fced567deda83f81c485fc

        SHA1

        a76a47f933f27e65fa3b6568c37a15b0dbc01b24

        SHA256

        27f01767425e7e0c2b00e364197be6efce57a0a9d14915fed5b18c74b4ed4f4a

        SHA512

        f5c778c316a9df4c42866cacad962682cd7db99b97e003841865003c162570eabcf88d922e16d1e9fdad0d40702c34c87c3a7e940f297711823063126de1e28b

      • C:\Users\Admin\AppData\Local\Temp\db.dll
        MD5

        bdb8b28711203da9fe039a930a69334d

        SHA1

        e23c19dbf7031fb94d23bb8256fd7008503e699b

        SHA256

        73883debf40f04a57103800651142e8232bfc67f9e3535ad25f7c2687143fe65

        SHA512

        4cc5397b4f6505557533f2d8d9a55c793e00e4c2687ac3710f4a3ee2439365597d973d0199661714a727f37acaf5548e6ccc747fde40794ea2c3879dd70e87a9

      • \Users\Admin\AppData\Local\Temp\db.dll
        MD5

        bdb8b28711203da9fe039a930a69334d

        SHA1

        e23c19dbf7031fb94d23bb8256fd7008503e699b

        SHA256

        73883debf40f04a57103800651142e8232bfc67f9e3535ad25f7c2687143fe65

        SHA512

        4cc5397b4f6505557533f2d8d9a55c793e00e4c2687ac3710f4a3ee2439365597d973d0199661714a727f37acaf5548e6ccc747fde40794ea2c3879dd70e87a9

      • memory/868-66-0x0000000000830000-0x000000000087D000-memory.dmp
        Filesize

        308KB

      • memory/868-67-0x0000000001B80000-0x0000000001BF2000-memory.dmp
        Filesize

        456KB

      • memory/1380-64-0x0000000002000000-0x0000000002101000-memory.dmp
        Filesize

        1.0MB

      • memory/1380-65-0x00000000008C0000-0x000000000091D000-memory.dmp
        Filesize

        372KB

      • memory/1792-54-0x0000000075471000-0x0000000075473000-memory.dmp
        Filesize

        8KB

      • memory/1852-63-0x0000000000060000-0x00000000000AD000-memory.dmp
        Filesize

        308KB

      • memory/1852-68-0x0000000000420000-0x0000000000492000-memory.dmp
        Filesize

        456KB

      • memory/1852-69-0x000007FEFB611000-0x000007FEFB613000-memory.dmp
        Filesize

        8KB

      • memory/1852-71-0x00000000029A0000-0x0000000002AA5000-memory.dmp
        Filesize

        1.0MB

      • memory/1852-70-0x0000000001C10000-0x0000000001C2B000-memory.dmp
        Filesize

        108KB