Analysis

  • max time kernel
    138s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-01-2022 18:11

General

  • Target

    7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe

  • Size

    312KB

  • MD5

    e5a07be6c167ccf605ba9e6a0608e141

  • SHA1

    d50547756f224ebaf38efc1b2e5134b6caa272ba

  • SHA256

    449fb91c32af2d722f418ab4ee0747d0b7457ba69496b2d8f894e6045d69e1e4

  • SHA512

    b66a844121bd42707aab3200f5e2a01765bd00ea3b958e09baeca9cd6856005a17474e72a9635184046d92205be3baf6677951fd8eb42ccebe687efb8b30f13b

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. Here both hits are the 64-bit rundll32.exe instances (PIDs 1016 and 4028) each spawning a SysWOW64\rundll32.exe with the identical command line, which is the normal WoW64 relaunch rundll32 performs to load a 32-bit DLL; it points to db.dll being 32-bit rather than to rundll32 itself being exploited.

  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

    Both hits are the WerFault.exe -pss instances (PIDs 3888 and 3804) that report the crashes of the 32-bit rundll32 processes 828 and 3772; creating the crash-report process under the faulting process as parent is part of how Windows Error Reporting works and is not attributable to the sample.
  • Sets service image path in registry 2 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Seen in ransomware, but also in ordinary installers and system tools; nothing else in this report points to encryption activity, so treat this as a weak indicator on its own.

  • Program crash 2 IoCs

    Both crashes are the SysWOW64\rundll32.exe instances (PIDs 828 and 3772) that loaded the dropped db.dll, so whatever the DLL's global export does was not observed to completion in this run.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments. In this run the only processes tagged with it in the tree are the WerFault.exe instances (PIDs 1300 and 692) collecting crash-report data, so it is a side effect of the crashes rather than an evasion check by the sample.

  • Enumerates system info in registry 2 TTPs 4 IoCs

    Likewise only tagged on the WerFault.exe instances.

  • Modifies data under HKEY_USERS 41 IoCs

    Tagged only on WaaSMedicAgent.exe (PID 2488), a Windows Update component that ran alongside the sample and has no parent/child link to it in the tree.
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a
      • Suspicious use of SetWindowsHookEx
      PID:2240
    • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a
      • Suspicious use of SetWindowsHookEx
      PID:1888
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 6b75b5e120efb18bf363a734cec961f4 J6v8hJj9zU2k/m5PH3DSew.0.1.0.0.0
    • Modifies data under HKEY_USERS
    PID:2488
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
      • Loads dropped DLL
      PID:828
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 604
        • Drops file in Windows directory
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1300
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
      • Loads dropped DLL
      PID:3772
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 600
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:692
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 828 -ip 828
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:3888
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3772 -ip 3772
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:3804
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    PID:3064
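The rundll32 and WerFault relationships in the tree above can be re-derived mechanically from process-creation telemetry, which is what separates the one actionable finding (rundll32 loading a DLL from %TEMP%) from the signatures that are really WoW64 and crash-reporting noise. The following Python is an added example, not part of this report or the sandbox that produced it. The event list is constructed from the tree above; the page shows no parent for the two WerFault.exe -pss instances, so their ppid is left as None, the explorer-launched shell32.dll pair is a constructed benign control, the rule names are invented for this example, and the reading of WerFault.exe -pss as the helper that creates the report process under the faulting pid is an assumption.

```python
"""Re-derive the rundll32/WerFault findings from process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed from the
process tree above (a subset of Sysmon Event ID 1 fields).
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmd: str


@dataclass
class Finding:
    pid: int
    kind: str
    attack: Optional[str]  # ATT&CK technique id, when one applies
    detail: str


# rundll32 <dll>,<export> [args]; the DLL path may be quoted and contain spaces.
RUNDLL_RE = re.compile(
    r'(?i)rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[^\s,]+)')
# "WerFault.exe -u -p <pid> -s <handle>": user-mode crash report for <pid>.
WERFAULT_CRASH_RE = re.compile(r"(?i)werfault\.exe\s+-u\s+-p\s+(?P<pid>\d+)")
# "WerFault.exe -pss -s <handle> -p <pid> -ip <pid>": WER's snapshot helper for
# <pid>. Assumption: this is the instance that creates the report process with
# the faulting pid as parent, which is what the OtherParentProcess signature sees.
WERFAULT_PSS_RE = re.compile(r"(?i)werfault\.exe\s+-pss\b.*?-p\s+(?P<pid>\d+)")

# Locations a standard user can write to; rundll32 loading a DLL from here is
# worth a look whatever the export is called.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_rundll32(cmd: str):
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmd)
    return (m["dll"], m["export"]) if m else None


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyze(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    flagged = set()  # rundll32 pids that loaded a DLL from a user-writable path

    # Pass 1: rundll32 command lines (T1218.011, Signed Binary Proxy Execution: Rundll32).
    for e in events:
        image = e.image.lower()
        if not image.endswith("\\rundll32.exe"):
            continue
        parsed = parse_rundll32(e.cmd)
        if parsed and in_user_writable(parsed[0]):
            flagged.add(e.pid)
            findings.append(Finding(e.pid, "rundll32_dll_from_user_writable_path",
                                    "T1218.011", f"{parsed[0]} export {parsed[1]}"))
        parent = by_pid.get(e.ppid)
        # A System32 rundll32 re-executing itself from SysWOW64 with the same
        # command line is how a 32-bit DLL gets loaded on x64; by itself it is
        # not evidence that the parent was exploited.
        if (parent and parent.image.lower().endswith("\\system32\\rundll32.exe")
                and "\\syswow64\\" in image and parent.cmd.lower() == e.cmd.lower()):
            findings.append(Finding(e.pid, "wow64_rundll32_relaunch", None,
                                    f"32-bit relaunch of pid {parent.pid}, same command line"))

    # Pass 2: WerFault instances, tied back to the rundll32 pids they report on.
    for e in events:
        if not e.image.lower().endswith("\\werfault.exe"):
            continue
        m = WERFAULT_CRASH_RE.search(e.cmd)
        if m and int(m["pid"]) in flagged:
            findings.append(Finding(e.pid, "flagged_process_crashed", None,
                                    f"pid {m['pid']} crashed after loading the dropped DLL; "
                                    "its registry reads are crash reporting, not the sample"))
            continue
        m = WERFAULT_PSS_RE.search(e.cmd)
        if m:
            findings.append(Finding(e.pid, "werfault_snapshot_helper", None,
                                    f"WER snapshot helper for pid {m['pid']}"))
    return findings


TEMP_DLL = r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global'
EVENTS = [  # constructed from the tree above; ppid None where the page shows no parent
    ProcEvent(1016, None, r"C:\Windows\system32\rundll32.exe", TEMP_DLL),
    ProcEvent(828, 1016, r"C:\Windows\SysWOW64\rundll32.exe", TEMP_DLL),
    ProcEvent(1300, 828, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 604"),
    ProcEvent(3888, None, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 828 -ip 828"),
    # Constructed benign control, not from the page: a Control Panel applet.
    ProcEvent(5000, 4, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"pid {f.pid:<5} {f.kind:<38} {f.attack or '-':<10} {f.detail}")
```

Run against real Sysmon or EDR process-creation events, the two informational kinds (wow64_rundll32_relaunch and werfault_snapshot_helper) are what turn the "unexpected child process" and "OtherParentProcess" signatures into explained noise, while the T1218.011 finding on the rundll32 pair is what remains to act on; the benign shell32.dll control produces nothing.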

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1 signature)
  • Defense Evasion: Modify Registry, T1112 (1 signature)
  • Discovery: Query Registry, T1012 (3 signatures)
  • Discovery: System Information Discovery, T1082 (4 signatures)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\db.dat
    MD5

    4d0511c6b3fced567deda83f81c485fc

    SHA1

    a76a47f933f27e65fa3b6568c37a15b0dbc01b24

    SHA256

    27f01767425e7e0c2b00e364197be6efce57a0a9d14915fed5b18c74b4ed4f4a

    SHA512

    f5c778c316a9df4c42866cacad962682cd7db99b97e003841865003c162570eabcf88d922e16d1e9fdad0d40702c34c87c3a7e940f297711823063126de1e28b


  • C:\Users\Admin\AppData\Local\Temp\db.dll
    MD5

    bdb8b28711203da9fe039a930a69334d

    SHA1

    e23c19dbf7031fb94d23bb8256fd7008503e699b

    SHA256

    73883debf40f04a57103800651142e8232bfc67f9e3535ad25f7c2687143fe65

    SHA512

    4cc5397b4f6505557533f2d8d9a55c793e00e4c2687ac3710f4a3ee2439365597d973d0199661714a727f37acaf5548e6ccc747fde40794ea2c3879dd70e87a9

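To check other hosts for the dropped files, compare hashes rather than file names, since db.dat and db.dll are trivially renamed. The following Python is an added example, not part of this report; REPORT_IOCS is copied from the Downloads entries above, and make_sample_dir() builds a constructed directory with one file of known content so the sweep can be exercised offline (on a clean directory it returns no hits, which is the expected result).

```python
"""Hash-based sweep for the files listed under Downloads.

Added example, not part of the sandbox report. REPORT_IOCS is copied from the
Downloads section; make_sample_dir() is constructed input for an offline run.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

REPORT_IOCS: Dict[str, Dict[str, str]] = {
    "db.dat": {
        "md5": "4d0511c6b3fced567deda83f81c485fc",
        "sha1": "a76a47f933f27e65fa3b6568c37a15b0dbc01b24",
        "sha256": "27f01767425e7e0c2b00e364197be6efce57a0a9d14915fed5b18c74b4ed4f4a",
    },
    "db.dll": {
        "md5": "bdb8b28711203da9fe039a930a69334d",
        "sha1": "e23c19dbf7031fb94d23bb8256fd7008503e699b",
        "sha256": "73883debf40f04a57103800651142e8232bfc67f9e3535ad25f7c2687143fe65",
    },
}

ALGOS = ("md5", "sha1", "sha256")


def index_iocs(iocs: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Flatten {name: {algo: hex}} into {hex: (name, algo)}: one dict lookup per digest."""
    return {h.lower(): (name, algo)
            for name, per_algo in iocs.items() for algo, h in per_algo.items()}


def hash_file(path, algos=ALGOS) -> Dict[str, str]:
    """Compute every requested digest in a single pass over the file."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def sweep(root, iocs=REPORT_IOCS) -> List[Tuple[str, str, str]]:
    """Return (path, ioc_name, algo) for each file under root whose digest is in iocs.

    File names are deliberately ignored so a renamed db.dll still matches.
    """
    lookup = index_iocs(iocs)
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digests = hash_file(p)
        except OSError:
            continue  # locked or unreadable; a real sweep should log these paths
        for algo in ALGOS:
            if digests[algo] in lookup:
                hits.append((str(p), lookup[digests[algo]][0], algo))
                break
    return hits


def make_sample_dir() -> Tuple[str, str]:
    """Constructed input: a temp dir holding one file with well-known digests."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    sample = os.path.join(root, "sample.bin")
    with open(sample, "wb") as f:
        f.write(b"hello")
    return root, sample


if __name__ == "__main__":
    root, sample = make_sample_dir()
    print("hashes:", hash_file(sample))
    print("report IoC hits:", sweep(root))
```

Point sweep() at %TEMP%, user profiles or a mounted image; hashing once per file for all three algorithms keeps the cost at one read per file, and matching on any one digest means a report that lists only an MD5 or only a SHA256 still works.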