Analysis

  • max time kernel
    35s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20-01-2022 21:22

General

  • Target

    9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe

  • Size

    1.1MB

  • MD5

    3db8aaeede991e343f4a58c029d5bcb6

  • SHA1

    dce0cf75d9080b4c31425adbc899d21f0ebb5c0f

  • SHA256

    9bf4c9b6c5e930ce91b84920a73d9111793e6d31477458043e94b649147ebf71

  • SHA512

    ae2e99816106a935498f977bf31dd995d315dcdb0237904bce86ccc525732d4b5353376818af87337396370e0cc23ebd321b4ecf1cb30c04969ea0a20ff8df31

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Sets service image path in registry 2 TTPs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 41 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe
    "C:\Users\Admin\AppData\Local\Temp\9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c cmd < Ingranditi.vss
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^fuetIiQsuPqjAJVttASkWlwvPOGVNzHQwJbzXtckNBEqDdxupaWHHZAytGgTAVENilkQkBuZyGnxFwTnxALxvqowpagsQBLSXQSayDVHjXBwBu$" Sul.vss
          4⤵
            PID:1332
          • C:\Users\Admin\AppData\Roaming\Hai.exe.com
            Hai.exe.com I
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2160
            • C:\Users\Admin\AppData\Roaming\Hai.exe.com
              C:\Users\Admin\AppData\Roaming\Hai.exe.com I
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:4056
          • C:\Windows\SysWOW64\PING.EXE
            ping localhost
            4⤵
            • Runs ping.exe
            PID:1520
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 79c8e7dcbdba89421ba2c3b21b7432db ebdq2mJ970+xjRAYW6ZoTw.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:3620

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1
  • Defense Evasion: Modify Registry (T1112), 1
  • Discovery: System Information Discovery (T1082), 1
  • Discovery: Remote System Discovery (T1018), 1


Downloads

    • C:\Users\Admin\AppData\Local\Temp\nse567B.tmp\nsExec.dll
      MD5

      09c2e27c626d6f33018b8a34d3d98cb6

      SHA1

      8d6bf50218c8f201f06ecf98ca73b74752a2e453

      SHA256

      114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

      SHA512

      883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

    • C:\Users\Admin\AppData\Roaming\Cancellato.vss
      MD5

      9ade5ce9d5905c826669ce593925778b

      SHA1

      b426f52bfe2297f709488e1efe74173188e9059c

      SHA256

      a362496c9b6d20798529ed23964028e39ebc245eb1cd9db407e0162c73f4d0d6

      SHA512

      3130f0ac30e8448c46f1385a91821a9d819490b8fad3a0885cdee36fda73c3322a43ff6888cb70d987164a55d4e7d848a6d529eacb3e88a7aea6c27b8e102174

    • C:\Users\Admin\AppData\Roaming\Hai.exe.com
      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • C:\Users\Admin\AppData\Roaming\I
      MD5

      4f0ea88efaffe77c5b2f0def0525437e

      SHA1

      fff4fafe4d044c50e4d7cbb6f3caf3b0a2857184

      SHA256

      35f4ea06fb50b35dcdbb01eed3b1326a2ab648eeec81644a12e42921fc4e0b02

      SHA512

      2ecbb604e5c366bef2de50473a8a1ad165f1bda03bc4bb6c057432514e36b68797e6a88967827f885e22e9b3ae9c8b510923b87390baf452bdd8ee539cb6af1f

    • C:\Users\Admin\AppData\Roaming\Ingranditi.vss
      MD5

      43cb85e9dd4c6a25b26a284c4d4b76ac

      SHA1

      567f4c9fb4877a772bd1504fabd63e93bd30563f

      SHA256

      e33387125c435bc00687074755c6f20c461c9d935c948554a46ae4e63cd8474f

      SHA512

      54f600aefef8b937ce046edc353f971c3a02e869d7fbfe1a768360b1a3fbd85c22ad6625056acfaf44958b4e5aa6fb6bf77cfa54f68e4fd1ad916c0d283ae98f

    • C:\Users\Admin\AppData\Roaming\Mille.vss
      MD5

      4f0ea88efaffe77c5b2f0def0525437e

      SHA1

      fff4fafe4d044c50e4d7cbb6f3caf3b0a2857184

      SHA256

      35f4ea06fb50b35dcdbb01eed3b1326a2ab648eeec81644a12e42921fc4e0b02

      SHA512

      2ecbb604e5c366bef2de50473a8a1ad165f1bda03bc4bb6c057432514e36b68797e6a88967827f885e22e9b3ae9c8b510923b87390baf452bdd8ee539cb6af1f

    • C:\Users\Admin\AppData\Roaming\Sul.vss
      MD5

      47985749b176175b0233934dbf034f5d

      SHA1

      936938f9d1e68b932ae9d61ffec19bcb0a57efea

      SHA256

      68a864ef9f9283178192b42c19c07877454785e5db339edf77c0ca7efe337c49

      SHA512

      a6a97be7a82b20d1b9921e3639d870c4871cd224a4bd406d0e0beb93a6753cc34ece23c703601a8635859d5251d2d7a2e2a6f4799c7cb6c5e99652a42790523a