Analysis
max time kernel: 35s
max time network: 64s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 20-01-2022 21:22
Static task: static1
Behavioral task: behavioral1
  Sample: 9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe
  Resource: win10v2004-en-20220113 (the run whose signatures and process tree are reported below)
General
Target: 9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe
Size: 1.1MB
MD5: 3db8aaeede991e343f4a58c029d5bcb6
SHA1: dce0cf75d9080b4c31425adbc899d21f0ebb5c0f
SHA256: 9bf4c9b6c5e930ce91b84920a73d9111793e6d31477458043e94b649147ebf71
SHA512: ae2e99816106a935498f977bf31dd995d315dcdb0237904bce86ccc525732d4b5353376818af87337396370e0cc23ebd321b4ecf1cb30c04969ea0a20ff8df31
Malware Config
(no configuration extracted)

Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  2160  Hai.exe.com
  4056  Hai.exe.com

Sets service image path in registry (2 TTPs)

Loads dropped DLL (1 IoC)
  PID   Process
  1508  9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature. The report attributes it to no specific process, and the dropped-file list below contains no encrypted files or ransom notes, so treat the ransomware label as a heuristic rather than a finding.

Modifies data under HKEY_USERS (41 IoCs)
  All 41 are "Key created" events by C:\Windows\System32\WaaSMedicAgent.exe (the Windows Update Medic Service component), which runs in its own process tree and is not a child of the sample. The keys are the standard certificate-store layout for the .DEFAULT profile, so this signature is sandbox background activity unrelated to the sample:
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  PID 4056 Hai.exe.com, 18 events

Suspicious use of WriteProcessMemory (18 IoCs)
  Six distinct parent-to-child writes, each logged three times:
  Source PID  Source process                                      Target PID  Target process
  1508        9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe  3468        cmd.exe
  3468        cmd.exe                                             3040        cmd.exe
  3040        cmd.exe                                             1332        findstr.exe
  3040        cmd.exe                                             2160        Hai.exe.com
  3040        cmd.exe                                             1520        PING.EXE
  2160        Hai.exe.com                                         4056        Hai.exe.com
  A parent writing into a child it has just created is routine, which is why every spawn in the tree appears here. The row worth following up is Hai.exe.com (2160) writing into a second copy of itself (4056): a process launching and then writing into a fresh instance of its own image is the shape of self-injection, but the report shows nothing about what was written.
Processes
(indentation shows tree depth; PIDs taken from the signature tables above)

C:\Users\Admin\AppData\Local\Temp\9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe  [PID 1508]
  Command line: "C:\Users\Admin\AppData\Local\Temp\9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  [PID 3468]
    Command line: "cmd" /c cmd < Ingranditi.vss
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  [PID 3040]
      Command line: cmd
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\findstr.exe  [PID 1332]
        Command line: findstr /V /R "^fuetIiQsuPqjAJVttASkWlwvPOGVNzHQwJbzXtckNBEqDdxupaWHHZAytGgTAVENilkQkBuZyGnxFwTnxALxvqowpagsQBLSXQSayDVHjXBwBu$" Sul.vss
      C:\Users\Admin\AppData\Roaming\Hai.exe.com  [PID 2160]
        Command line: Hai.exe.com I
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Hai.exe.com  [PID 4056]
          Command line: C:\Users\Admin\AppData\Roaming\Hai.exe.com I
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\PING.EXE  [PID 1520]
        Command line: ping localhost
        - Runs ping.exe

C:\Windows\System32\WaaSMedicAgent.exe  (separate process tree, not spawned by the sample)
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 79c8e7dcbdba89421ba2c3b21b7432db ebdq2mJ970+xjRAYW6ZoTw.0.1.0.0.0
  - Modifies data under HKEY_USERS
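The sample's tree is a recognisable dropper idiom: cmd reads its script from a .vss file on stdin, findstr /V /R strips every line matching a long marker out of Sul.vss, a dropped Hai.exe.com with a double extension launches a second copy of itself, and ping localhost serves as a delay. The following is an added example, not code from the sandbox report or from the sample: Python detection logic that tags process-creation records (the shape Sysmon event ID 1 or an EDR feed delivers) for each of those traits and correlates them into a chain. The records in SAMPLE are constructed from the PIDs and command lines in the tree above (the root's parent PID is not in the report and is set to 0); the Proc type, the tag names and the function names are this example's own. The strip_marker_lines helper emulates what findstr /V /R "^marker$" does to a file; that Hai.exe.com was rebuilt from Sul.vss this way is an assumption, since the report shows the findstr command but not where its output went.

```python
"""Detection heuristics for the cmd / findstr / .exe.com dropper chain above.

Added example, not sandbox or sample code. Records are process-creation events
(pid, ppid, image, command line) as Sysmon event ID 1 would deliver them; SAMPLE
is constructed from the report's PIDs and command lines (root ppid unknown -> 0).
"""
import ntpath
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    tags: list = field(default_factory=list)


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
DROPPER = TEMP + r"\9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe"
MARKER = ("fuetIiQsuPqjAJVttASkWlwvPOGVNzHQwJbzXtckNBEqDdxupaWHHZAytGgTAVENilkQ"
          "kBuZyGnxFwTnxALxvqowpagsQBLSXQSayDVHjXBwBu")
SAMPLE = [  # constructed from the process tree in the report
    Proc(1508, 0, DROPPER, '"' + DROPPER + '"'),
    Proc(3468, 1508, r"C:\Windows\SysWOW64\cmd.exe", '"cmd" /c cmd < Ingranditi.vss'),
    Proc(3040, 3468, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    Proc(1332, 3040, r"C:\Windows\SysWOW64\findstr.exe",
         'findstr /V /R "^' + MARKER + '$" Sul.vss'),
    Proc(2160, 3040, ROAM + r"\Hai.exe.com", "Hai.exe.com I"),
    Proc(4056, 2160, ROAM + r"\Hai.exe.com", ROAM + r"\Hai.exe.com I"),
    Proc(1520, 3040, r"C:\Windows\SysWOW64\PING.EXE", "ping localhost"),
]
STDIN_REDIRECT = re.compile(r'<\s*"?([^\s"]+)')
DOUBLE_EXT = re.compile(r"\.(?:exe|scr|pif|bat|cmd)\.(?:com|scr|pif|exe)$", re.I)


def parse_findstr_marker(cmdline):
    """Return (marker_regex, input_file) for `findstr /V /R "^...$" file`, else None.
    /V inverts the match and /R makes it a regex, so "^x$" deletes exactly the
    lines equal to x: findstr is acting as a line filter, not a search."""
    flags = cmdline.lower().split('"', 1)[0]
    if "findstr" not in flags or "/v" not in flags or "/r" not in flags:
        return None
    m = re.search(r'"(\^[^"]*\$)"\s+(\S+)\s*$', cmdline)
    return (m.group(1), m.group(2)) if m else None


def tag_process(p, by_pid):
    """Append the heuristic tags that apply to one record and return them."""
    base = ntpath.basename(p.image).lower()
    parent = by_pid.get(p.ppid)
    if base == "cmd.exe":
        m = STDIN_REDIRECT.search(p.cmdline)
        # script fed on stdin: the file needs no .bat/.cmd extension to run
        if m and ntpath.splitext(m.group(1))[1].lower() not in (".bat", ".cmd"):
            p.tags.append("cmd_script_via_stdin")
    if base == "findstr.exe" and parse_findstr_marker(p.cmdline):
        p.tags.append("findstr_marker_filter")
    if DOUBLE_EXT.search(base):
        p.tags.append("double_extension_image")  # Hai.exe.com: still a PE to the loader
    if parent and base != "cmd.exe" and parent.image.lower() == p.image.lower():
        p.tags.append("self_reexec")  # launches a fresh copy of itself
    if base == "ping.exe" and re.search(r"\b(?:localhost|127\.0\.0\.1)\b", p.cmdline, re.I):
        p.tags.append("ping_localhost_delay")  # ping as a sleep between steps
    return p.tags


def find_dropper_chains(procs):
    """Tag all records, then report every parent whose children include both a
    marker-stripping findstr and a double-extension executable."""
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        tag_process(p, by_pid)
    chains = []
    for parent in procs:
        kids = [c for c in procs if c.ppid == parent.pid]
        filt = [c for c in kids if "findstr_marker_filter" in c.tags]
        payload = [c for c in kids if "double_extension_image" in c.tags]
        if not (filt and payload):
            continue
        marker, container = parse_findstr_marker(filt[0].cmdline)
        anc, via_stdin = parent, False  # walk up: was the script itself fed on stdin?
        while anc is not None and not via_stdin:
            via_stdin = "cmd_script_via_stdin" in anc.tags
            anc = by_pid.get(anc.ppid)
        chains.append({"cmd_pid": parent.pid, "container": container, "marker": marker,
                       "dropped": payload[0].image, "stdin_script_ancestor": via_stdin})
    return chains


def strip_marker_lines(container, marker_regex):
    """Emulate `findstr /V /R "^marker$"` on file bytes: keep lines not matching.
    Assumption of this example: the .vss container is the payload with marker
    lines interleaved, so filtering them out rebuilds the dropped file."""
    rx = re.compile(marker_regex.encode("latin-1"))
    return b"\r\n".join(ln for ln in container.split(b"\r\n") if not rx.search(ln))


if __name__ == "__main__":
    for chain in find_dropper_chains(SAMPLE):
        print(chain)
    demo = b"\r\n".join([b"MZ", MARKER.encode(), b"payload", MARKER.encode()])
    print(strip_marker_lines(demo, "^" + MARKER + "$"))
```

Run against the constructed records this reports one chain rooted at cmd.exe PID 3040, with Sul.vss as the container, Hai.exe.com as the dropped image and the stdin-fed script found one level up. On real telemetry the individual tags fire on plenty of benign activity (ping localhost in install scripts, cmd reading from stdin in build systems); it is the co-occurrence under one cmd.exe parent that is worth an alert.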
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\nse567B.tmp\nsExec.dll
  MD5     09c2e27c626d6f33018b8a34d3d98cb6
  SHA1    8d6bf50218c8f201f06ecf98ca73b74752a2e453
  SHA256  114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1
  SHA512  883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954
  Note: nsExec.dll unpacked into an ns####.tmp directory under %TEMP% is the NSIS plugin directory, so the sample is an NSIS-built installer.

C:\Users\Admin\AppData\Roaming\Cancellato.vss
  MD5     9ade5ce9d5905c826669ce593925778b
  SHA1    b426f52bfe2297f709488e1efe74173188e9059c
  SHA256  a362496c9b6d20798529ed23964028e39ebc245eb1cd9db407e0162c73f4d0d6
  SHA512  3130f0ac30e8448c46f1385a91821a9d819490b8fad3a0885cdee36fda73c3322a43ff6888cb70d987164a55d4e7d848a6d529eacb3e88a7aea6c27b8e102174

C:\Users\Admin\AppData\Roaming\Hai.exe.com  (listed twice in the report, both entries with identical hashes)
  MD5     c56b5f0201a3b3de53e561fe76912bfd
  SHA1    2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256  237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512  195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
  Note: the dropped executable run as PID 2160 and 4056 in the process tree.

C:\Users\Admin\AppData\Roaming\I
  MD5     4f0ea88efaffe77c5b2f0def0525437e
  SHA1    fff4fafe4d044c50e4d7cbb6f3caf3b0a2857184
  SHA256  35f4ea06fb50b35dcdbb01eed3b1326a2ab648eeec81644a12e42921fc4e0b02
  SHA512  2ecbb604e5c366bef2de50473a8a1ad165f1bda03bc4bb6c057432514e36b68797e6a88967827f885e22e9b3ae9c8b510923b87390baf452bdd8ee539cb6af1f
  Note: byte-identical to Mille.vss below (same hashes); "I" is the argument passed to Hai.exe.com in the process tree.

C:\Users\Admin\AppData\Roaming\Ingranditi.vss
  MD5     43cb85e9dd4c6a25b26a284c4d4b76ac
  SHA1    567f4c9fb4877a772bd1504fabd63e93bd30563f
  SHA256  e33387125c435bc00687074755c6f20c461c9d935c948554a46ae4e63cd8474f
  SHA512  54f600aefef8b937ce046edc353f971c3a02e869d7fbfe1a768360b1a3fbd85c22ad6625056acfaf44958b4e5aa6fb6bf77cfa54f68e4fd1ad916c0d283ae98f
  Note: the file cmd.exe reads on stdin ("cmd" /c cmd < Ingranditi.vss).

C:\Users\Admin\AppData\Roaming\Mille.vss
  MD5     4f0ea88efaffe77c5b2f0def0525437e
  SHA1    fff4fafe4d044c50e4d7cbb6f3caf3b0a2857184
  SHA256  35f4ea06fb50b35dcdbb01eed3b1326a2ab648eeec81644a12e42921fc4e0b02
  SHA512  2ecbb604e5c366bef2de50473a8a1ad165f1bda03bc4bb6c057432514e36b68797e6a88967827f885e22e9b3ae9c8b510923b87390baf452bdd8ee539cb6af1f
  Note: byte-identical to I above.

C:\Users\Admin\AppData\Roaming\Sul.vss
  MD5     47985749b176175b0233934dbf034f5d
  SHA1    936938f9d1e68b932ae9d61ffec19bcb0a57efea
  SHA256  68a864ef9f9283178192b42c19c07877454785e5db339edf77c0ca7efe337c49
  SHA512  a6a97be7a82b20d1b9921e3639d870c4871cd224a4bd406d0e0beb93a6753cc34ece23c703601a8635859d5251d2d7a2e2a6f4799c7cb6c5e99652a42790523a
  Note: the file findstr /V /R filters in the process tree.