Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 24-01-2022 04:40

Static task: static1
Behavioral task: behavioral1
Sample: b85c4824afa17d5b2d2f075be00fd90b3a1b79a1a197c44a34486a68678ff5a9.exe
Resource: win7-en-20211208
General
Target: b85c4824afa17d5b2d2f075be00fd90b3a1b79a1a197c44a34486a68678ff5a9.exe
Size: 5.4MB
MD5: 72425aac85ead205e3d26392fb414e1d
SHA1: fd679c7e28a76a28620ccdef1cd10e803b67c35e
SHA256: b85c4824afa17d5b2d2f075be00fd90b3a1b79a1a197c44a34486a68678ff5a9
SHA512: e73dd55400ac0be4150a524c0b51358d363551a8574b64f65b98bcb46a1d90731fea7fe7130f8f1a1c31ae11aa35ae961be36c0de3febc0ba3b3e286d7ecbd2f
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
Processes:
  pid   process
  680   TempEgchatinstaller.exe
  1204  TempEgchat.exe
  1688  TempEgchatinstaller.tmp
  1648  system.exe

Drops startup file (1 IoC)
Processes:
  File created by TempEgchat.exe:
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk
  This is the per-user Startup folder, so the shortcut runs at the next logon of that user only, not machine-wide.

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  680   TempEgchatinstaller.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The report does not attribute this TTP to a specific process, and nothing else in it (no mass file writes, no ransom note among the dropped files) supports the ransomware label, so treat it as a heuristic rather than a finding.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  1688  TempEgchatinstaller.tmp

Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes (one record per enable call in the report, grouped here):
  pid   process         privilege                   calls
  1204  TempEgchat.exe  SeDebugPrivilege            1
  1204  TempEgchat.exe  33                          4
  1204  TempEgchat.exe  SeIncBasePriorityPrivilege  4
  1648  system.exe      SeDebugPrivilege            1
  1648  system.exe      33                          16
  1648  system.exe      SeIncBasePriorityPrivilege  16
Call order: TempEgchat.exe enables SeDebugPrivilege once, then alternates 33 / SeIncBasePriorityPrivilege; system.exe repeats the same pattern once it starts, with one late TempEgchat.exe pair interleaved among system.exe's calls. "33" is a privilege LUID the sandbox reports only by number; winnt.h defines 33 as SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). SeDebugPrivilege is the one worth attention, since it is the prerequisite for opening processes owned by other users or by SYSTEM; the working-set and base-priority privileges are routinely enabled by runtime libraries. The report records the attempt to enable each privilege, not whether the call succeeded.

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process         calls
  1204  TempEgchat.exe  2
The hook type (keyboard, message, shell) is not recorded.

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (grouped; the report lists one record per write):
  writer pid  writer process                                                          target pid  target process            writes
  1584        b85c4824afa17d5b2d2f075be00fd90b3a1b79a1a197c44a34486a68678ff5a9.exe    680         TempEgchatinstaller.exe   7
  1584        b85c4824afa17d5b2d2f075be00fd90b3a1b79a1a197c44a34486a68678ff5a9.exe    1204        TempEgchat.exe            3
  680         TempEgchatinstaller.exe                                                 1688        TempEgchatinstaller.tmp   7
  1204        TempEgchat.exe                                                          1648        system.exe                3
Every write goes from a parent into a child it has just created (compare the process tree below), which is consistent with ordinary process start-up rather than injection into a pre-existing or unrelated process.
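The WriteProcessMemory and process-tree records above are only useful once you separate parent-to-child writes (process start-up) from writes into unrelated processes (candidate injection). The following is an added example, not part of the original report or of any tool the report describes: it parses the report's flattened "PID A wrote to memory of B" records, rebuilds the process tree, and classifies each write. The pid/name map, parent links and write counts are copied from this page; the record-line format is assumed from how the page renders it, and the final record in REPORT_TEXT is constructed to exercise the cross-process case.

```python
import re
from collections import defaultdict

SAMPLE = "b85c4824afa17d5b2d2f075be00fd90b3a1b79a1a197c44a34486a68678ff5a9.exe"

# pid -> image name, from the "Executes dropped EXE" signature plus the root sample (pid 1584).
PROCESSES = {
    1584: SAMPLE,
    680: "TempEgchatinstaller.exe",
    1204: "TempEgchat.exe",
    1688: "TempEgchatinstaller.tmp",
    1648: "system.exe",
}

# child pid -> parent pid, as the report's process tree nests them.
PARENT = {680: 1584, 1204: 1584, 1688: 680, 1648: 1204}

# (writer, target, number of writes), condensed from the 20 WriteProcessMemory records.
WPM_RECORDS = [(1584, 680, 7), (1584, 1204, 3), (680, 1688, 7), (1204, 1648, 3)]

# Constructed input in the report's flattened format. The first four records are
# copied from the page; the last one is made up to exercise the cross-process case.
REPORT_TEXT = (
    f"PID 1584 wrote to memory of 680 1584 {SAMPLE} TempEgchatinstaller.exe "
    "PID 680 wrote to memory of 1688 680 TempEgchatinstaller.exe TempEgchatinstaller.tmp "
    "PID 1204 wrote to memory of 1648 1204 TempEgchat.exe system.exe "
    "PID 1204 wrote to memory of 1648 1204 TempEgchat.exe system.exe "
    "PID 1648 wrote to memory of 680 1648 system.exe TempEgchatinstaller.exe"  # constructed
)

# Assumed record shape: "PID <writer> wrote to memory of <target> <writer> <writer.exe> <target.exe>"
WPM_LINE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \S+")


def parse_wpm(text):
    """Count 'PID A wrote to memory of B' records per (writer, target) pair."""
    counts = defaultdict(int)
    for writer, target in WPM_LINE.findall(text):
        counts[(int(writer), int(target))] += 1
    return dict(counts)


def build_tree(parent):
    """Invert child->parent into parent->[children], preserving report order."""
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    return dict(children)


def classify_writes(wpm_counts, parent):
    """Split WriteProcessMemory pairs into 'spawn' writes (writer is the target's
    parent: the normal CreateProcess start-up pattern) and 'cross' writes
    (writer is not the parent: a candidate for code injection)."""
    spawn, cross = {}, {}
    for (writer, target), n in wpm_counts.items():
        bucket = spawn if parent.get(target) == writer else cross
        bucket[(writer, target)] = n
    return spawn, cross


def render_tree(children, procs, root, depth=0):
    """Return the tree as indented 'pid name' lines, root first."""
    lines = [f"{'  ' * depth}{root} {procs.get(root, '?')}"]
    for child in children.get(root, []):
        lines.extend(render_tree(children, procs, child, depth + 1))
    return lines


def summarize():
    """Apply the classifier to the report's own 20 records."""
    counts = {(w, t): n for w, t, n in WPM_RECORDS}
    spawn, cross = classify_writes(counts, PARENT)
    return {"spawn_writes": sum(spawn.values()), "cross_writes": sum(cross.values())}


if __name__ == "__main__":
    print("\n".join(render_tree(build_tree(PARENT), PROCESSES, 1584)))
    print(summarize())
    print("cross-process writes in constructed text:",
          classify_writes(parse_wpm(REPORT_TEXT), PARENT)[1])
```

On the report's own records summarize() reports 20 spawn writes and 0 cross writes; only the constructed fifth record in REPORT_TEXT, where system.exe writes into the installer, lands in the "cross" bucket. The parent map is taken from the report, so the classifier is only as good as the sandbox's tree: a process that was reparented after its creator exited would show up as a cross write and needs a manual look.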
Processes
1. C:\Users\Admin\AppData\Local\Temp\b85c4824afa17d5b2d2f075be00fd90b3a1b79a1a197c44a34486a68678ff5a9.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\b85c4824afa17d5b2d2f075be00fd90b3a1b79a1a197c44a34486a68678ff5a9.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe
      command line: "C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\is-C5B9R.tmp\TempEgchatinstaller.tmp
         command line: "C:\Users\Admin\AppData\Local\Temp\is-C5B9R.tmp\TempEgchatinstaller.tmp" /SL5="$50108,4986466,68096,C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe"
         - Executes dropped EXE
         - Suspicious behavior: GetForegroundWindowSpam
   2. C:\Users\Admin\AppData\Local\TempEgchat.exe
      command line: "C:\Users\Admin\AppData\Local\TempEgchat.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\system.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\system.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken

Two things in this tree are worth noting. The level-2 drops are recorded directly under AppData\Local with "Temp" fused into the file name (C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe, not ...\Local\Temp\Egchatinstaller.exe), which makes the path itself a usable host IOC. The is-C5B9R.tmp directory and the /SL5="$hwnd,offset,size,path" argument are the Inno Setup loader pattern, so branch 2/3 on the left is a bundled installer unpacking itself, while the right-hand branch (TempEgchat.exe -> system.exe, with the Startup-folder shortcut) is where the persistence and privilege activity sits.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\TempEgchat.exe
  MD5:    acf5abe9f9a399a73736f0cbf2e19f4e
  SHA1:   3f165e2b44ceaad50da8745374c57b500525b2de
  SHA256: 130a75085b8e38c0b0e3e95b74d08daca3e939506093f497206a8c250c0576fc
  SHA512: 9154073672b45db52a856eda3d9f43c9591f3d00633fc27ef526249d2679f2cc9c38a1d5b95ac8b375ff7ca7ac531281b084a31405a77d09047302337df4aadd

C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe
  MD5:    eb6fa2af6084a0bfc804e92f166c677f
  SHA1:   b4e69189e1dc0e0716073e89828f26107f9f2809
  SHA256: 828353ef564506f41225e5c1056462659ab65ea5c82a3f484475b6b8449cb88b
  SHA512: 10b6afc5ea65ef1f26beaddc4a7265f990281d0511e8fc8994a37bcb8e3daf7c171be6da869b8d348147e7c25b1cd13bd8d8e3d4c115bded7ac7773a22d97515

C:\Users\Admin\AppData\Local\Temp\is-C5B9R.tmp\TempEgchatinstaller.tmp
(also listed as \Users\Admin\AppData\Local\Temp\is-C5B9R.tmp\TempEgchatinstaller.tmp, same hashes)
  MD5:    e2580737dca2845220782c8f59777679
  SHA1:   9f9c60fbd5289afa2bc810f0470004c1260a4831
  SHA256: 258dc547d2883fb9f6c8fc934f3c9892bf253bd15133202444e265d4daf08362
  SHA512: 0a8ba4eeded11b1052623da36cf1322e9bf48a84759922fde926b6424b5355a9c75517b17421331fa69062d8ed029aab9819a91bbf1f37fa6745affffb007e3b

C:\Users\Admin\AppData\Local\Temp\system.exe
  MD5:    233c3f4734867b89f5de8679d1217c40
  SHA1:   f1c98bfe9537b32c9d4ca1ebfc304cb9e2aab3a2
  SHA256: 7af598d30c386d9cd170463b6340142809feb3d3109943f0fb7b60a0651ee282
  SHA512: d267c022c73e7e8ec5ae0dee0837a7fceb2ddfe1d895563a2c6a6d22bc62a87e4cc7e1ec648b4689fe842679213f0f82328b3a623a6e79aef9832dbfb1cc0379
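The hashes and file names above are the report's host IOCs. As an added example (not part of the original report or of the sandbox's tooling), here is a small sweep that walks a directory, hashes every file the way the report does, and reports a definitive hit on a SHA-256 match or a weaker name-only lead for a file called TempEgchat*.exe/.tmp or mysystem.lnk whose hash differs. The SHA-256 values and name patterns are copied from this page; the directory fixture, the file contents and the "constructed-sample" IOC in demo() are made up so the example runs offline.

```python
import hashlib
import os
import re
import tempfile

# SHA-256 of each dropped file, copied from the Downloads list above.
REPORT_SHA256 = {
    "130a75085b8e38c0b0e3e95b74d08daca3e939506093f497206a8c250c0576fc": "TempEgchat.exe",
    "828353ef564506f41225e5c1056462659ab65ea5c82a3f484475b6b8449cb88b": "TempEgchatinstaller.exe",
    "258dc547d2883fb9f6c8fc934f3c9892bf253bd15133202444e265d4daf08362": "TempEgchatinstaller.tmp",
    "7af598d30c386d9cd170463b6340142809feb3d3109943f0fb7b60a0651ee282": "system.exe",
}

# File-name IOCs from the process tree and the "Drops startup file" signature.
NAME_PATTERNS = [
    re.compile(r"^TempEgchat(installer)?\.(exe|tmp)$", re.IGNORECASE),
    re.compile(r"^mysystem\.lnk$", re.IGNORECASE),
]

ALGOS = ("md5", "sha1", "sha256", "sha512")


def digests_of_bytes(data):
    """Hex digests of an in-memory blob (used to build the constructed fixture)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def file_digests(path, chunk=1 << 16):
    """Stream a file once and return all four digests the report lists."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def sweep(root, sha256_iocs=REPORT_SHA256, name_patterns=NAME_PATTERNS):
    """Walk `root` and return sorted (path, kind, detail) hits.
    kind == 'hash' is a definitive match (detail = report file name);
    kind == 'name' is a lead whose hash differs from the report (detail = its
    sha256), i.e. a rebuilt sample or a false positive that needs a look."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha256 = file_digests(path)["sha256"]
            except OSError:
                continue  # unreadable or locked file: skip it, keep walking
            if sha256 in sha256_iocs:
                hits.append((path, "hash", sha256_iocs[sha256]))
            elif any(p.match(name) for p in name_patterns):
                hits.append((path, "name", sha256))
    return sorted(hits)


def demo():
    """Constructed fixture: a lookalike TempEgchat.exe with made-up content (so it
    can only match by name), a benign file, and a file whose hash we add to the
    IOC set ourselves to show a definitive match."""
    payload = b"constructed payload, not the real sample"
    iocs = dict(REPORT_SHA256)
    iocs[digests_of_bytes(payload)["sha256"]] = "constructed-sample"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "TempEgchat.exe"), "wb") as f:
            f.write(b"MZ lookalike, different bytes")
        with open(os.path.join(d, "readme.txt"), "wb") as f:
            f.write(b"nothing to see")
        with open(os.path.join(d, "update.bin"), "wb") as f:
            f.write(payload)
        return sweep(d, iocs)


if __name__ == "__main__":
    for path, kind, detail in demo():
        print(kind, os.path.basename(path), detail)
```

To run it against a real host, call sweep() on the user profile (the report's paths are all under %LOCALAPPDATA% and the per-user Startup folder) and treat "name" hits as leads only: a lookalike name with a different hash could be a rebuilt sample or an unrelated file, and the hash, not the name, is what ties a file to this report.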
Memory dumps (dump, address range, size)
  memory/680-61    0x0000000076121000-0x0000000076123000  8KB
  memory/680-63    0x0000000000400000-0x0000000000418000  96KB
  memory/1204-60   0x0000000001F40000-0x0000000001F42000  8KB
  memory/1204-62   0x000007FEF2610000-0x000007FEF36A6000  16.6MB
  memory/1204-70   0x0000000001F46000-0x0000000001F65000  124KB
  memory/1204-71   0x0000000001F65000-0x0000000001F66000  4KB
  memory/1204-75   0x0000000001F66000-0x0000000001F67000  4KB
  memory/1204-76   0x0000000001F67000-0x0000000001F68000  4KB
  memory/1204-77   0x0000000001F68000-0x0000000001F69000  4KB
  memory/1204-79   0x0000000001F71000-0x0000000001F73000  8KB
  memory/1204-80   0x0000000001F73000-0x0000000001F74000  4KB
  memory/1204-81   0x0000000001F75000-0x0000000001F76000  4KB
  memory/1204-82   0x0000000001F76000-0x0000000001F77000  4KB
  memory/1204-83   0x0000000001F77000-0x0000000001F78000  4KB
  memory/1204-84   0x0000000001F78000-0x0000000001F79000  4KB
  memory/1584-54   0x000007FEF2850000-0x000007FEF38E6000  16.6MB
  memory/1584-55   0x0000000000360000-0x0000000000362000  8KB
  memory/1584-56   0x000007FEFBE11000-0x000007FEFBE13000  8KB
  memory/1648-74   0x000007FEF2610000-0x000007FEF36A6000  16.6MB
  memory/1648-78   0x00000000021B0000-0x00000000021B2000  8KB
  memory/1688-69   0x0000000000240000-0x0000000000241000  4KB

The three 16.6MB dumps are the same size (0x1096000 bytes) and the ones from 1204 and 1648 share the same base address, so they are most likely one shared library image mapped into all three processes rather than three different payloads; the small 4KB-8KB regions around 0x1F40000-0x1F79000 in 1204 are the ones to look at first for unpacked code or configuration.