Analysis
- max time kernel: 144s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 01:31

Static task: static1
Behavioral task: behavioral1
Sample: 0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe
Resource: win7-en-20211208

General
- Target: 0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe
- Size: 3.4MB
- MD5: 40f4513096356284e69f79311cf710bd
- SHA1: ae01690acb25cc0d2ec1beaa8f9092e2b62d86f3
- SHA256: 0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db
- SHA512: 590073de07ba1f3688eb7e7887d5ba0dc6a6c48e071ce375d974ff23cd0031b717face9606df3222e6e23075fc475501ca488a4b40129dfdcc5a8a9d580de625
Malware Config
Signatures
-
Executes dropped EXE 7 IoCs
Processes:
  pid | Process
  1160 | svshost.exe
  1360 | svshost.exe
  1544 | svshost.exe
  1760 | svshost.exe
  872 | upgradewin.exe
  764 | upgradewin.exe
  956 | upgradewin.exe
-
Loads dropped DLL 5 IoCs
Processes:
  pid | Process
  1116 | cmd.exe
  1116 | cmd.exe
  1116 | cmd.exe
  1760 | svshost.exe
  1760 | svshost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes:
  pid | Process
  1476 | timeout.exe
-
Kills process with taskkill 10 IoCs
Processes:
  pid | Process
  1688 | taskkill.exe
  1500 | taskkill.exe
  296 | taskkill.exe
  1992 | taskkill.exe
  1836 | taskkill.exe
  1548 | taskkill.exe
  1952 | taskkill.exe
  1628 | taskkill.exe
  1740 | taskkill.exe
  1756 | taskkill.exe
-
Runs .reg file with regedit 1 IoCs
Processes:
  pid | Process
  2004 | regedit.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
  pid | Process
  1160 | svshost.exe
  1160 | svshost.exe
  1160 | svshost.exe
  1160 | svshost.exe
  1360 | svshost.exe
  1360 | svshost.exe
  1544 | svshost.exe
  1544 | svshost.exe
  1760 | svshost.exe
  1760 | svshost.exe
  1760 | svshost.exe
  1760 | svshost.exe
  872 | upgradewin.exe
-
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
  pid | Process
  956 | upgradewin.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
  description | pid | Process
  Token: SeDebugPrivilege | 1500 | taskkill.exe
  Token: SeDebugPrivilege | 296 | taskkill.exe
  Token: SeDebugPrivilege | 1992 | taskkill.exe
  Token: SeDebugPrivilege | 1836 | taskkill.exe
  Token: SeDebugPrivilege | 1548 | taskkill.exe
  Token: SeDebugPrivilege | 1952 | taskkill.exe
  Token: SeDebugPrivilege | 1688 | taskkill.exe
  Token: SeDebugPrivilege | 1628 | taskkill.exe
  Token: SeDebugPrivilege | 1740 | taskkill.exe
  Token: SeDebugPrivilege | 1756 | taskkill.exe
  Token: SeDebugPrivilege | 1160 | svshost.exe
  Token: SeDebugPrivilege | 1544 | svshost.exe
  Token: SeTakeOwnershipPrivilege | 1760 | svshost.exe
  Token: SeTcbPrivilege | 1760 | svshost.exe
  Token: SeTcbPrivilege | 1760 | svshost.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid | Process
  1160 | svshost.exe
  1360 | svshost.exe
  1544 | svshost.exe
  1760 | svshost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | Process | procid_target
  PID 1084 wrote to memory of 368 | 1084 | 0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe | 27
  PID 1084 wrote to memory of 368 | 1084 | 0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe | 27
  PID 1084 wrote to memory of 368 | 1084 | 0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe | 27
  PID 1084 wrote to memory of 368 | 1084 | 0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe | 27
  PID 368 wrote to memory of 1116 | 368 | WScript.exe | 28
  PID 368 wrote to memory of 1116 | 368 | WScript.exe | 28
  PID 368 wrote to memory of 1116 | 368 | WScript.exe | 28
  PID 368 wrote to memory of 1116 | 368 | WScript.exe | 28
  PID 368 wrote to memory of 1116 | 368 | WScript.exe | 28
  PID 368 wrote to memory of 1116 | 368 | WScript.exe | 28
  PID 368 wrote to memory of 1116 | 368 | WScript.exe | 28
  PID 1116 wrote to memory of 1500 | 1116 | cmd.exe | 30
  PID 1116 wrote to memory of 1500 | 1116 | cmd.exe | 30
  PID 1116 wrote to memory of 1500 | 1116 | cmd.exe | 30
  PID 1116 wrote to memory of 1500 | 1116 | cmd.exe | 30
  PID 1116 wrote to memory of 296 | 1116 | cmd.exe | 32
  PID 1116 wrote to memory of 296 | 1116 | cmd.exe | 32
  PID 1116 wrote to memory of 296 | 1116 | cmd.exe | 32
  PID 1116 wrote to memory of 296 | 1116 | cmd.exe | 32
  PID 1116 wrote to memory of 1992 | 1116 | cmd.exe | 33
  PID 1116 wrote to memory of 1992 | 1116 | cmd.exe | 33
  PID 1116 wrote to memory of 1992 | 1116 | cmd.exe | 33
  PID 1116 wrote to memory of 1992 | 1116 | cmd.exe | 33
  PID 1116 wrote to memory of 1836 | 1116 | cmd.exe | 34
  PID 1116 wrote to memory of 1836 | 1116 | cmd.exe | 34
  PID 1116 wrote to memory of 1836 | 1116 | cmd.exe | 34
  PID 1116 wrote to memory of 1836 | 1116 | cmd.exe | 34
  PID 1116 wrote to memory of 1548 | 1116 | cmd.exe | 35
  PID 1116 wrote to memory of 1548 | 1116 | cmd.exe | 35
  PID 1116 wrote to memory of 1548 | 1116 | cmd.exe | 35
  PID 1116 wrote to memory of 1548 | 1116 | cmd.exe | 35
  PID 1116 wrote to memory of 1952 | 1116 | cmd.exe | 36
  PID 1116 wrote to memory of 1952 | 1116 | cmd.exe | 36
  PID 1116 wrote to memory of 1952 | 1116 | cmd.exe | 36
  PID 1116 wrote to memory of 1952 | 1116 | cmd.exe | 36
  PID 1116 wrote to memory of 1688 | 1116 | cmd.exe | 37
  PID 1116 wrote to memory of 1688 | 1116 | cmd.exe | 37
  PID 1116 wrote to memory of 1688 | 1116 | cmd.exe | 37
  PID 1116 wrote to memory of 1688 | 1116 | cmd.exe | 37
  PID 1116 wrote to memory of 1628 | 1116 | cmd.exe | 38
  PID 1116 wrote to memory of 1628 | 1116 | cmd.exe | 38
  PID 1116 wrote to memory of 1628 | 1116 | cmd.exe | 38
  PID 1116 wrote to memory of 1628 | 1116 | cmd.exe | 38
  PID 1116 wrote to memory of 1740 | 1116 | cmd.exe | 39
  PID 1116 wrote to memory of 1740 | 1116 | cmd.exe | 39
  PID 1116 wrote to memory of 1740 | 1116 | cmd.exe | 39
  PID 1116 wrote to memory of 1740 | 1116 | cmd.exe | 39
  PID 1116 wrote to memory of 1756 | 1116 | cmd.exe | 40
  PID 1116 wrote to memory of 1756 | 1116 | cmd.exe | 40
  PID 1116 wrote to memory of 1756 | 1116 | cmd.exe | 40
  PID 1116 wrote to memory of 1756 | 1116 | cmd.exe | 40
  PID 1116 wrote to memory of 2012 | 1116 | cmd.exe | 41
  PID 1116 wrote to memory of 2012 | 1116 | cmd.exe | 41
  PID 1116 wrote to memory of 2012 | 1116 | cmd.exe | 41
  PID 1116 wrote to memory of 2012 | 1116 | cmd.exe | 41
  PID 1116 wrote to memory of 1776 | 1116 | cmd.exe | 42
  PID 1116 wrote to memory of 1776 | 1116 | cmd.exe | 42
  PID 1116 wrote to memory of 1776 | 1116 | cmd.exe | 42
  PID 1116 wrote to memory of 1776 | 1116 | cmd.exe | 42
  PID 1116 wrote to memory of 2004 | 1116 | cmd.exe | 43
  PID 1116 wrote to memory of 2004 | 1116 | cmd.exe | 43
  PID 1116 wrote to memory of 2004 | 1116 | cmd.exe | 43
  PID 1116 wrote to memory of 2004 | 1116 | cmd.exe | 43
  PID 1116 wrote to memory of 1476 | 1116 | cmd.exe | 44
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
(Indented entries are child processes of the entry above them.)

C:\Users\Admin\AppData\Local\Temp\0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1084
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory
      PID: 368
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 1116
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im rutserv.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 1500
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im rfusclient.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 296
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im svnhost.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 1992
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im systemsmss.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 1836
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im svshost.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 1548
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im upgradewin.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 1952
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im updated.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 1688
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im systemswin.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 1628
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im systems.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 1740
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im systeminfo.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 1756
            C:\Windows\SysWOW64\reg.exe
              Command line: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
              PID: 2012
            C:\Windows\SysWOW64\reg.exe
              Command line: reg delete "HKLM\SYSTEM\System Corporation Update" /f
              PID: 1776
            C:\Windows\SysWOW64\regedit.exe
              Command line: regedit /s "regedit.reg"
              - Runs .reg file with regedit
              PID: 2004
            C:\Windows\SysWOW64\timeout.exe
              Command line: timeout 2
              - Delays execution with timeout.exe
              PID: 1476
            C:\Users\Admin\AppData\Local\Temp\svshost.exe
              Command line: svshost.exe /silentinstall
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              PID: 1160
            C:\Users\Admin\AppData\Local\Temp\svshost.exe
              Command line: svshost.exe /firewall
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
              PID: 1360
            C:\Users\Admin\AppData\Local\Temp\svshost.exe
              Command line: svshost.exe /start
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              PID: 1544
            C:\Windows\SysWOW64\attrib.exe
              Command line: attrib +r +a +s +h "C:\Windows\System64" /S /D
              - Views/modifies file attributes
              PID: 1984

C:\Users\Admin\AppData\Local\Temp\svshost.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\svshost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1760
    C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 872
        C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\upgradewin.exe /tray
          - Executes dropped EXE
          - Suspicious behavior: SetClipboardViewer
          PID: 956
    C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\upgradewin.exe /tray
      - Executes dropped EXE
      PID: 764
-
Network
MITRE ATT&CK Enterprise v6
Downloads