Analysis
max time kernel: 150s
max time network: 166s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 01:31
Static task: static1
Behavioral task: behavioral1
Sample: 0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe
Resource: win7-en-20211208
General
Target: 0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe
Size: 3.4MB
MD5: 40f4513096356284e69f79311cf710bd
SHA1: ae01690acb25cc0d2ec1beaa8f9092e2b62d86f3
SHA256: 0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db
SHA512: 590073de07ba1f3688eb7e7887d5ba0dc6a6c48e071ce375d974ff23cd0031b717face9606df3222e6e23075fc475501ca488a4b40129dfdcc5a8a9d580de625
Malware Config
Signatures
Executes dropped EXE 7 IoCs
Processes:
pid   Process
2336  svshost.exe
2876  svshost.exe
4056  svshost.exe
4012  svshost.exe
3000  upgradewin.exe
320   upgradewin.exe
3808  upgradewin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Delays execution with timeout.exe 1 IoCs
Processes:
pid   Process
2144  timeout.exe
Kills process with taskkill 10 IoCs
Processes:
pid   Process
1196  taskkill.exe
2480  taskkill.exe
1100  taskkill.exe
2296  taskkill.exe
1828  taskkill.exe
1708  taskkill.exe
2716  taskkill.exe
628   taskkill.exe
2440  taskkill.exe
1408  taskkill.exe
Modifies registry class 1 IoCs
Processes:
description   ioc                                                                                  Process
Key created   \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings   0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe
Runs .reg file with regedit 1 IoCs
Processes:
pid   Process
3168  regedit.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
pid   Process
2336  svshost.exe
2336  svshost.exe
2336  svshost.exe
2336  svshost.exe
2336  svshost.exe
2336  svshost.exe
2876  svshost.exe
2876  svshost.exe
4056  svshost.exe
4056  svshost.exe
4012  svshost.exe
4012  svshost.exe
4012  svshost.exe
4012  svshost.exe
4012  svshost.exe
4012  svshost.exe
320   upgradewin.exe
320   upgradewin.exe
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
pid   Process
3808  upgradewin.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description                        pid   Process
Token: SeDebugPrivilege            1196  taskkill.exe
Token: SeDebugPrivilege            2716  taskkill.exe
Token: SeDebugPrivilege            2480  taskkill.exe
Token: SeDebugPrivilege            1100  taskkill.exe
Token: SeDebugPrivilege            628   taskkill.exe
Token: SeDebugPrivilege            2440  taskkill.exe
Token: SeDebugPrivilege            2296  taskkill.exe
Token: SeDebugPrivilege            1408  taskkill.exe
Token: SeDebugPrivilege            1828  taskkill.exe
Token: SeDebugPrivilege            1708  taskkill.exe
Token: SeDebugPrivilege            2336  svshost.exe
Token: SeDebugPrivilege            4056  svshost.exe
Token: SeTakeOwnershipPrivilege    4012  svshost.exe
Token: SeTcbPrivilege              4012  svshost.exe
Token: SeTcbPrivilege              4012  svshost.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid   Process
2336  svshost.exe
2876  svshost.exe
4056  svshost.exe
4012  svshost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                         pid   Process                                                                  procid_target
PID 2244 wrote to memory of 1664    2244  0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe    69
PID 2244 wrote to memory of 1664    2244  0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe    69
PID 2244 wrote to memory of 1664    2244  0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe    69
PID 1664 wrote to memory of 2536    1664  WScript.exe                                                              70
PID 1664 wrote to memory of 2536    1664  WScript.exe                                                              70
PID 1664 wrote to memory of 2536    1664  WScript.exe                                                              70
PID 2536 wrote to memory of 1196    2536  cmd.exe                                                                  72
PID 2536 wrote to memory of 1196    2536  cmd.exe                                                                  72
PID 2536 wrote to memory of 1196    2536  cmd.exe                                                                  72
PID 2536 wrote to memory of 2716    2536  cmd.exe                                                                  74
PID 2536 wrote to memory of 2716    2536  cmd.exe                                                                  74
PID 2536 wrote to memory of 2716    2536  cmd.exe                                                                  74
PID 2536 wrote to memory of 2480    2536  cmd.exe                                                                  75
PID 2536 wrote to memory of 2480    2536  cmd.exe                                                                  75
PID 2536 wrote to memory of 2480    2536  cmd.exe                                                                  75
PID 2536 wrote to memory of 1100    2536  cmd.exe                                                                  76
PID 2536 wrote to memory of 1100    2536  cmd.exe                                                                  76
PID 2536 wrote to memory of 1100    2536  cmd.exe                                                                  76
PID 2536 wrote to memory of 628     2536  cmd.exe                                                                  77
PID 2536 wrote to memory of 628     2536  cmd.exe                                                                  77
PID 2536 wrote to memory of 628     2536  cmd.exe                                                                  77
PID 2536 wrote to memory of 2440    2536  cmd.exe                                                                  78
PID 2536 wrote to memory of 2440    2536  cmd.exe                                                                  78
PID 2536 wrote to memory of 2440    2536  cmd.exe                                                                  78
PID 2536 wrote to memory of 2296    2536  cmd.exe                                                                  79
PID 2536 wrote to memory of 2296    2536  cmd.exe                                                                  79
PID 2536 wrote to memory of 2296    2536  cmd.exe                                                                  79
PID 2536 wrote to memory of 1408    2536  cmd.exe                                                                  80
PID 2536 wrote to memory of 1408    2536  cmd.exe                                                                  80
PID 2536 wrote to memory of 1408    2536  cmd.exe                                                                  80
PID 2536 wrote to memory of 1828    2536  cmd.exe                                                                  81
PID 2536 wrote to memory of 1828    2536  cmd.exe                                                                  81
PID 2536 wrote to memory of 1828    2536  cmd.exe                                                                  81
PID 2536 wrote to memory of 1708    2536  cmd.exe                                                                  82
PID 2536 wrote to memory of 1708    2536  cmd.exe                                                                  82
PID 2536 wrote to memory of 1708    2536  cmd.exe                                                                  82
PID 2536 wrote to memory of 2192    2536  cmd.exe                                                                  83
PID 2536 wrote to memory of 2192    2536  cmd.exe                                                                  83
PID 2536 wrote to memory of 2192    2536  cmd.exe                                                                  83
PID 2536 wrote to memory of 2044    2536  cmd.exe                                                                  84
PID 2536 wrote to memory of 2044    2536  cmd.exe                                                                  84
PID 2536 wrote to memory of 2044    2536  cmd.exe                                                                  84
PID 2536 wrote to memory of 3168    2536  cmd.exe                                                                  85
PID 2536 wrote to memory of 3168    2536  cmd.exe                                                                  85
PID 2536 wrote to memory of 3168    2536  cmd.exe                                                                  85
PID 2536 wrote to memory of 2144    2536  cmd.exe                                                                  86
PID 2536 wrote to memory of 2144    2536  cmd.exe                                                                  86
PID 2536 wrote to memory of 2144    2536  cmd.exe                                                                  86
PID 2536 wrote to memory of 2336    2536  cmd.exe                                                                  87
PID 2536 wrote to memory of 2336    2536  cmd.exe                                                                  87
PID 2536 wrote to memory of 2336    2536  cmd.exe                                                                  87
PID 2536 wrote to memory of 2876    2536  cmd.exe                                                                  88
PID 2536 wrote to memory of 2876    2536  cmd.exe                                                                  88
PID 2536 wrote to memory of 2876    2536  cmd.exe                                                                  88
PID 2536 wrote to memory of 4056    2536  cmd.exe                                                                  89
PID 2536 wrote to memory of 4056    2536  cmd.exe                                                                  89
PID 2536 wrote to memory of 4056    2536  cmd.exe                                                                  89
PID 4012 wrote to memory of 320     4012  svshost.exe                                                              91
PID 4012 wrote to memory of 3000    4012  svshost.exe                                                              92
PID 4012 wrote to memory of 3000    4012  svshost.exe                                                              92
PID 4012 wrote to memory of 3000    4012  svshost.exe                                                              92
PID 4012 wrote to memory of 320     4012  svshost.exe                                                              91
PID 4012 wrote to memory of 320     4012  svshost.exe                                                              91
PID 2536 wrote to memory of 3156    2536  cmd.exe                                                                  93
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe"
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2244
  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory
      PID: 1664
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        - Suspicious use of WriteProcessMemory
        PID: 2536
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im rutserv.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1196
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im rfusclient.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2716
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im svnhost.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2480
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im systemsmss.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1100
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im svshost.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 628
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im upgradewin.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2440
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im updated.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2296
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im systemswin.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1408
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im systems.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1828
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im systeminfo.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1708
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
          PID: 2192
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg delete "HKLM\SYSTEM\System Corporation Update" /f
          PID: 2044
      [4] C:\Windows\SysWOW64\regedit.exe
          Command line: regedit /s "regedit.reg"
          - Runs .reg file with regedit
          PID: 3168
      [4] C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 2
          - Delays execution with timeout.exe
          PID: 2144
      [4] C:\Users\Admin\AppData\Local\Temp\svshost.exe
          Command line: svshost.exe /silentinstall
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          PID: 2336
      [4] C:\Users\Admin\AppData\Local\Temp\svshost.exe
          Command line: svshost.exe /firewall
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          PID: 2876
      [4] C:\Users\Admin\AppData\Local\Temp\svshost.exe
          Command line: svshost.exe /start
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          PID: 4056
      [4] C:\Windows\SysWOW64\attrib.exe
          Command line: attrib +r +a +s +h "C:\Windows\System64" /S /D
          - Views/modifies file attributes
          PID: 3156
[1] C:\Users\Admin\AppData\Local\Temp\svshost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\svshost.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4012
  [2] C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 320
    [3] C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\upgradewin.exe /tray
        - Executes dropped EXE
        - Suspicious behavior: SetClipboardViewer
        PID: 3808
  [2] C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\upgradewin.exe /tray
      - Executes dropped EXE
      PID: 3000
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: e595f1eed00fef50a90ede49468cbe60
SHA1: 62d19a693bc252b889d684a147cf0206f77e7576
SHA256: 55faa864b3d8af8ee2560acc9bc002b296b375b209056d16fe9aa057859205c1
SHA512: 4c3a0d3275c2d809da77d7ce6aa560dd9827023de653a4bca6dbbb276fd1c1f9166537054bbdc7a02c2950488d7e658d989f0c76245f60e163ba917dc83f6a7b

MD5: 65fc32766a238ff3e95984e325357dbb
SHA1: 3ac16a2648410be8aa75f3e2817fbf69bb0e8922
SHA256: a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
SHA512: 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

MD5: b5da186c88f3e629882a94768910ac4a
SHA1: 8fa7b238cf4f08dc04ed54334bf1e6834781733e
SHA256: f2cfedc94567c049ae83f884d54c8b6e2758372adee9e9e50e16d76add165000
SHA512: 0829d0f16e689897737f0c57055723bece8a943ee394a785c38ae18903bcf2bbd254132b078f88724a03c319f57b072d9b8a546bbb85778b01865aaadc4cba0e

MD5: 8d071134c46b96619483975fc06a4c2a
SHA1: b6e20f7de308a6e6a9852965e25b581f34e8227b
SHA256: b7c95085ba862cb754172780279fd14e2cb49e805d8a06d28116e26330148ed0
SHA512: 5ead70b3abeb8aceffd94335d348b2cc02e122cd87f69e31ea3887c4217ecbf93963338fa7f374d8ca1034b43318b001d7feb4ff75575fe436e15908c0ec4b03

MD5: 8d071134c46b96619483975fc06a4c2a
SHA1: b6e20f7de308a6e6a9852965e25b581f34e8227b
SHA256: b7c95085ba862cb754172780279fd14e2cb49e805d8a06d28116e26330148ed0
SHA512: 5ead70b3abeb8aceffd94335d348b2cc02e122cd87f69e31ea3887c4217ecbf93963338fa7f374d8ca1034b43318b001d7feb4ff75575fe436e15908c0ec4b03

MD5: 8d071134c46b96619483975fc06a4c2a
SHA1: b6e20f7de308a6e6a9852965e25b581f34e8227b
SHA256: b7c95085ba862cb754172780279fd14e2cb49e805d8a06d28116e26330148ed0
SHA512: 5ead70b3abeb8aceffd94335d348b2cc02e122cd87f69e31ea3887c4217ecbf93963338fa7f374d8ca1034b43318b001d7feb4ff75575fe436e15908c0ec4b03

MD5: 8d071134c46b96619483975fc06a4c2a
SHA1: b6e20f7de308a6e6a9852965e25b581f34e8227b
SHA256: b7c95085ba862cb754172780279fd14e2cb49e805d8a06d28116e26330148ed0
SHA512: 5ead70b3abeb8aceffd94335d348b2cc02e122cd87f69e31ea3887c4217ecbf93963338fa7f374d8ca1034b43318b001d7feb4ff75575fe436e15908c0ec4b03

MD5: 8d071134c46b96619483975fc06a4c2a
SHA1: b6e20f7de308a6e6a9852965e25b581f34e8227b
SHA256: b7c95085ba862cb754172780279fd14e2cb49e805d8a06d28116e26330148ed0
SHA512: 5ead70b3abeb8aceffd94335d348b2cc02e122cd87f69e31ea3887c4217ecbf93963338fa7f374d8ca1034b43318b001d7feb4ff75575fe436e15908c0ec4b03

MD5: d8aa01236323dab4facb72d3af631203
SHA1: 01f18748f9c95121e22df54b192b383baff6b802
SHA256: 29ee12279007926e198af8d85a4dd15478db05d4ac2465f02af7c4315d7320df
SHA512: e2b38f3f978afcc7d547d4c3f8f9b882ae6f12df1747fd7bd91a45ea5226fbbdd3fa20835a4765f7d471c50d473cae3f37e7f0c97dbc6fb7c0450f604502da8a

MD5: d8aa01236323dab4facb72d3af631203
SHA1: 01f18748f9c95121e22df54b192b383baff6b802
SHA256: 29ee12279007926e198af8d85a4dd15478db05d4ac2465f02af7c4315d7320df
SHA512: e2b38f3f978afcc7d547d4c3f8f9b882ae6f12df1747fd7bd91a45ea5226fbbdd3fa20835a4765f7d471c50d473cae3f37e7f0c97dbc6fb7c0450f604502da8a

MD5: d8aa01236323dab4facb72d3af631203
SHA1: 01f18748f9c95121e22df54b192b383baff6b802
SHA256: 29ee12279007926e198af8d85a4dd15478db05d4ac2465f02af7c4315d7320df
SHA512: e2b38f3f978afcc7d547d4c3f8f9b882ae6f12df1747fd7bd91a45ea5226fbbdd3fa20835a4765f7d471c50d473cae3f37e7f0c97dbc6fb7c0450f604502da8a

MD5: d8aa01236323dab4facb72d3af631203
SHA1: 01f18748f9c95121e22df54b192b383baff6b802
SHA256: 29ee12279007926e198af8d85a4dd15478db05d4ac2465f02af7c4315d7320df
SHA512: e2b38f3f978afcc7d547d4c3f8f9b882ae6f12df1747fd7bd91a45ea5226fbbdd3fa20835a4765f7d471c50d473cae3f37e7f0c97dbc6fb7c0450f604502da8a