Analysis
- max time kernel: 468s
- max time network: 252s
- platform: windows11_x64
- resource: win11
- submitted: 30-01-2022 14:11
Tasks
- Static task: static1
- Behavioral task: behavioral1, Sample: ACTIVATE____SETUP__4695.exe, Resource: win7-en-20211208
- Behavioral task: behavioral2, Sample: ACTIVATE____SETUP__4695.exe, Resource: win10-en-20211208
- Behavioral task: behavioral3, Sample: ACTIVATE____SETUP__4695.exe, Resource: win11
General
- Target: ACTIVATE____SETUP__4695.exe
- Size: 744KB
- MD5: 849bf640bf914ec675b9477a802a22f9
- SHA1: e1a12595f8c9d48416ec342cd4037a32f3fdda24
- SHA256: 5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4
- SHA512: 763878ebb2c574f6e93e6bd7be49ee874e35e04c4bbd8d771224c16ece3628523041520497b6f66bd3f90e8f3e09b0accda049fa518bfbeb4fc77bc2175d6ec1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 472 Accostarmi.exe.pif
- Loads dropped DLL (7 IoCs)
  Processes: PID 472 Accostarmi.exe.pif (7 DLL loads)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes: PID 2000 tasklist.exe; PID 2388 tasklist.exe
- Modifies data under HKEY_USERS (41 IoCs)
  Processes: WaaSMedicAgent.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PID 2000 tasklist.exe, Token: SeDebugPrivilege; PID 2388 tasklist.exe, Token: SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: PID 472 Accostarmi.exe.pif (3 calls)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: PID 472 Accostarmi.exe.pif (3 calls)
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (source PID and process -> target PID and process; each write was observed 3 times):
  PID 5000 ACTIVATE____SETUP__4695.exe -> PID 4792 dllhost.exe
  PID 5000 ACTIVATE____SETUP__4695.exe -> PID 1536 cmd.exe
  PID 1536 cmd.exe -> PID 3124 cmd.exe
  PID 3124 cmd.exe -> PID 2000 tasklist.exe
  PID 3124 cmd.exe -> PID 788 find.exe
  PID 3124 cmd.exe -> PID 2388 tasklist.exe
  PID 3124 cmd.exe -> PID 3736 find.exe
  PID 3124 cmd.exe -> PID 4736 findstr.exe
  PID 3124 cmd.exe -> PID 472 Accostarmi.exe.pif
  PID 3124 cmd.exe -> PID 1052 waitfor.exe
Processes (process tree; indentation shows parent/child depth, signatures listed under the process that triggered them)
- C:\Users\Admin\AppData\Local\Temp\ACTIVATE____SETUP__4695.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ACTIVATE____SETUP__4695.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dllhost.exe
    Command line: "C:\Windows\System32\dllhost.exe"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c cmd < Nel.xls
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist /FI "imagename eq BullGuardCore.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\find.exe
        Command line: find /I /N "bullguardcore.exe"
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist /FI "imagename eq PSUAService.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\find.exe
        Command line: find /I /N "psuaservice.exe"
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^HSpZWdXvufzDAYGXjZABuYRJLvHBPEtTIkAzCKbYUuhbCfMdrpLnpmdIqmgmIvGBkAVfbjxBBCGZLxicKsnFSFJoVSzecYfbmLjezbSQPlXHSd$" Questo.xls
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
        Command line: Accostarmi.exe.pif x
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
      - C:\Windows\SysWOW64\waitfor.exe
        Command line: waitfor /t 5 aRUpIzAL
- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 9e25590de4b80355628001e19fad4e53 VWqDcBM/gUS1bXFtid5BQQ.0.1.0.3.0
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (files dropped during the run)
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nel.xls
  MD5: a338f121bc7c0acf5f297bf85f150b7f
  SHA1: b1b4dd45417c0907dabf3cd93ea6410c73df5325
  SHA256: 4556a5e53c426abe5565342d9b091134ebc4aaaedafb00454f0a248ff78e1668
  SHA512: fa6b633dd69bf0cc195b093417001517e3dbe22f516109a4180d853849741b44fe8fc00264135ab8686512dc8b58a01b7727f8c3a89de121b6a176a14f0485c0
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Questo.xls
  MD5: 0d8fea82e82b1fa16b1dc714d106830c
  SHA1: ee9b15e9c380bbd6ac6431aae8f4625fecb77bec
  SHA256: 36c088f98ef9b8fe659e23f01a15c72b6b9824faedbfd9ae78e00de536f80ed6
  SHA512: de6dd75f8086aee2a50f4042586400b563dfe5a551195567a7ba3caaaf7c80342f47c6b452f1a97118b02eaf984c2cf350fbc2bf5b0194c6f147f84f3d268494
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vorrei.xls
  MD5: cee0255c4b09a8487fb1d965c91b2769
  SHA1: 30e68f2c59d67c9dbde4366a91f07b6d2ad7a576
  SHA256: 5bdde7bda1df04120c4e30a546a59192ec439cebfd7b55e95adbcfed87d821b3
  SHA512: d94613f347210b15f8759ec20377878a91735712c3fbcba1aee19dbdcc3164e17ac8ef305f07242275b66bcc8678a3ea823420c262c185f601e4ca1e21bbf328
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gQCSdkwXO.dll
  MD5: 18633504d1d02fdd6ab81984751a095e
  SHA1: bed8b98e3a2e64ed80c9e733c3cdc119cfa87857
  SHA256: cfdf9bb639cd7a9751c3b475a908dbdac66f50d6ca5fe672b062f76bd1a4e232
  SHA512: 9d83eb74d4003c1bfcd83f51cc47b44393fdb84fdacfe36b7a7eb020cc81506ff04d3313414815670665a7d2f31eb2504e154d53b81aa830d5abe7371a099550
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\x
  MD5: cee0255c4b09a8487fb1d965c91b2769
  SHA1: 30e68f2c59d67c9dbde4366a91f07b6d2ad7a576
  SHA256: 5bdde7bda1df04120c4e30a546a59192ec439cebfd7b55e95adbcfed87d821b3
  SHA512: d94613f347210b15f8759ec20377878a91735712c3fbcba1aee19dbdcc3164e17ac8ef305f07242275b66bcc8678a3ea823420c262c185f601e4ca1e21bbf328