Overview

overview

10

Static

static

7

3756c1fcf3...65.exe

windows7_x64

10

3756c1fcf3...65.exe

windows10_x64

10

Analysis

  • max time kernel
    155s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    31-01-2022 03:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe

  • Size

    32KB

  • MD5

    0793e40192cb5916d1aeb03e045ddd58

  • SHA1

    4f07512ff629cae2e4175a3e1e4235fa8cee3bfe

  • SHA256

    3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565

  • SHA512

    2b5bfbfc151861dead86d241ad3a6afb76142cb4a6fd2811abfebab4f3026af92f0aee25865d778672a3c8cf0f3496f707a1efba1212067a2471d66b1a7b3226

Score
10/10
persistencethemida

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 3 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe
    "C:\Users\Admin\AppData\Local\Temp\3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\W.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c tasklist /FI "WINDOWTITLE eq 342213780" /FO CSV
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "WINDOWTITLE eq 342213780" /FO CSV
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:304
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" Set WhiteList=Microsoft.ActiveDirectory.WebServices.exe:cmd.exe:find.exe:conhost.exe:explorer.exe:ctfmon.exe:dllhost.exe:lsass.exe:services.exe:smss.exe:tasklist.exe:winlogon.exe:wmiprvse.exe:msdts.exe:bfsvc.exe:AdapterTroubleshooter.exe:alg.exe:dwm.exe:issch.exe:rundll32.exe:spoolsv.exe:wininit.exe:wmiprvse.exe:wudfhost.exe:taskmgr.exe:rdpclip.exe:logonui.exe:lsm.exe:spoolsv.exe:dwm.exe:dfssvc.exe:csrss.exe:svchost.exe:3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe:/FO CSV') Do (Echo :"
        3⤵
          PID:836
        • C:\Windows\SysWOW64\find.exe
          Find /I ":%~p:"
          3⤵
            PID:2008
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" Echo :"
            3⤵
              PID:2004
            • C:\Windows\SysWOW64\find.exe
              Find /I ":%~p:"
              3⤵
                PID:2012
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" Echo :"
                3⤵
                  PID:1060
                • C:\Windows\SysWOW64\find.exe
                  Find /I ":):"
                  3⤵
                    PID:1252
                  • C:\Windows\SysWOW64\taskkill.exe
                    TaskKill /F /IM ")"
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1528

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Winlogon Helper DLL

              2
              T1004

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              Defense Evasion

              Modify Registry

              3
              T1112

              Credential Access

              Discovery

              System Information Discovery

              1
              T1082

              Process Discovery

              1
              T1057

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\W.bat
                MD5

                cd86964cdae6daa2fd67c7a29376b4b7

                SHA1

                eafed9c23b60ae5e9d8c0e73f7d69c1b4ea74819

                SHA256

                8957c1c743faff67fb124e8e491e6fe5e66ee2b018d23dbeb4483aca2a650327

                SHA512

                309bd081d6088e2bb4d6edc0ac9036adc988ef603ac9a4b18e2a889de5180466412ae234c2c46654933d288cf26ec25c9445520904eff2f8112c545dcb7018f9

                Download Submit
              • memory/1640-64-0x0000000000370000-0x0000000000371000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1640-61-0x00000000002B0000-0x00000000002DD000-memory.dmp
                Filesize

                180KB

                Download
              • memory/1640-65-0x0000000000380000-0x0000000000381000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1640-60-0x00000000003A0000-0x00000000003A1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1640-66-0x0000000000390000-0x0000000000391000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1640-62-0x0000000000360000-0x0000000000361000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1640-63-0x0000000000360000-0x0000000000369000-memory.dmp
                Filesize

                36KB

                Download
              • memory/1640-58-0x00000000022D0000-0x000000000236F000-memory.dmp
                Filesize

                636KB

                Download
              • memory/1640-59-0x00000000003B0000-0x00000000003B1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1640-56-0x0000000000400000-0x000000000041B396-memory.dmp
                Filesize

                108KB

                Download
              • memory/1640-54-0x0000000075431000-0x0000000075433000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1640-67-0x0000000002370000-0x000000000249D000-memory.dmp
                Filesize

                1.2MB

                Download
              • memory/1640-68-0x0000000000510000-0x000000000052F000-memory.dmp
                Filesize

                124KB

                Download
              • memory/1640-70-0x0000000000470000-0x0000000000476000-memory.dmp
                Filesize

                24KB

                Download
              • memory/1640-69-0x00000000027E0000-0x00000000028E9000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/1640-71-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1640-55-0x0000000000400000-0x000000000041B396-memory.dmp
                Filesize

                108KB

                Download