Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
15-04-2022 12:54
Static task
static1
Behavioral task
behavioral1
Sample
eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe
Resource
win10v2004-20220414-en
General
-
Target
eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe
-
Size
557KB
-
MD5
a9c69fa0b7a1a2a72928c83bf48cea3e
-
SHA1
7cf88e28f6a0e12953a89aba86cc1dea8794f27e
-
SHA256
eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0
-
SHA512
de5e3403104d78951505c03e51c6ae7526612a844ebc4e989d4faf8bf8138fa9f3afcc39d80ac1d224dd1f95dfcd215cb12407273e90dc409e48908417513e5b
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 1816 msfonts.exe 1896 TZNlVAKZE10zbXRI.exe -
resource yara_rule behavioral1/files/0x000700000001335e-87.dat upx behavioral1/files/0x000700000001335e-88.dat upx behavioral1/files/0x000700000001335e-90.dat upx behavioral1/files/0x000700000001335e-89.dat upx behavioral1/files/0x000700000001335e-92.dat upx -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msfonts.lnk msfonts.exe -
Loads dropped DLL 6 IoCs
pid Process 1696 cmd.exe 1816 msfonts.exe 1712 mscorsvw.exe 1712 mscorsvw.exe 1712 mscorsvw.exe 1712 mscorsvw.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1896 TZNlVAKZE10zbXRI.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1816 set thread context of 1712 1816 msfonts.exe 37 PID 1816 set thread context of 640 1816 msfonts.exe 41 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2012 msconfigs.exe 1816 msfonts.exe 1816 msfonts.exe 1816 msfonts.exe 1816 msfonts.exe 1816 msfonts.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1756 eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1756 eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe Token: SeDebugPrivilege 2012 msconfigs.exe Token: SeDebugPrivilege 1816 msfonts.exe Token: SeShutdownPrivilege 1896 TZNlVAKZE10zbXRI.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 1756 wrote to memory of 2024 1756 eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe 28 PID 1756 wrote to memory of 2024 1756 eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe 28 PID 1756 wrote to memory of 2024 1756 eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe 28 PID 1756 wrote to memory of 2024 1756 eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe 28 PID 2024 wrote to memory of 2012 2024 cmd.exe 30 PID 2024 wrote to memory of 2012 2024 cmd.exe 30 PID 2024 wrote to memory of 2012 2024 cmd.exe 30 PID 2024 wrote to memory of 2012 2024 cmd.exe 30 PID 2012 wrote to memory of 640 2012 msconfigs.exe 32 PID 2012 wrote to memory of 640 2012 msconfigs.exe 32 PID 2012 wrote to memory of 640 2012 msconfigs.exe 32 PID 2012 wrote to memory of 640 2012 msconfigs.exe 32 PID 2012 wrote to memory of 1696 2012 msconfigs.exe 34 PID 2012 wrote to memory of 1696 2012 msconfigs.exe 34 PID 2012 wrote to memory of 1696 2012 msconfigs.exe 34 PID 2012 wrote to memory of 1696 2012 msconfigs.exe 34 PID 1696 wrote to memory of 1816 1696 cmd.exe 36 PID 1696 wrote to memory of 1816 1696 cmd.exe 36 PID 1696 wrote to memory of 1816 1696 cmd.exe 36 PID 1696 wrote to memory of 1816 1696 cmd.exe 36 PID 1816 wrote to memory of 1712 1816 msfonts.exe 37 PID 1816 wrote to memory of 1712 1816 msfonts.exe 37 PID 1816 wrote to memory of 1712 1816 msfonts.exe 37 PID 1816 wrote to memory of 1712 1816 msfonts.exe 37 PID 1816 wrote to memory of 1712 1816 msfonts.exe 37 PID 1816 wrote to memory of 1712 1816 msfonts.exe 37 PID 1816 wrote to memory of 1712 1816 msfonts.exe 37 PID 1816 wrote to memory of 1712 1816 msfonts.exe 37 PID 1816 wrote to memory of 1712 1816 msfonts.exe 37 PID 1816 wrote to memory of 1712 1816 msfonts.exe 37 PID 1816 wrote to memory of 1712 1816 msfonts.exe 37 PID 1816 wrote to memory of 1712 1816 msfonts.exe 37 PID 1712 wrote to memory of 1896 1712 mscorsvw.exe 40 PID 1712 wrote to memory of 1896 1712 mscorsvw.exe 40 PID 1712 wrote to memory of 1896 1712 mscorsvw.exe 40 PID 1712 wrote to memory of 1896 1712 mscorsvw.exe 40 PID 1816 wrote to memory of 640 1816 msfonts.exe 41 PID 1816 wrote to memory of 640 1816 msfonts.exe 41 PID 1816 wrote to memory of 640 1816 msfonts.exe 41 PID 1816 wrote to memory of 640 1816 msfonts.exe 41 PID 1816 wrote to memory of 640 1816 msfonts.exe 41 PID 1816 wrote to memory of 640 1816 msfonts.exe 41 PID 1816 wrote to memory of 640 1816 msfonts.exe 41 PID 1816 wrote to memory of 640 1816 msfonts.exe 41 PID 1816 wrote to memory of 640 1816 msfonts.exe 41 PID 1816 wrote to memory of 640 1816 msfonts.exe 41 PID 1816 wrote to memory of 640 1816 msfonts.exe 41 PID 1816 wrote to memory of 640 1816 msfonts.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe"C:\Users\Admin\AppData\Local\Temp\eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe"1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\Temp\msconfigs.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\msconfigs.exe"C:\Users\Admin\AppData\Local\Temp\msconfigs.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\msconfigs.exe" "C:\Users\Admin\AppData\Roaming\msfonts.exe"4⤵PID:640
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\msfonts.exe"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Users\Admin\AppData\Roaming\msfonts.exe"C:\Users\Admin\AppData\Roaming\msfonts.exe"5⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\TZNlVAKZE10zbXRI.exe"C:\Users\Admin\AppData\Local\Temp\TZNlVAKZE10zbXRI.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1896
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"6⤵PID:640
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.6MB
MD582994b5f5726565ab094aca586ca25ac
SHA15ef88f5e534eefb0dde10cfdce0d977075c40d1a
SHA256f0428acc40b7ec72a6d1409c3adc1f62bead8f0ef9c5ee47d5f92c35e0bc18bc
SHA51223d19fefea22af46425a0d9e0a0470cea9612681e28c43affe0f2a02ee40683cff62c6728cac59a046f962d7a605c6a4ccf0997570b5898d3cfd7b73e1ce73ac
-
Filesize
557KB
MD5a9c69fa0b7a1a2a72928c83bf48cea3e
SHA17cf88e28f6a0e12953a89aba86cc1dea8794f27e
SHA256eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0
SHA512de5e3403104d78951505c03e51c6ae7526612a844ebc4e989d4faf8bf8138fa9f3afcc39d80ac1d224dd1f95dfcd215cb12407273e90dc409e48908417513e5b
-
Filesize
557KB
MD5a9c69fa0b7a1a2a72928c83bf48cea3e
SHA17cf88e28f6a0e12953a89aba86cc1dea8794f27e
SHA256eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0
SHA512de5e3403104d78951505c03e51c6ae7526612a844ebc4e989d4faf8bf8138fa9f3afcc39d80ac1d224dd1f95dfcd215cb12407273e90dc409e48908417513e5b
-
Filesize
5.6MB
MD582994b5f5726565ab094aca586ca25ac
SHA15ef88f5e534eefb0dde10cfdce0d977075c40d1a
SHA256f0428acc40b7ec72a6d1409c3adc1f62bead8f0ef9c5ee47d5f92c35e0bc18bc
SHA51223d19fefea22af46425a0d9e0a0470cea9612681e28c43affe0f2a02ee40683cff62c6728cac59a046f962d7a605c6a4ccf0997570b5898d3cfd7b73e1ce73ac
-
Filesize
5.6MB
MD582994b5f5726565ab094aca586ca25ac
SHA15ef88f5e534eefb0dde10cfdce0d977075c40d1a
SHA256f0428acc40b7ec72a6d1409c3adc1f62bead8f0ef9c5ee47d5f92c35e0bc18bc
SHA51223d19fefea22af46425a0d9e0a0470cea9612681e28c43affe0f2a02ee40683cff62c6728cac59a046f962d7a605c6a4ccf0997570b5898d3cfd7b73e1ce73ac
-
Filesize
5.6MB
MD582994b5f5726565ab094aca586ca25ac
SHA15ef88f5e534eefb0dde10cfdce0d977075c40d1a
SHA256f0428acc40b7ec72a6d1409c3adc1f62bead8f0ef9c5ee47d5f92c35e0bc18bc
SHA51223d19fefea22af46425a0d9e0a0470cea9612681e28c43affe0f2a02ee40683cff62c6728cac59a046f962d7a605c6a4ccf0997570b5898d3cfd7b73e1ce73ac
-
Filesize
5.6MB
MD582994b5f5726565ab094aca586ca25ac
SHA15ef88f5e534eefb0dde10cfdce0d977075c40d1a
SHA256f0428acc40b7ec72a6d1409c3adc1f62bead8f0ef9c5ee47d5f92c35e0bc18bc
SHA51223d19fefea22af46425a0d9e0a0470cea9612681e28c43affe0f2a02ee40683cff62c6728cac59a046f962d7a605c6a4ccf0997570b5898d3cfd7b73e1ce73ac
-
Filesize
557KB
MD5a9c69fa0b7a1a2a72928c83bf48cea3e
SHA17cf88e28f6a0e12953a89aba86cc1dea8794f27e
SHA256eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0
SHA512de5e3403104d78951505c03e51c6ae7526612a844ebc4e989d4faf8bf8138fa9f3afcc39d80ac1d224dd1f95dfcd215cb12407273e90dc409e48908417513e5b
-
Filesize
557KB
MD5a9c69fa0b7a1a2a72928c83bf48cea3e
SHA17cf88e28f6a0e12953a89aba86cc1dea8794f27e
SHA256eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0
SHA512de5e3403104d78951505c03e51c6ae7526612a844ebc4e989d4faf8bf8138fa9f3afcc39d80ac1d224dd1f95dfcd215cb12407273e90dc409e48908417513e5b