e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302

Analysis

max time kernel
201s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-04-2022 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
Size

3.7MB
MD5

50f94e792afda30fe1c485c2d733ddae
SHA1

5acb6535b97021f32220fb4ec2c68bb3019ec55b
SHA256

e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302
SHA512

2f5cdd6c589289e1e35cc50fc449c6419a81f724e65770d9bb2aca5f42472476a06de522e7a9f29d6e6dd52ff49fac355a058f9971ef3ee4b3c274ebd4de8834

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\bAPSHbkkGXm778Nx\\bd2za1clTfqT.exe\",explorer.exe"	e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe

Executes dropped EXE 3 IoCs

Processes:

B8sKIHOgV2jUK8al.exeB8sKIHOgV2jUK8al.exeB8sKIHOgV2jUK8al.exe

pid process

2916 B8sKIHOgV2jUK8al.exe
4968 B8sKIHOgV2jUK8al.exe
4136 B8sKIHOgV2jUK8al.exe

pid	process
2916	B8sKIHOgV2jUK8al.exe
4968	B8sKIHOgV2jUK8al.exe
4136	B8sKIHOgV2jUK8al.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

B8sKIHOgV2jUK8al.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	B8sKIHOgV2jUK8al.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	B8sKIHOgV2jUK8al.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

B8sKIHOgV2jUK8al.exe

pid process

4968 B8sKIHOgV2jUK8al.exe
4968 B8sKIHOgV2jUK8al.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe

description pid process

Token: SeDebugPrivilege 2968 e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

B8sKIHOgV2jUK8al.exe

pid process

4136 B8sKIHOgV2jUK8al.exe
4136 B8sKIHOgV2jUK8al.exe
4136 B8sKIHOgV2jUK8al.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

B8sKIHOgV2jUK8al.exe

pid process

4136 B8sKIHOgV2jUK8al.exe
4136 B8sKIHOgV2jUK8al.exe
4136 B8sKIHOgV2jUK8al.exe

pid	process
4968	B8sKIHOgV2jUK8al.exe
4968	B8sKIHOgV2jUK8al.exe

description	pid	process
Token: SeDebugPrivilege	2968	e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe

pid	process
4136	B8sKIHOgV2jUK8al.exe
4136	B8sKIHOgV2jUK8al.exe
4136	B8sKIHOgV2jUK8al.exe

pid	process
4136	B8sKIHOgV2jUK8al.exe
4136	B8sKIHOgV2jUK8al.exe
4136	B8sKIHOgV2jUK8al.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exeB8sKIHOgV2jUK8al.exe

description	pid	process	target process
PID 2968 wrote to memory of 2916	2968	e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe	B8sKIHOgV2jUK8al.exe
PID 2968 wrote to memory of 2916	2968	e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe	B8sKIHOgV2jUK8al.exe
PID 2968 wrote to memory of 2916	2968	e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe	B8sKIHOgV2jUK8al.exe
PID 2916 wrote to memory of 4968	2916	B8sKIHOgV2jUK8al.exe	B8sKIHOgV2jUK8al.exe
PID 2916 wrote to memory of 4968	2916	B8sKIHOgV2jUK8al.exe	B8sKIHOgV2jUK8al.exe
PID 2916 wrote to memory of 4968	2916	B8sKIHOgV2jUK8al.exe	B8sKIHOgV2jUK8al.exe
PID 2916 wrote to memory of 4136	2916	B8sKIHOgV2jUK8al.exe	B8sKIHOgV2jUK8al.exe
PID 2916 wrote to memory of 4136	2916	B8sKIHOgV2jUK8al.exe	B8sKIHOgV2jUK8al.exe
PID 2916 wrote to memory of 4136	2916	B8sKIHOgV2jUK8al.exe	B8sKIHOgV2jUK8al.exe

C:\Users\Admin\AppData\Local\Temp\e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
"C:\Users\Admin\AppData\Local\Temp\e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe
"C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe
"C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe" --local-service
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4968

C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe
"C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe" --local-control
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe
Filesize
3.5MB

MD5
e9fb13875b744fa633d1a7a34b0f6a52

SHA1
f0966985745541ba01800aa213509a89a7fdf716

SHA256
fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

SHA512
c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe
Filesize
3.5MB

MD5
e9fb13875b744fa633d1a7a34b0f6a52

SHA1
f0966985745541ba01800aa213509a89a7fdf716

SHA256
fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

SHA512
c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe
Filesize
3.5MB

MD5
e9fb13875b744fa633d1a7a34b0f6a52

SHA1
f0966985745541ba01800aa213509a89a7fdf716

SHA256
fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

SHA512
c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe
Filesize
3.5MB

MD5
e9fb13875b744fa633d1a7a34b0f6a52

SHA1
f0966985745541ba01800aa213509a89a7fdf716

SHA256
fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

SHA512
c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
7KB

MD5
87b880fded5866f4cbd13a957b2cc042

SHA1
17273cd4f43bd51fdc759bf5e0ea1ca30cccc22f

SHA256
07f917a3ed3fa66fba3d56f54eadbffd1977aa0abe4c0dbd1736c5f488771a01

SHA512
71565e17c7290fe1a5e51fbeb88fb01e3a11b8c0c97ce6f3e2aa08e256f95ea1727ad50cf8eee05b3206e53ae781c172d2872c23f72c4c6d1102d7c3cdef6950

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
8KB

MD5
4252d6b9cf1e4167bc7d6224a1fc8b1d

SHA1
86a382dc871f946bd3d8e34d11a985b3a387fc96

SHA256
b613757b59cd6fb7d05346d1b72d1db9efae67eee1bff0d4744a6616ddbc3cd0

SHA512
3d9ac9c6ed0e0699d460efe804776cf12d1c3126c3f40ec21fd4220c474a2ee59403233753580ac08d0ae4ef98325ab03d5d77ef1dfada210d22d77ccf7e93a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
dc44c0d3acca5dda701705f29b6fa396

SHA1
268ed08ab8d64c638d4f7e5f7fe47b74ddd42d79

SHA256
44191ce5c944fdcb65f6dc610d24a7f64f574531aa0fa9ae783827f893ef42e0

SHA512
5006b007059db8ddca313605b15afa96a99a113c9416e8ae10735f7378bf2c8817ebff37b11b5318527274df1b9525032bdd5308a71f6b36b0e0ebd5029ee581

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
105B

MD5
2821f44709d619234bf06a39d4fdbf9b

SHA1
fe10d1428b41a6810f45e8ae3e8b06f5986e1996

SHA256
828ded024f01f9c8fec896e91790e689f524bb7d37c7cf97147e44f273adb759

SHA512
c8a10a2fb8da7f130c46eba97a2ed4cdb7e28923dffe8168c7b6f84e99650638f9c10d224ce12df20b643e20b4249290e1618ba63d8ba87bde13353c708d53cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
113B

MD5
ffd38000d16c2dbac41a90fcbcb2c4d0

SHA1
44a5ba0fed8aa0614107e47823a6d3bb2fa1846a

SHA256
436affe25e583303713f6bad3d79bad62141090e6bc78f05c6a1caffc8960fa5

SHA512
883b4047a3cc6772a62b1b2c5460ae8684e670882481e22b8c34cb741d3705c61167f7ec73582ed6bfe3155bb6822b12d0bc687cafc156640122c232b1d2f027

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/2916-135-0x0000000000000000-mapping.dmp

Download
memory/2916-137-0x0000000000620000-0x0000000001395000-memory.dmp

Filesize
13.5MB

Download
memory/2916-139-0x0000000000620000-0x0000000001395000-memory.dmp

Filesize
13.5MB

Download
memory/2968-133-0x0000000005310000-0x000000000531A000-memory.dmp

Filesize
40KB

Download
memory/2968-134-0x0000000005330000-0x00000000058D4000-memory.dmp

Filesize
5.6MB

Download
memory/2968-131-0x00000000058E0000-0x0000000005E84000-memory.dmp

Filesize
5.6MB

Download
memory/2968-132-0x0000000005260000-0x00000000052F2000-memory.dmp

Filesize
584KB

Download
memory/2968-130-0x0000000000510000-0x00000000008C6000-memory.dmp

Filesize
3.7MB

Download
memory/4136-143-0x0000000000000000-mapping.dmp

Download
memory/4136-146-0x0000000000620000-0x0000000001395000-memory.dmp

Filesize
13.5MB

Download
memory/4136-153-0x0000000000620000-0x0000000001395000-memory.dmp

Filesize
13.5MB

Download
memory/4968-145-0x0000000000620000-0x0000000001395000-memory.dmp

Filesize
13.5MB

Download
memory/4968-152-0x0000000000620000-0x0000000001395000-memory.dmp

Filesize
13.5MB

Download
memory/4968-141-0x0000000000000000-mapping.dmp

Download