b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3

Analysis

max time kernel
77s
max time network
51s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-05-2022 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe
Size

1.5MB
MD5

fe7c13445868482b63e1ae71bca9d150
SHA1

78111d52ba0215bb531d487bc6e9a218ea768377
SHA256

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3
SHA512

c1a2bc27e1381f6ed142ffb8a6cdb0006a9161433dbb9222f83ec407cf0bb5510f9986108b4e96c4a3d0dd30659cc48baec96b9ca962082c64c0fcbcc8c0879c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Decoder.exesystems32.exe

pid	Process
680	Decoder.exe
58784	systems32.exe

Drops startup file 2 IoCs

Processes:

Decoder.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Loads dropped DLL 1 IoCs

Processes:

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe

pid	Process
1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	api.ipify.org
4	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe

pid	Process
1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe
1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
1492	schtasks.exe
58876	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

Processes:

timeout.exetimeout.exe

pid	Process
1300	timeout.exe
1424	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Decoder.exesystems32.exe

pid	Process
680	Decoder.exe
58784	systems32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exeDecoder.exesystems32.exe

description	pid	Process
Token: SeDebugPrivilege	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe
Token: SeDebugPrivilege	680	Decoder.exe
Token: SeDebugPrivilege	58784	systems32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe

pid	Process
1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.execmd.execmd.exeDecoder.exetaskeng.exesystems32.exe

description	pid	Process	procid_target
PID 1944 wrote to memory of 680	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	28
PID 1944 wrote to memory of 680	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	28
PID 1944 wrote to memory of 680	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	28
PID 1944 wrote to memory of 680	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	28
PID 1944 wrote to memory of 572	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	29
PID 1944 wrote to memory of 572	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	29
PID 1944 wrote to memory of 572	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	29
PID 1944 wrote to memory of 572	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	29
PID 1944 wrote to memory of 668	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	31
PID 1944 wrote to memory of 668	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	31
PID 1944 wrote to memory of 668	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	31
PID 1944 wrote to memory of 668	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	31
PID 668 wrote to memory of 1424	668	cmd.exe	34
PID 668 wrote to memory of 1424	668	cmd.exe	34
PID 668 wrote to memory of 1424	668	cmd.exe	34
PID 668 wrote to memory of 1424	668	cmd.exe	34
PID 572 wrote to memory of 1300	572	cmd.exe	33
PID 572 wrote to memory of 1300	572	cmd.exe	33
PID 572 wrote to memory of 1300	572	cmd.exe	33
PID 572 wrote to memory of 1300	572	cmd.exe	33
PID 680 wrote to memory of 1492	680	Decoder.exe	35
PID 680 wrote to memory of 1492	680	Decoder.exe	35
PID 680 wrote to memory of 1492	680	Decoder.exe	35
PID 58492 wrote to memory of 58784	58492	taskeng.exe	38
PID 58492 wrote to memory of 58784	58492	taskeng.exe	38
PID 58492 wrote to memory of 58784	58492	taskeng.exe	38
PID 58784 wrote to memory of 58876	58784	systems32.exe	39
PID 58784 wrote to memory of 58876	58784	systems32.exe	39
PID 58784 wrote to memory of 58876	58784	systems32.exe	39

C:\Users\Admin\AppData\Local\Temp\b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe
"C:\Users\Admin\AppData\Local\Temp\b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944
- C:\ProgramData\Decoder.exe
  "C:\ProgramData\Decoder.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - Delays execution with timeout.exe
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4358.tmp.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - Delays execution with timeout.exe
    PID:1424

C:\Windows\system32\taskeng.exe
taskeng.exe {AEFC3BE6-3227-4BCC-B77D-8A57490156DC} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:58492
- C:\systems32_bit\systems32.exe
  \systems32_bit\systems32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:58784
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:58876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe

Filesize
39KB

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\ProgramData\Decoder.exe

Filesize
39KB

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
28B

MD5
217407484aac2673214337def8886072

SHA1
0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

SHA256
467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

SHA512
8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4358.tmp.cmd

Filesize
131B

MD5
d24fa10befdf8e5043f12632665a7990

SHA1
62cdfcaaafb90897ae1b955e13a372b3b0de50de

SHA256
9ae02fe424ba041c4e2e99496bb163d4d2209e1ffa081f8f07d742c272803d20

SHA512
4e849cda458fa88b2643795e850fe12a80369e1d7e854761786dcbdd0e51c5a2b3f42d7bde78381f991b1405452e07070e17ace8da231f0ac24fc4b8c2064b43

Download Submit
C:\systems32_bit\systems32.exe

Filesize
39KB

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\systems32_bit\systems32.exe

Filesize
39KB

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
\ProgramData\Decoder.exe

Filesize
39KB

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
memory/572-60-0x0000000000000000-mapping.dmp

Download
memory/668-62-0x0000000000000000-mapping.dmp

Download
memory/680-67-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/680-68-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/680-58-0x0000000000000000-mapping.dmp

Download
memory/1300-66-0x0000000000000000-mapping.dmp

Download
memory/1424-65-0x0000000000000000-mapping.dmp

Download
memory/1492-69-0x0000000000000000-mapping.dmp

Download
memory/1944-55-0x0000000000800000-0x0000000000C4E000-memory.dmp

Filesize
4.3MB

Download
memory/1944-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1944-56-0x0000000002EF0000-0x0000000002F66000-memory.dmp

Filesize
472KB

Download
memory/58784-70-0x0000000000000000-mapping.dmp

Download
memory/58784-73-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/58876-75-0x0000000000000000-mapping.dmp

Download