e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20220414-en
submitted
18-05-2022 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff72b295ded9889cee24320db368bcf1.exe
Size

809KB
MD5

ff72b295ded9889cee24320db368bcf1
SHA1

5d7991f8495d56088710dd558faba639ffd05292
SHA256

e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd
SHA512

37ab209741e90c78565d170ab48d7ee83c8633e93e646a4c8f639c305c8b6528841668b6aa7797870612d24e11e1ff1aaae0f5622e9a2195957f9142e93a7b1b

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata

Executes dropped EXE 1 IoCs

pid	Process
696	IFMb39aGmCsqJcthXwNQEToq7.exe

Deletes itself 1 IoCs

pid	Process
524	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1868	ff72b295ded9889cee24320db368bcf1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TxMT8hHkO8fBB5FlBurdwljpn = "C:\\ProgramData\\4vFAHkNczECIXuLdvBZKuXofw\\IFMb39aGmCsqJcthXwNQEToq7.exe"	ff72b295ded9889cee24320db368bcf1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1800	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1308	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
696	IFMb39aGmCsqJcthXwNQEToq7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe
1868	ff72b295ded9889cee24320db368bcf1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	ff72b295ded9889cee24320db368bcf1.exe
Token: SeDebugPrivilege	1868	ff72b295ded9889cee24320db368bcf1.exe
Token: SeDebugPrivilege	696	IFMb39aGmCsqJcthXwNQEToq7.exe
Token: SeDebugPrivilege	696	IFMb39aGmCsqJcthXwNQEToq7.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1800	1868	ff72b295ded9889cee24320db368bcf1.exe	27
PID 1868 wrote to memory of 1800	1868	ff72b295ded9889cee24320db368bcf1.exe	27
PID 1868 wrote to memory of 1800	1868	ff72b295ded9889cee24320db368bcf1.exe	27
PID 1868 wrote to memory of 696	1868	ff72b295ded9889cee24320db368bcf1.exe	29
PID 1868 wrote to memory of 696	1868	ff72b295ded9889cee24320db368bcf1.exe	29
PID 1868 wrote to memory of 696	1868	ff72b295ded9889cee24320db368bcf1.exe	29
PID 1868 wrote to memory of 524	1868	ff72b295ded9889cee24320db368bcf1.exe	30
PID 1868 wrote to memory of 524	1868	ff72b295ded9889cee24320db368bcf1.exe	30
PID 1868 wrote to memory of 524	1868	ff72b295ded9889cee24320db368bcf1.exe	30
PID 524 wrote to memory of 1308	524	cmd.exe	32
PID 524 wrote to memory of 1308	524	cmd.exe	32
PID 524 wrote to memory of 1308	524	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\ff72b295ded9889cee24320db368bcf1.exe
"C:\Users\Admin\AppData\Local\Temp\ff72b295ded9889cee24320db368bcf1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\system32\schtasks.exe
  "schtasks.exe" /create /tn TxMT8hHkO8fBB5FlBurdwljpn /tr "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe" /st 00:22 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:1800
- C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe
  "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8057.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
645.3MB

MD5
15a3a72ed92f48d1643d99eaa9640179

SHA1
298e064647fe3f5f5ac21d67bbd358f9976623eb

SHA256
7333a82c1c4ed043ae3997a619100002162a39c915f1fc2f240b4419a0705493

SHA512
c5e2c02a4300e6f32ed901cf004ce112907920d485eeb4dc0af96e9e9ae4443930dfa4a8eca2936ea432ccbd79d8bac7fc70235787c248a41d433668b3d8874c

Download Submit
C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
645.3MB

MD5
15a3a72ed92f48d1643d99eaa9640179

SHA1
298e064647fe3f5f5ac21d67bbd358f9976623eb

SHA256
7333a82c1c4ed043ae3997a619100002162a39c915f1fc2f240b4419a0705493

SHA512
c5e2c02a4300e6f32ed901cf004ce112907920d485eeb4dc0af96e9e9ae4443930dfa4a8eca2936ea432ccbd79d8bac7fc70235787c248a41d433668b3d8874c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8057.tmp.bat

Filesize
184B

MD5
2810b99d55ecb63eb665c03ea2fd9a94

SHA1
f76fa96ee0c230c2af68616741c3dc8b59bb77e2

SHA256
29766cfe739dc4f12a4bbe1d760eaedd86f0bd822eccbe7bc9ff98a42efa625b

SHA512
0399699f690cf2aac0cfb86463d45164d0d87a3b86adf879164760c9bd8e44fbb7c5996a0d3f148aa4f3e9589d091359a03dcd8f6d200ca440b5f6ccfda94e6d

Download Submit
\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
645.3MB

MD5
15a3a72ed92f48d1643d99eaa9640179

SHA1
298e064647fe3f5f5ac21d67bbd358f9976623eb

SHA256
7333a82c1c4ed043ae3997a619100002162a39c915f1fc2f240b4419a0705493

SHA512
c5e2c02a4300e6f32ed901cf004ce112907920d485eeb4dc0af96e9e9ae4443930dfa4a8eca2936ea432ccbd79d8bac7fc70235787c248a41d433668b3d8874c

Download Submit
memory/696-69-0x000000001BBD5000-0x000000001BBD8000-memory.dmp

Filesize
12KB

Download
memory/696-68-0x000000001D0B0000-0x000000001D17A000-memory.dmp

Filesize
808KB

Download
memory/696-67-0x000000001BBB6000-0x000000001BBD5000-memory.dmp

Filesize
124KB

Download
memory/696-63-0x000000013F370000-0x000000013F43E000-memory.dmp

Filesize
824KB

Download
memory/1868-58-0x000000001BB56000-0x000000001BB75000-memory.dmp

Filesize
124KB

Download
memory/1868-54-0x000000013F510000-0x000000013F5DE000-memory.dmp

Filesize
824KB

Download
memory/1868-56-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/1868-55-0x000000001AC50000-0x000000001AD26000-memory.dmp

Filesize
856KB

Download