30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745

Analysis

max time kernel
42s
max time network
120s
platform
windows7_x64
resource
win7-20220414-en
submitted
18-05-2022 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be75e9e51767b5a59536afbbf9ffafbc.exe
Size

810KB
MD5

be75e9e51767b5a59536afbbf9ffafbc
SHA1

78be65d86a6918643092e8e90fd72ad3b9ab997f
SHA256

30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745
SHA512

4e9f7198dd12adeb21669f74e1cdebe16ac7ccae8e1f29b537438239d1a240a8f1ab890afebe8c1f8603909a1c72b8ce7e7c981f2147fa53dccc6c43b6a3d9e6

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata

Executes dropped EXE 1 IoCs

pid	Process
336	test.exe

Deletes itself 1 IoCs

pid	Process
1756	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HGRAyZk0Y950ZeEUrPGcT36so = "C:\\ProgramData\\test\\test.exe"	be75e9e51767b5a59536afbbf9ffafbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1504	336	WerFault.exe	31

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2040	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
584	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe
1160	be75e9e51767b5a59536afbbf9ffafbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	be75e9e51767b5a59536afbbf9ffafbc.exe
Token: SeDebugPrivilege	1160	be75e9e51767b5a59536afbbf9ffafbc.exe
Token: SeDebugPrivilege	336	test.exe
Token: SeDebugPrivilege	336	test.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 2040	1160	be75e9e51767b5a59536afbbf9ffafbc.exe	29
PID 1160 wrote to memory of 2040	1160	be75e9e51767b5a59536afbbf9ffafbc.exe	29
PID 1160 wrote to memory of 2040	1160	be75e9e51767b5a59536afbbf9ffafbc.exe	29
PID 1160 wrote to memory of 336	1160	be75e9e51767b5a59536afbbf9ffafbc.exe	31
PID 1160 wrote to memory of 336	1160	be75e9e51767b5a59536afbbf9ffafbc.exe	31
PID 1160 wrote to memory of 336	1160	be75e9e51767b5a59536afbbf9ffafbc.exe	31
PID 1160 wrote to memory of 1756	1160	be75e9e51767b5a59536afbbf9ffafbc.exe	32
PID 1160 wrote to memory of 1756	1160	be75e9e51767b5a59536afbbf9ffafbc.exe	32
PID 1160 wrote to memory of 1756	1160	be75e9e51767b5a59536afbbf9ffafbc.exe	32
PID 1756 wrote to memory of 584	1756	cmd.exe	34
PID 1756 wrote to memory of 584	1756	cmd.exe	34
PID 1756 wrote to memory of 584	1756	cmd.exe	34
PID 336 wrote to memory of 1504	336	test.exe	35
PID 336 wrote to memory of 1504	336	test.exe	35
PID 336 wrote to memory of 1504	336	test.exe	35

C:\Users\Admin\AppData\Local\Temp\be75e9e51767b5a59536afbbf9ffafbc.exe
"C:\Users\Admin\AppData\Local\Temp\be75e9e51767b5a59536afbbf9ffafbc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\system32\schtasks.exe
  "schtasks.exe" /create /tn HGRAyZk0Y950ZeEUrPGcT36so /tr "C:\ProgramData\test\test.exe" /st 16:35 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:2040
- C:\ProgramData\test\test.exe
  "C:\ProgramData\test\test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 336 -s 1684
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1504
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp29CF.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\test\test.exe

Filesize
234.7MB

MD5
54cd503528f26a88538efb0bd6bb639e

SHA1
5f24ec7576c94076cadc3f2edb2826b8593e44c6

SHA256
0fa9136edac467e6b627e78f68cce9a62cd35d60eab4448b49fcf70845f0d53f

SHA512
29c8dfb6cba5ae05921ba2e0fc3818a6412b24404a4138d4052605c1714f8c667917250716efd7dc9d2b9442eb484928694516c5238b1650080f40949f3d4950

Download Submit
C:\ProgramData\test\test.exe

Filesize
242.2MB

MD5
5bb8e9d3e108c30311942077c193508d

SHA1
fad43dbc4ca325c66a2b2f60cc7f1d67d7076aa2

SHA256
cc5414b589d3734140d9050b420b110299f06c41d3db126cda2ca41b9a404f1b

SHA512
a49b8326fc0f072a1c5fc9cb0235a29fae785c0b3088fa4ba90d85525c0652468ee33924bc481064554aa90669a8a98e99d4601aa729537a06438cba2c3832fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp29CF.tmp.bat

Filesize
184B

MD5
75994c06ca0b463ccbc65edbcc597322

SHA1
f8f0c414c3b04ba453552fb744e57aa52ddeee40

SHA256
0646e1bc473a77844166a2372a95adf7d63e345e8018a79b20b0492300d4948b

SHA512
9f87ce786dcce5be5e7864d215a4f550222379623c576226b5e866caabac28c8dd6a07c053929b1684dc3b3b06e745e3fc3a84d66cea00fcdb93f953cd1d1cf3

Download Submit
\ProgramData\test\test.exe

Filesize
243.3MB

MD5
fc2b796499d51fc8d696168f9c669e48

SHA1
ed4e48992195e535fc76245a33e835db8e8930a5

SHA256
2f4e1c3547e1e5afcf13d167164da89c95ba1aad6e767e7f3bc225ef59bce805

SHA512
dfe627f6c7137f0be21067474e735f3e32bfd76a93c31f4ddf9917d44fb5d57017372a65b566fe2ce14a66c47bb6ecd4c2e51505bcd44d6c5d58ccff41c9c184

Download Submit
\ProgramData\test\test.exe

Filesize
116.9MB

MD5
f87ed0c7cc6a595e097e87ac923fedc8

SHA1
b4adbdb29fb71d38bb6150984dd560f5997a7afe

SHA256
c7b32efb21038308786a0d9dc8eec4c089f93281ca01b176bc5261513b704769

SHA512
606111f508aeb74956e48b969301520a2c2350c8b57b59ad5452cbd67815445a0e30ed6c9c0a5dd1abce8a3f0fa4965ebccd7a5d18eb034f57dc29f800cda621

Download Submit
\ProgramData\test\test.exe

Filesize
113.4MB

MD5
59e793be4da2f437a74b7f0111eb16c1

SHA1
071e64e65df0409220625472c2e8ef4108c66fd3

SHA256
2775aa4ac2fa2be0a990c6ac27344533d4d792130d53616e61266b3327f5424e

SHA512
c43110d070c0454444c0128acb689d26dc4c4d897684561efa9374372d03c4c92b03bb8e5935e971312d45f7c1c750182e48532947533fb2d002ae16bc0a4a5e

Download Submit
\ProgramData\test\test.exe

Filesize
114.6MB

MD5
b5ed4b3e21a036bb65ca84b51a108f45

SHA1
bceba8e9a6df7aa463b1926e30d74a22c6b4d2e9

SHA256
3a3cb01f68d8577c0b6261208a94fda3d5572af2cdf68ea9a05443067e23a98f

SHA512
d115ea191ec58fd54770f87515bd742e153c03ded4adb4ef80d799df6ace9b9be6d3b859406a47aa5e0f489cdf04c0961027480ffb5231e31b83412059f4f9d2

Download Submit
\ProgramData\test\test.exe

Filesize
112.2MB

MD5
fab047796cda2d8f102dbcf923587bb8

SHA1
18408ab1483d02a7d54d15acad3b3d1f72145ab4

SHA256
03ac5245850c7b738b5be600aa3b939ad57fbe5aa73e825f759860c9467b82ba

SHA512
ec142adfc31e7b25dfce4258f666376f1bc708e887b96d17d35cde4a6c1c74932a8ff47ba417c606486c28bd7f9cbb26e6336af2e6834e3f7a38af245a30dfbf

Download Submit
\ProgramData\test\test.exe

Filesize
117.9MB

MD5
5e4e3d4e5c5557c00344724fc0ae0e08

SHA1
f73edb731a5ccb79e06904b32f09784e5ae10ea0

SHA256
179956ae11756c8510ada0e746ed2b882203d27f7270a257387e0652e0132f8c

SHA512
88841b3af8116c2b6f5ca92ad78110218dbb5cbf962fd4bb77286ffba9cafeab7c09359d66a2225f5fb7ac771447b710d129455df2e3f0b9b85a5d57a76a003a

Download Submit
memory/336-67-0x0000000000540000-0x00000000005C0000-memory.dmp

Filesize
512KB

Download
memory/336-63-0x000000013F1F0000-0x000000013F2BE000-memory.dmp

Filesize
824KB

Download
memory/1160-55-0x000000001ADA0000-0x000000001AE76000-memory.dmp

Filesize
856KB

Download
memory/1160-54-0x000000013FAE0000-0x000000013FBAE000-memory.dmp

Filesize
824KB

Download
memory/1160-58-0x000000001BBB6000-0x000000001BBD5000-memory.dmp

Filesize
124KB

Download
memory/1160-56-0x00000000007C0000-0x00000000007C6000-memory.dmp

Filesize
24KB

Download