30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745

Analysis

max time kernel
149s
max time network
137s
platform
windows7_x64
resource
win7-20220414-en
submitted
18-05-2022 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be75e9e51767b5a59536afbbf9ffafbc.exe
Size

810KB
MD5

be75e9e51767b5a59536afbbf9ffafbc
SHA1

78be65d86a6918643092e8e90fd72ad3b9ab997f
SHA256

30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745
SHA512

4e9f7198dd12adeb21669f74e1cdebe16ac7ccae8e1f29b537438239d1a240a8f1ab890afebe8c1f8603909a1c72b8ce7e7c981f2147fa53dccc6c43b6a3d9e6

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata

Executes dropped EXE 2 IoCs

pid	Process
1932	test.exe
1412	5iOsII87is.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5iOsII87is.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5iOsII87is.exe

Deletes itself 1 IoCs

pid	Process
528	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1932	test.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HGRAyZk0Y950ZeEUrPGcT36so = "C:\\ProgramData\\test\\test.exe"	be75e9e51767b5a59536afbbf9ffafbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1996	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
560	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1932	test.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe
1960	be75e9e51767b5a59536afbbf9ffafbc.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	be75e9e51767b5a59536afbbf9ffafbc.exe
Token: SeDebugPrivilege	1960	be75e9e51767b5a59536afbbf9ffafbc.exe
Token: SeDebugPrivilege	1932	test.exe
Token: SeDebugPrivilege	1932	test.exe
Token: SeLockMemoryPrivilege	1412	5iOsII87is.exe
Token: SeLockMemoryPrivilege	1412	5iOsII87is.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1412	5iOsII87is.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1996	1960	be75e9e51767b5a59536afbbf9ffafbc.exe	28
PID 1960 wrote to memory of 1996	1960	be75e9e51767b5a59536afbbf9ffafbc.exe	28
PID 1960 wrote to memory of 1996	1960	be75e9e51767b5a59536afbbf9ffafbc.exe	28
PID 1960 wrote to memory of 1932	1960	be75e9e51767b5a59536afbbf9ffafbc.exe	30
PID 1960 wrote to memory of 1932	1960	be75e9e51767b5a59536afbbf9ffafbc.exe	30
PID 1960 wrote to memory of 1932	1960	be75e9e51767b5a59536afbbf9ffafbc.exe	30
PID 1960 wrote to memory of 528	1960	be75e9e51767b5a59536afbbf9ffafbc.exe	31
PID 1960 wrote to memory of 528	1960	be75e9e51767b5a59536afbbf9ffafbc.exe	31
PID 1960 wrote to memory of 528	1960	be75e9e51767b5a59536afbbf9ffafbc.exe	31
PID 528 wrote to memory of 560	528	cmd.exe	33
PID 528 wrote to memory of 560	528	cmd.exe	33
PID 528 wrote to memory of 560	528	cmd.exe	33
PID 1932 wrote to memory of 1412	1932	test.exe	34
PID 1932 wrote to memory of 1412	1932	test.exe	34
PID 1932 wrote to memory of 1412	1932	test.exe	34

C:\Users\Admin\AppData\Local\Temp\be75e9e51767b5a59536afbbf9ffafbc.exe
"C:\Users\Admin\AppData\Local\Temp\be75e9e51767b5a59536afbbf9ffafbc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\system32\schtasks.exe
  "schtasks.exe" /create /tn HGRAyZk0Y950ZeEUrPGcT36so /tr "C:\ProgramData\test\test.exe" /st 16:34 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:1996
- C:\ProgramData\test\test.exe
  "C:\ProgramData\test\test.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\ProgramData\15B34D9CC5\Rtyghe8m6tcKF3IhOCw6tKiCM8pafgGT5CrTRVex\5iOsII87is.exe
    "C:\ProgramData\15B34D9CC5\Rtyghe8m6tcKF3IhOCw6tKiCM8pafgGT5CrTRVex\5iOsII87is.exe" --url xmr.hashcity.org:4444 --user first1805.15B34D9CC5 --pass x --title Service --cpu-max-threads-hint=70 --donate-level 0
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1412
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3E2A.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\15B34D9CC5\Rtyghe8m6tcKF3IhOCw6tKiCM8pafgGT5CrTRVex\5iOsII87is.exe

Filesize
25.1MB

MD5
a2826a003decf7c28c6032fc67d73f1d

SHA1
d2359c3a2722ce88a41218fed699a53f670c60a6

SHA256
fb27916254ed52de3bc74cc7b9e2edfccd0e0a6f7ca739b398afa3160ae25e53

SHA512
b233e83e8d3274b7ff677a06d514af9a3abe8900474ce2873af7b33df68becb7216f8e2aae88cc96e1c81b1a5fd5c91dfcc5262806a8ecad0584be18a502692b

Download Submit
C:\ProgramData\test\test.exe

Filesize
422.9MB

MD5
2a2cf8fcf5235b1f8d3c8281b21f6510

SHA1
7515b9373f1d0210db00d7991128506981ddd7e3

SHA256
40b8b144c325213ce39cd6ff7e096ad8310ed55fa8171a005f6579bcaed0a264

SHA512
6f49a98bc32b0f6b9a1c3a9c408e929107c45f7bde129bbd2863791830f1e40252b32e3627fb9ab2e67d0b1f9f7c05b4fc57335b34c21754fa64780fe7394dde

Download Submit
C:\ProgramData\test\test.exe

Filesize
422.4MB

MD5
66e5377cba4ee681f78199839726ca5f

SHA1
e06cc691f0f553223645076580ccfb79860cfc2d

SHA256
c3aa417251cabee25905ff8baa95aef4695096da3dbf032f67f1cc488e636298

SHA512
6d7a651fe37693d8b714b48d53f253c0d06d4650af10c6c118cf44d24b8bac92e10385d79da7cfacc93b4b522a6289fb5acd5a14ac029ce8dba3c0cc1c74e77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E2A.tmp.bat

Filesize
184B

MD5
0f397cc5f4c48eec99467ddc190c8a91

SHA1
2bfc9d3057e8c0f6368f6ae1589acd0b6844cb4e

SHA256
bd9591910b93da534de995fdd7ffc48c32afcefd99f953ad44229588d7cf9f12

SHA512
b641c52b670c1bd41fbc5ac9e4d0c10b030b7e9f6dc8ae8f4240ecaff42dc151ad9912020e645111ef7268891e8044514c25aa6667f51890e995b714031159b7

Download Submit
\ProgramData\15B34D9CC5\Rtyghe8m6tcKF3IhOCw6tKiCM8pafgGT5CrTRVex\5iOsII87is.exe

Filesize
23.9MB

MD5
077afb33bf2001d49e1f11a136801002

SHA1
e7e1ca59946b3f0b33f70a8f22309fac5f0f87b5

SHA256
2a6e1353e233cd85fc01515961df473551bb898eb62b67841cf990d89ceadf98

SHA512
567e9badeffb272210e6b6cc64ac9775ea56fda0e78ae0025aa717bf5c0909a9f8aef72191eb03101debafdbb47d4b7fc72a9c64b8ed20631f251474ce8f2a2f

Download Submit
\ProgramData\test\test.exe

Filesize
413.3MB

MD5
c2c48c316539bb0be412400ba0e4dbbc

SHA1
cb8f900ab41be7393e58013fa4a7ef471b9861ea

SHA256
48cd60724292c01bfa4af487bbf7131ad5de33a6a6bfe9cab8d392e096c92e65

SHA512
c30c1177c39bfac4fd804da78652951399988ad7f9cf9001e4b05d7d8edfcc886c465f3dc43c63255540de911856a5802bc2d8af1c8e10a7143c70299dca0b80

Download Submit
memory/1412-73-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1412-72-0x0000000076E50000-0x0000000076FF9000-memory.dmp

Filesize
1.7MB

Download
memory/1412-71-0x00000000017E0000-0x0000000001800000-memory.dmp

Filesize
128KB

Download
memory/1932-63-0x000000013F5E0000-0x000000013F6AE000-memory.dmp

Filesize
824KB

Download
memory/1932-67-0x000000001BB46000-0x000000001BB65000-memory.dmp

Filesize
124KB

Download
memory/1960-54-0x000000013F310000-0x000000013F3DE000-memory.dmp

Filesize
824KB

Download
memory/1960-55-0x000000001B430000-0x000000001B506000-memory.dmp

Filesize
856KB

Download
memory/1960-56-0x0000000000650000-0x0000000000656000-memory.dmp

Filesize
24KB

Download
memory/1960-57-0x000000001BA86000-0x000000001BAA5000-memory.dmp

Filesize
124KB

Download