Analysis
-
max time kernel
53s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 22:05
General
-
Target
47bcda5c1f05dabceb6c20797ad6501a0494628f1b7266a7264348eacf22d6e1.exe
-
Size
27KB
-
MD5
cb1814f943f708d032b7587a858390e9
-
SHA1
e94f6b03ab0e81497c15898f47e3a1395356b50f
-
SHA256
47bcda5c1f05dabceb6c20797ad6501a0494628f1b7266a7264348eacf22d6e1
-
SHA512
edbdcf77c6005cc716a0cc99223cdaaac3dd96debfa60f507ae670f598e8d34cc2d9fa985c4edd24eb59c633634c29c2fda6d56a32493be82c6d27b05177066b
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\47bcda5c1f05dabceb6c20797ad6501a0494628f1b7266a7264348eacf22d6e1.exe"C:\Users\Admin\AppData\Local\Temp\47bcda5c1f05dabceb6c20797ad6501a0494628f1b7266a7264348eacf22d6e1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\F2F7.tmp\Sendable Virus.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exeNET SESSION3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 SESSION4⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.roblox.com/--item?id=927262213⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\opendisk.vbs"3⤵
- Enumerates connected drives
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msgbox.vbs"3⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f81⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
60KB
MD5b9f21d8db36e88831e5352bb82c438b3
SHA14a3c330954f9f65a2f5fd7e55800e46ce228a3e2
SHA256998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e
SHA512d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD529bb05f895276e5a9a9e9be7958d1834
SHA19c87c510109d59a169ea6e015e210cb25c41e7a5
SHA2568e19b9bd7c65ecc466cc2655f5f80ff25eeebe22d5a22954ffe1d410a15a1f96
SHA512d6c806ef8d9a5dcbd6981a7bfae764d2c5eca90f5a9a958c58cd5ba3e70ac3a4c899ece28c3370630a5bd0977e650165b46bbd0e3ab2429725db75a7a2135179
-
C:\Users\Admin\AppData\Local\Temp\F2F7.tmp\Sendable Virus.batFilesize
9KB
MD56341e2b6cc6ffbdd6c0c336d6509ba9a
SHA163c360fb605b30c13aae5ab9eac6349f0b80cadd
SHA25673f08a5f5ecf882ac778525e206808126740864bdd2759dd2b02803b8053d6af
SHA5129081740c8a9a72322a50341d17e232c10a626fd41ddbc0f835ba58b4f7fc52b85bfb4c7407b7cdb0ee90513275485647d76bc22867816b1acf3e1ac05def8e67
-
C:\Users\Admin\AppData\Local\Temp\msgbox.vbsFilesize
89B
MD57381f78df6c2dbf25897c1b8e5ec2b43
SHA1781da509fa801ca5d8077760f7496baf70a7a56d
SHA2561b88a7b9a6c92560134f28b3a6f20368f5427a010c05d5b11a028ae3add6daee
SHA5126636f8113776c96bdca112a1badcf79a90ea6adfc1d0a6da4c2a1b2d1e1af8625745633ddae64ec7cefd08e6243ef88f494220c0d08dd5612d693b772982af60
-
C:\Users\Admin\AppData\Local\Temp\opendisk.vbsFilesize
150B
MD5673c512ec9af60c105943e3ba19faf51
SHA1e7fe0263a97aec3c2d4043a5aa311962cf8766ec
SHA256aec339e8f195ff6943f64f6ca57b022a670a0a5189d82925bde181d434128080
SHA512041af250bc25324fba28c2b7f71436f6686447f6a9d1988906d2eae4cbac189232a50c63481e881896691dbbad632b814bad521d0de316dc29fdedec861406ee
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4OVBHTZD.txtFilesize
605B
MD5ee929d5c88c462b6aabc618047ef074a
SHA1d9e2cf6182d4de020b941e8b044bc2f18644e1ef
SHA25616309be632a43c9938973d0bab3080bfc2bf082ccd4238446a4cb15a3f2cf290
SHA512eec9ec56004737e2f4cffad690953d78d664e83aec9b837a6597ce02aea259c7850e5021aec658fe0a19e3ace9b797aa11cf8aaadb72dccd19733925321eb087
-
memory/112-64-0x0000000000000000-mapping.dmp
-
memory/388-54-0x0000000076C81000-0x0000000076C83000-memory.dmpFilesize
8KB
-
memory/1228-62-0x0000000000000000-mapping.dmp
-
memory/1920-57-0x0000000000000000-mapping.dmp
-
memory/1996-59-0x0000000000000000-mapping.dmp
-
memory/2000-58-0x0000000000000000-mapping.dmp
-
memory/2008-60-0x0000000000000000-mapping.dmp
-
memory/2032-55-0x0000000000000000-mapping.dmp