Analysis

  • max time kernel
    3s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 03:41

General

  • Target

    244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe

  • Size

    5.5MB

  • MD5

    42f3db290bdb873ea53f87dd71262d41

  • SHA1

    97c643cee498989e193330f0af5b3d5a9d50977b

  • SHA256

    244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf

  • SHA512

    2ced086d1488f1cda5d0dfbff9b30f1c838896f925bf615c71b26816ba43a2632f74d1da0880eccaf3b4793c3ad44b24063437285995d034d62751e9cc108841

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Sets file to hidden (1 TTP)

    Modifies file attributes to stop it showing in Explorer etc.

  • Loads dropped DLL (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (35 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe
    "C:\Users\Admin\AppData\Local\Temp\244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im csrss.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1820
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im ccsrss.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:268
        • C:\Windows\SysWOW64\reg.exe
          reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
          4⤵
          PID:1768
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +h "C:\Windows\System32\vipcatalog"
          4⤵
          • Views/modifies file attributes
          PID:1084
        • C:\Users\Admin\AppData\Local\Temp\csrss.exe
          "csrss.exe" /silentinstall
          4⤵
          • Executes dropped EXE
          PID:1560
    • C:\Users\Admin\AppData\Local\Temp\Injector.exe
      "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
      2⤵
      • Executes dropped EXE
      PID:1288

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Injector.exe

      Filesize

      1.9MB

      MD5

      ec801a7d4b72a288ec6c207bb9ff0131

      SHA1

      32eec2ae1f9e201516fa7fcdc16c4928f7997561

      SHA256

      b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

      SHA512

      a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

    • C:\Users\Admin\AppData\Local\Temp\csrss.exe

      Filesize

      2.2MB

      MD5

      439564aa3c2b3fa4f28273c47036a22a

      SHA1

      820f3cb07a4cd7e6601cb072362f921656ff870f

      SHA256

      bced15349dc6331e5bbdcf87915a22d9e833a1e61e1aba0061196412f5a72782

      SHA512

      dc4e879d999b7b8fa8a6dd116625addc87c570af9a57cb866c6b8d09b25a8da040ab905558a2052c45fc9722a492f7b1afe4a5a879f40319b7b54c2dae17350d

    • C:\Users\Admin\AppData\Local\Temp\csrss.exe

      Filesize

      2.0MB

      MD5

      24e09cdb30c90832e671abeb4631eae5

      SHA1

      0ebf52631f4cf8c42dccc2cf6c3ad807b7e85126

      SHA256

      1311f41cf4a5ede4d7e5d9a2c19c8c01d9477501a52b900b3ab26713e1c423cd

      SHA512

      bb1c5296f794c79fe8e1ef37d8e8b074a2569ea0e271500e805e36e44a834fc4afebdb1a4ca4afc9d31b334b65600b0426a81a4c806f13c1166444b42a115993

    • C:\Users\Admin\AppData\Local\Temp\install.bat

      Filesize

      663B

      MD5

      836eb56035271bdd5ba96d7d3e9ea733

      SHA1

      f38a9c5e37947dbcf59e9bb728316eeefb1cc630

      SHA256

      c70172116a25dcc9c067a4c557103e5e2350c419cd728b8efc6a438409179748

      SHA512

      f9ff472f6f892604d3457738636ef5af20a35346264677c510dda5a76bbb0f9c7645e7a38cea77864c903e257df4eeb4e5daf4254c4e12b4d06df57b21fea2e9

    • C:\Users\Admin\AppData\Local\Temp\install.vbs

      Filesize

      117B

      MD5

      65fc32766a238ff3e95984e325357dbb

      SHA1

      3ac16a2648410be8aa75f3e2817fbf69bb0e8922

      SHA256

      a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

      SHA512

      621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

    • \Users\Admin\AppData\Local\Temp\Injector.exe

      Filesize

      1.9MB

      MD5

      ec801a7d4b72a288ec6c207bb9ff0131

      SHA1

      32eec2ae1f9e201516fa7fcdc16c4928f7997561

      SHA256

      b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

      SHA512

      a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

    • \Users\Admin\AppData\Local\Temp\csrss.exe

      Filesize

      2.6MB

      MD5

      dd62926280171739773745792e3975a6

      SHA1

      73429a73d97ca1a28d5a9eae1cb5f4addaf2e52d

      SHA256

      a3bcf5dade28e370eb1239f42f9817dd78833f2c407856aa81d5f943a5282d34

      SHA512

      5cddc822b1bd04afc2afec53a7ad1d50250583392b5ddeefa32a2a2767a1d940bb2e57964f33a8799d760348a8232bb4add0425014829612478877423620a93a

    • memory/268-69-0x0000000000000000-mapping.dmp

    • memory/1084-71-0x0000000000000000-mapping.dmp

    • memory/1268-55-0x0000000000000000-mapping.dmp

    • memory/1288-67-0x0000000000830000-0x0000000000A16000-memory.dmp

      Filesize

      1.9MB

    • memory/1288-60-0x0000000000000000-mapping.dmp

    • memory/1380-66-0x0000000000000000-mapping.dmp

    • memory/1560-74-0x0000000000000000-mapping.dmp

    • memory/1768-70-0x0000000000000000-mapping.dmp

    • memory/1792-54-0x0000000075451000-0x0000000075453000-memory.dmp

      Filesize

      8KB

    • memory/1820-68-0x0000000000000000-mapping.dmp