Overview

overview

10

Static

static

b9abb9034a...bf.exe

windows7_x64

8

b9abb9034a...bf.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 01:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9abb9034a6e25c416c3031b9dbfd566b3d7b39dfb1fc9229095f22ee8c6a9bf.exe

  • Size

    790KB

  • MD5

    c767466a3e546cf4c3f4c7d06674f649

  • SHA1

    86fd75f689e1cdae1ebe04e75cb8c41007d58f8a

  • SHA256

    b9abb9034a6e25c416c3031b9dbfd566b3d7b39dfb1fc9229095f22ee8c6a9bf

  • SHA512

    455df92cf93a0d78022275230f095c8ff502bfb046b407262c0043159d198294c95c32821b284f72e868983d62077e9a8a99ded02f5c4d18ef40ee2e97c9ea06

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Adds Run key to start application 2 TTPs 50 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9abb9034a6e25c416c3031b9dbfd566b3d7b39dfb1fc9229095f22ee8c6a9bf.exe
    "C:\Users\Admin\AppData\Local\Temp\b9abb9034a6e25c416c3031b9dbfd566b3d7b39dfb1fc9229095f22ee8c6a9bf.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\b9abb9034a6e25c416c3031b9dbfd566b3d7b39dfb1fc9229095f22ee8c6a9bf.exe
      2⤵
      • Views/modifies file attributes
      PID:1088
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
      2⤵
      • Adds Run key to start application
      PID:1996
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
        PID:1688
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1988
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1172
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1868
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1108
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:700
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1252
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:780
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1360
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1972
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1044
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1028
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1148
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:692
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:480
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:888
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:976
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1668
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1756
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:2020
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1944
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1580
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1420
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1628
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "rsegdgsg" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\\ergsergs\dev.exe
        2⤵
        • Adds Run key to start application
        PID:1456

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/480-71-0x0000000000000000-mapping.dmp

      Download

    • memory/692-70-0x0000000000000000-mapping.dmp

      Download

    • memory/700-62-0x0000000000000000-mapping.dmp

      Download

    • memory/748-55-0x0000000074980000-0x0000000074F2B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/748-54-0x00000000763E1000-0x00000000763E3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/780-64-0x0000000000000000-mapping.dmp

      Download

    • memory/888-72-0x0000000000000000-mapping.dmp

      Download

    • memory/976-73-0x0000000000000000-mapping.dmp

      Download

    • memory/1028-68-0x0000000000000000-mapping.dmp

      Download

    • memory/1044-67-0x0000000000000000-mapping.dmp

      Download

    • memory/1088-56-0x0000000000000000-mapping.dmp

      Download

    • memory/1108-61-0x0000000000000000-mapping.dmp

      Download

    • memory/1148-69-0x0000000000000000-mapping.dmp

      Download

    • memory/1172-59-0x0000000000000000-mapping.dmp

      Download

    • memory/1252-63-0x0000000000000000-mapping.dmp

      Download

    • memory/1360-65-0x0000000000000000-mapping.dmp

      Download

    • memory/1420-79-0x0000000000000000-mapping.dmp

      Download

    • memory/1456-81-0x0000000000000000-mapping.dmp

      Download

    • memory/1580-78-0x0000000000000000-mapping.dmp

      Download

    • memory/1628-80-0x0000000000000000-mapping.dmp

      Download

    • memory/1668-74-0x0000000000000000-mapping.dmp

      Download

    • memory/1756-75-0x0000000000000000-mapping.dmp

      Download

    • memory/1868-60-0x0000000000000000-mapping.dmp

      Download

    • memory/1944-77-0x0000000000000000-mapping.dmp

      Download

    • memory/1972-66-0x0000000000000000-mapping.dmp

      Download

    • memory/1988-58-0x0000000000000000-mapping.dmp

      Download

    • memory/1996-57-0x0000000000000000-mapping.dmp

      Download

    • memory/2020-76-0x0000000000000000-mapping.dmp

      Download