Analysis
- max time kernel: 128s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 22:57
Static task: static1
Behavioral task: behavioral1
  Sample: 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
  Resource: win10v2004-20220414-en
General
- Target: 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
- Size: 11.7MB
- MD5: 18b14674866c89c770a7f8cafcd9d77a
- SHA1: bb4c7f84f81d926be1c0819b59ae9ec891b1989a
- SHA256: 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416
- SHA512: a05017b19da903cdbb0a2ce6fa238a43853d75db426e14cc4f8d26cdbe3e541a37e4236900cb9cd2f8eb416ba13d93f26fdbcc01e7f66fa8306551ffe71841ba
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    112 | bcdedit.exe
    1812 | o.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    1036 | cmd.exe
    1540 | cmd.exe
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description | ioc | process
    File opened (read-only) | \??\Z: | 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
    File opened (read-only) | \??\D: | o.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | o.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | o.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description | ioc | process
    File opened for modification | \??\PhysicalDrive0 | o.exe
- Drops file in Windows directory (1 IoC)
  Processes:
    description | ioc | process
    File created | C:\Windows\v.cfg | 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes:
    description | pid | process
    Token: 33 | 1968 | 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe (recorded 12 times)
    Token: SeIncBasePriorityPrivilege | 1968 | 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe (recorded 12 times)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    pid | process
    1968 | 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe (recorded 3 times)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
    pid | process
    1968 | 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe (recorded 3 times)
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
    pid | process
    1968 | 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe (recorded 5 times)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description | pid | process | target process
    PID 1968 wrote to memory of 1036 | 1968 | 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe | cmd.exe (recorded 4 times)
    PID 1036 wrote to memory of 112 | 1036 | cmd.exe | bcdedit.exe (recorded 4 times)
    PID 1968 wrote to memory of 1540 | 1968 | 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe | cmd.exe (recorded 4 times)
    PID 1540 wrote to memory of 1812 | 1540 | cmd.exe | o.exe (recorded 4 times)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c bcdedit
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\bcdedit.exe
      Command line: bcdedit
      - Executes dropped EXE
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c o info
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\o.exe
      Command line: o info
      - Executes dropped EXE
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Writes to the Master Boot Record (MBR)
- Level 1: C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f4
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bcdedit.exe
  Filesize: 359KB
  MD5: f812d591a7b7a5f15141e891a95ba4bb
  SHA1: 8c04bbae962a561cbba0353b8e86e877ca45bb68
  SHA256: 6cc9858b49578c8a98b8926563f1c7d82641277bd7e3d1ad2fcadfa0ca1422a7
  SHA512: f5de84398c2cf2a2bc168eb6c9a773c647bf2dad169a131bb0f8b54ac058b037daa0de5355e47384ad5c15c69822897a55f9d4c8da2b8480212fe5b068baa2ad
- C:\Users\Admin\AppData\Local\Temp\o.exe
  Filesize: 2.3MB
  MD5: 70b6a76178479d237a2c23b86d6c06d9
  SHA1: 3bfd492082e3958a1038685ad9e17800510e94e1
  SHA256: ed1f0c01a20b99435c9f6a233bf3a766e756c866db1dda460822424d228ec5d7
  SHA512: 596dcbbb2daf686b938356dff9bbc94f92bf9e92d1230beda5e11cb6dde6538d3878e1d83b9d007dbd550f09d4335443b9b5e922580f6b9b6d2f03d8d6cb0cbd
- memory/112-57-0x0000000000000000-mapping.dmp
- memory/1036-55-0x0000000000000000-mapping.dmp
- memory/1540-61-0x0000000000000000-mapping.dmp
- memory/1812-64-0x0000000000000000-mapping.dmp
- memory/1968-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
  Filesize: 8KB
- memory/1968-59-0x0000000010024000-0x0000000010031000-memory.dmp
  Filesize: 52KB
- memory/1968-60-0x0000000008580000-0x00000000087A2000-memory.dmp
  Filesize: 2.1MB