00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124

Analysis

max time kernel
22s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe
Size

870KB
MD5

588be75f7ceb82915980b2f90be3c4ac
SHA1

65d5912f2e9b8a16989c72c4e943c2e1ecc014ee
SHA256

00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124
SHA512

b8737dd5a3bda3ee0a6476c46fcfaf688c5d3fe2067117dec90206896e095d8fc0ed91425acd397b3efdebe42c6c43051d9ffc6c51e505b3f66a49a73a51c99b

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-87585857695986954\winmgr.exe = "C:\\Users\\Admin\\M-87585857695986954\\winmgr.exe:*:Enabled:Microsoft Windows Service"	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe

Executes dropped EXE 1 IoCs

pid	Process
1788	winmgr.exe

Loads dropped DLL 6 IoCs

pid	Process
956	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service = "C:\\Users\\Admin\\M-87585857695986954\\winmgr.exe"	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000014250-73.dat	autoit_exe
behavioral1/files/0x0006000000014250-100.dat	autoit_exe
behavioral1/files/0x0006000000014250-99.dat	autoit_exe
behavioral1/files/0x0006000000014250-98.dat	autoit_exe
behavioral1/files/0x0006000000014250-97.dat	autoit_exe
behavioral1/files/0x0006000000014250-101.dat	autoit_exe
behavioral1/files/0x0006000000014250-71.dat	autoit_exe
behavioral1/files/0x0006000000014250-69.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1496 set thread context of 956	1496	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1924	1788	WerFault.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 956	1496	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	27
PID 1496 wrote to memory of 956	1496	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	27
PID 1496 wrote to memory of 956	1496	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	27
PID 1496 wrote to memory of 956	1496	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	27
PID 1496 wrote to memory of 956	1496	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	27
PID 1496 wrote to memory of 956	1496	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	27
PID 1496 wrote to memory of 956	1496	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	27
PID 1496 wrote to memory of 956	1496	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	27
PID 1496 wrote to memory of 956	1496	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	27
PID 1496 wrote to memory of 956	1496	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	27
PID 1496 wrote to memory of 956	1496	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	27
PID 956 wrote to memory of 1788	956	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	29
PID 956 wrote to memory of 1788	956	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	29
PID 956 wrote to memory of 1788	956	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	29
PID 956 wrote to memory of 1788	956	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	29
PID 1788 wrote to memory of 1924	1788	winmgr.exe	28
PID 1788 wrote to memory of 1924	1788	winmgr.exe	28
PID 1788 wrote to memory of 1924	1788	winmgr.exe	28
PID 1788 wrote to memory of 1924	1788	winmgr.exe	28

C:\Users\Admin\AppData\Local\Temp\00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe
"C:\Users\Admin\AppData\Local\Temp\00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe
  "C:\Users\Admin\AppData\Local\Temp\00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe"
  2⤵
  - Modifies firewall policy service
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\M-87585857695986954\winmgr.exe
    C:\Users\Admin\M-87585857695986954\winmgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 380
1⤵
- Loads dropped DLL
- Program crash
PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\deepwebx.txt

Filesize
60KB

MD5
1f59dec3d69b5a8ce892db9ff72096c3

SHA1
923a511671583f7e144a8b6a5547d1018bf0e3cc

SHA256
b8dfc0af166b7e0bb771d15bf315442247410a4e82c4091a5a85205fa1b89b47

SHA512
8cfd98c164b07e21e132f3a89a870c98d80e45bbd9cb3b7da191b418bcd17a83febc11da92df8e9ae609cf2992601aa520e91f02057696a2e89bfb4f5414b499

Download Submit
C:\Users\Admin\AppData\Local\Temp\test2x.txt

Filesize
100B

MD5
6a5b76312aceea53d56b4373d53c1451

SHA1
d5a9eafc38b81a25daf03b3d9a742ee1bba3651b

SHA256
21da4382be35ee414afd57f6802b3802b00e79f0762a2b9942591be4b846099c

SHA512
b59130490303b607013812bba31f704fedf8789848ac98005d37e163bedfffb7d70bebb023feaaf28664f6000163868c6cf5f45f7f9434971ecdf82f66c7ff7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\test2xx.txt

Filesize
98B

MD5
f42f0562816b96102dde294fb2c508ac

SHA1
191e0e60526e020c4f456eb2f08b1536b8e7712d

SHA256
b2da6507c5a77d3d0d2b711bb8c347c383f29e39ac7b74b479b5425e2ac77c00

SHA512
67a36d10fac324588eb420857522cc32d41cebd1745b96a7e9713fddf8318f751e16e84b42b446a2c9465fb4dc5a77b8ede75f6af097c33f9d2a87f9649a2255

Download Submit
C:\Users\Admin\AppData\Local\Temp\test3x.txt

Filesize
108B

MD5
88116ec49738a1493fc284c51d4dbfba

SHA1
269f74c3259ae5fe2c4cc2445ccb2e8b0baf9004

SHA256
0d6a0f80e046b6bb77b87c1ca051f4bac821966293af47a62f7e5106fa1a6f74

SHA512
a430d8f6bbf86e397c4bbaa4e77b30f594540823658a7e8f217561adf100ea5839769388469d152d96d4bda63eee40b33c80945cbef235645c8f12ef369b6eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\test3xx.txt

Filesize
106B

MD5
71ef96891967694c1d2c9e6fb72ba818

SHA1
10ae116ef5e19764ac5d3a647d65f547eaa354ac

SHA256
3ec812b26581121de1a020d5dc547ad6f6ac9e321625ccca16367e56966dc275

SHA512
e9b8ab935099688f4b18e651116471f0588a13bb3fe4177591cdf21df07c187fe5463e20e67c2e11758fe7746bfc480db6c37d6e263fb80f1393e5db2cc6eafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\test4x.txt

Filesize
92B

MD5
861c22522a523bc72bf9a9b2e22e97c4

SHA1
e11ca81fe0ad875b6a3cca1bd3211f30a1524a42

SHA256
5110cadd1656f1197d4eea225af235b8265b4b77d6c6682e8119f55982199b6b

SHA512
5194b0a40e85e3ef85b96aa18b9e9e672c9aa364f41e5ed3870ce5445b6d1e02f9dd8c5d3a81c4f7064197b419708803f9170048a636cdee4d7db135e6409978

Download Submit
C:\Users\Admin\AppData\Local\Temp\test4xx.txt

Filesize
90B

MD5
7c7b6d024c627da303b1e8109b59ec8a

SHA1
8fde1af23426e860986e91f8b6c1f4fd6d3190c9

SHA256
57f0978901d4f374d9f06e07d6070f96c8041b0a8d45f46cad418066447d0186

SHA512
0d602dea536780594a6c496d8cc09d8c4c9f8eb251357f3b8562a741234651b2a079ce353dab391340b6f64b56080f00625333e6ece3a35a1c95471fdb2612c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\test5x.txt

Filesize
132B

MD5
e66c0849f8c9ee70c59203af0386926c

SHA1
4b05703f471081f9afdfb2c9934c32ea5c8be962

SHA256
084db12140daf226e3f8d024aead723729fcadb541f99c5ec152d0f43bdda5a6

SHA512
794add74dd65eae0f4f72290ff7bf31e9afc40f1c9ea79222a42d93f9cd1b87ee799c406b3309278c81f66e75f39ab6dc879be08abcc163c276d4175c86c058f

Download Submit
C:\Users\Admin\AppData\Local\Temp\test5xx.txt

Filesize
130B

MD5
f785444fa8783ebace5bf3a7ce1014d3

SHA1
bef83ea60af3a910a3bac03569e67f7aab3ca6ae

SHA256
dd496c7c8ccb887c5c9991d6a8b261e89aa1a115443058e1738eb67c9a19e754

SHA512
982fe767118c897d7ae1e7031788b48b9196af5ad55f77d83d3d244dc73ee39532e8c8b589410b59145f4c6bf817459bff22f7bba5f10549a8bd7e4f137b4120

Download Submit
C:\Users\Admin\AppData\Local\Temp\test6x.txt

Filesize
638B

MD5
0341d74cbe7eeddc97ff57a3f41e0aae

SHA1
7ac9e057c5ef1b99080631a0977ce4047cd6eecf

SHA256
79c3589c266a2f1790a416f6f269ba914d14ed0602e6c6d0964de696b350e781

SHA512
dcce723f520329c79f73ff5b7799a61a30ef9e5801b4f04f4897b06d54bbe84186e6022402f5170f3993dfb2a431131e4dd6123191ab430fc164f208061ee152

Download Submit
C:\Users\Admin\AppData\Local\Temp\test6xx.txt

Filesize
636B

MD5
b7f737a87dfe2176e40bce919499a69b

SHA1
403a2a8b72fe577139b4ee4310fccd0e669e854f

SHA256
db3c01361118d67e942ab190b76a8c7055e7b2e38c3f41f96eff80c01ad4623d

SHA512
c2dfc3ca2b6d695b9eaed6f595ec9367d3464e17b25e0627d7adc768e5cb85d5e9bfc3b6602e62589bef849f80c9d7027459b937841eb7c4f19dd8c9b41765df

Download Submit
C:\Users\Admin\AppData\Local\Temp\testx.txt

Filesize
2KB

MD5
a0990ddbb2099b380a275d32475e2fb6

SHA1
87d9c5f70be309efd85fe3076431c186eeb333eb

SHA256
1162921461c2a373fc3e3982f7995effc4ff32456a6bc9d3a6f9e263936c0283

SHA512
c7849f81c7b9cbd329f13abcc20604caaee9b310c434b385f44bb4635d29b9346f64ea2399d07b02e8d0d883e97f0f4bd89b676c9318b5dbd9b346267130ecb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\testxx.txt

Filesize
2KB

MD5
992dea548be8314039a109d8f0725578

SHA1
dbfbb7268164b58f27bc4650158312058573ac32

SHA256
9a186fead0270c923d4672ed89b898f9210cfd59837ab1fbdc82987a61378cec

SHA512
52c22415a7f0cafa1d42163873fb46e8f02a081e9edda7a51c02be87a5c0550e3eebba4f697b33d6e62bf42a79f1cbcb75f281d2cc0dc2a78e6a8e933da20577

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultra.txt

Filesize
1KB

MD5
5b54502a7b2e3f71523db902eb15bcc0

SHA1
6635020844365299471d9ac2b597eccc5bff6589

SHA256
b3d65b73767d55ec548557bc83b445d51c81fbb84f845ca255d835d87c4cf1e2

SHA512
9d2ae5ba95e97edc0adbecf474628d98abfb77b2b54d14a087ef4f6f46947632814eff1a539200ea5d445dad00f77742ee654227e8c38f6200ff16386787ca86

Download Submit
C:\Users\Admin\M-87585857695986954\winmgr.exe

Filesize
870KB

MD5
588be75f7ceb82915980b2f90be3c4ac

SHA1
65d5912f2e9b8a16989c72c4e943c2e1ecc014ee

SHA256
00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124

SHA512
b8737dd5a3bda3ee0a6476c46fcfaf688c5d3fe2067117dec90206896e095d8fc0ed91425acd397b3efdebe42c6c43051d9ffc6c51e505b3f66a49a73a51c99b

Download Submit
C:\Users\Admin\M-87585857695986954\winmgr.exe

Filesize
870KB

MD5
588be75f7ceb82915980b2f90be3c4ac

SHA1
65d5912f2e9b8a16989c72c4e943c2e1ecc014ee

SHA256
00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124

SHA512
b8737dd5a3bda3ee0a6476c46fcfaf688c5d3fe2067117dec90206896e095d8fc0ed91425acd397b3efdebe42c6c43051d9ffc6c51e505b3f66a49a73a51c99b

Download Submit
\Users\Admin\M-87585857695986954\winmgr.exe

Filesize
870KB

MD5
588be75f7ceb82915980b2f90be3c4ac

SHA1
65d5912f2e9b8a16989c72c4e943c2e1ecc014ee

SHA256
00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124

SHA512
b8737dd5a3bda3ee0a6476c46fcfaf688c5d3fe2067117dec90206896e095d8fc0ed91425acd397b3efdebe42c6c43051d9ffc6c51e505b3f66a49a73a51c99b

Download Submit
\Users\Admin\M-87585857695986954\winmgr.exe

Filesize
870KB

MD5
588be75f7ceb82915980b2f90be3c4ac

SHA1
65d5912f2e9b8a16989c72c4e943c2e1ecc014ee

SHA256
00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124

SHA512
b8737dd5a3bda3ee0a6476c46fcfaf688c5d3fe2067117dec90206896e095d8fc0ed91425acd397b3efdebe42c6c43051d9ffc6c51e505b3f66a49a73a51c99b

Download Submit
\Users\Admin\M-87585857695986954\winmgr.exe

Filesize
870KB

MD5
588be75f7ceb82915980b2f90be3c4ac

SHA1
65d5912f2e9b8a16989c72c4e943c2e1ecc014ee

SHA256
00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124

SHA512
b8737dd5a3bda3ee0a6476c46fcfaf688c5d3fe2067117dec90206896e095d8fc0ed91425acd397b3efdebe42c6c43051d9ffc6c51e505b3f66a49a73a51c99b

Download Submit
\Users\Admin\M-87585857695986954\winmgr.exe

Filesize
870KB

MD5
588be75f7ceb82915980b2f90be3c4ac

SHA1
65d5912f2e9b8a16989c72c4e943c2e1ecc014ee

SHA256
00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124

SHA512
b8737dd5a3bda3ee0a6476c46fcfaf688c5d3fe2067117dec90206896e095d8fc0ed91425acd397b3efdebe42c6c43051d9ffc6c51e505b3f66a49a73a51c99b

Download Submit
\Users\Admin\M-87585857695986954\winmgr.exe

Filesize
870KB

MD5
588be75f7ceb82915980b2f90be3c4ac

SHA1
65d5912f2e9b8a16989c72c4e943c2e1ecc014ee

SHA256
00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124

SHA512
b8737dd5a3bda3ee0a6476c46fcfaf688c5d3fe2067117dec90206896e095d8fc0ed91425acd397b3efdebe42c6c43051d9ffc6c51e505b3f66a49a73a51c99b

Download Submit
\Users\Admin\M-87585857695986954\winmgr.exe

Filesize
870KB

MD5
588be75f7ceb82915980b2f90be3c4ac

SHA1
65d5912f2e9b8a16989c72c4e943c2e1ecc014ee

SHA256
00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124

SHA512
b8737dd5a3bda3ee0a6476c46fcfaf688c5d3fe2067117dec90206896e095d8fc0ed91425acd397b3efdebe42c6c43051d9ffc6c51e505b3f66a49a73a51c99b

Download Submit
memory/956-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/956-68-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/956-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/956-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/956-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/956-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/956-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/956-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/956-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1496-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads