Analysis

  • max time kernel
    42s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    30-05-2022 05:26

General

  • Target
    0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41.exe
  • Size
    234KB
  • MD5
    28713700cc4cf8795a8766fe420e4696
  • SHA1
    d56b0cef59368a5753c43037ca6cc9e4b33b11a7
  • SHA256
    0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41
  • SHA512
    5b9fe21edecc4d23fee40fe05b4566bf17a341af6c0f63f5f62afbd1b6d71b9ab9bf2e0b34248c9a3e90f117fa0cc19d32cadb70bcb7cbb3324c0e07f8fbbd74

Score
7/10

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41.exe
    "C:\Users\Admin\AppData\Local\Temp\0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ECD0.tmp\ECD1.tmp\ECD2.bat C:\Users\Admin\AppData\Local\Temp\0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM WimSCP.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1004
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM ATKPrwCtrl.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1608
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM Aupuf.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:944
      • C:\Windows\system32\attrib.exe
        attrib "C:\ProgramData\AMDControlPanelClient" -s -h -r /S /D
        3⤵
        • Views/modifies file attributes
        PID:268
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\AMDControlPanelClient" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:516
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\AMDControlPanelClient" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:784
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\AMDControlPanelClient" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:620
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\AMDControlPanelClient" /inheritance:e /grant "Users:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1028
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\AMDControlPanelClient" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:644
      • C:\Windows\system32\reg.exe
        REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v AMD GPU Optimization /F
        3⤵
        PID:1772
      • C:\Windows\system32\reg.exe
        REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v AMD GPU Optimization /F
        3⤵
        PID:1804
      • C:\Windows\system32\reg.exe
        REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v AMD GPU Optimization /F
        3⤵
        PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Hidden Files and Directories (1) T1158
  • Defense Evasion
    File Permissions Modification (1) T1222
    Hidden Files and Directories (1) T1158
  • Discovery
    System Information Discovery (1) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ECD0.tmp\ECD1.tmp\ECD2.bat
    Filesize
    1KB
    MD5
    57933d14dbc025036b72e4c8516a7ce1
    SHA1
    b6403e5d4c55cfc168027a33aeddf04d30f3ba47
    SHA256
    e23229afdf11d0708fa6ebd9c4c28fab1d0a59d3894e51c4c668064de55a1b45
    SHA512
    dcd226f0666fd6566216318b85b505222760355509c962f0dbdc3e5b3c3e10bc57eb44d42ead647a74d08c3043662e180010fd0acb3dc7a4ae32afaf94d80ad3
  • memory/268-60-0x0000000000000000-mapping.dmp
  • memory/516-61-0x0000000000000000-mapping.dmp
  • memory/620-63-0x0000000000000000-mapping.dmp
  • memory/644-65-0x0000000000000000-mapping.dmp
  • memory/784-62-0x0000000000000000-mapping.dmp
  • memory/944-59-0x0000000000000000-mapping.dmp
  • memory/1004-57-0x0000000000000000-mapping.dmp
  • memory/1028-64-0x0000000000000000-mapping.dmp
  • memory/1048-68-0x0000000000000000-mapping.dmp
  • memory/1096-54-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp
    Filesize
    8KB
  • memory/1268-55-0x0000000000000000-mapping.dmp
  • memory/1608-58-0x0000000000000000-mapping.dmp
  • memory/1772-66-0x0000000000000000-mapping.dmp
  • memory/1804-67-0x0000000000000000-mapping.dmp