Analysis
- max time kernel: 151s
- max time network: 116s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-06-2022 03:16
Static task: static1
Behavioral task: behavioral1
- Sample: 1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe
- Resource: win10v2004-20220414-en
General
- Target: 1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe
- Size: 143KB
- MD5: 060bd7824d33fece88d0b30173fa9552
- SHA1: 79b6fc5843fa02d997733389cee31708cc709d34
- SHA256: 1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed
- SHA512: 95cf4e435b9085b1ebf346c9c302e8b418113a737fb5976f3767b21e25a6070d8ee4ecbb9a13bc4428cac2c062518f1f38a7a824cc7b1c4d89dad462e9a749e6
Malware Config
Extracted family: tofsee
- 91.218.38.245
- 188.165.132.183
- rgtryhbgddtyh.biz
- wertdghbyrukl.ch
Signatures
- Executes dropped EXE (1 IoC)
  Process: reblslze.exe (PID 1708)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 1728)
- Loads dropped DLL (2 IoCs)
  Process: 1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe (PID 1800), two loads
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\reblslze.exe\"" by 1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum by 1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 by 1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum by reblslze.exe
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 by reblslze.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1708 (reblslze.exe) set thread context of PID 1512 (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1800 (1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe) wrote to memory of PID 1708 (reblslze.exe), 4 times
  PID 1800 (1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe) wrote to memory of PID 1728 (cmd.exe), 4 times
  PID 1708 (reblslze.exe) wrote to memory of PID 1512 (svchost.exe), 6 times
Processes
- C:\Users\Admin\AppData\Local\Temp\1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\reblslze.exe
    Command line: "C:\Users\Admin\reblslze.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5030.bat" "
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5030.bat
  Filesize: 302B
  MD5: 0c6c0cab50914df25f2dcf8997c3a3a6
  SHA1: e624fed5c2c65d3d6874be7608f78ed1327bb700
  SHA256: 4783bf4675a7e57ccb644738842df97f5a9182637b0b5bc2e86a8c83669f666e
  SHA512: 29e02a9fea3cfbee27314e9f49cd1d2e865b8c2bfc848c3a7d1da1f2f861192340069a3eca3aebfb9e624aa4de214a71d53116c9f98423ec2624491307438337
- C:\Users\Admin\reblslze.exe (same hashes as the submitted sample)
  Filesize: 143KB
  MD5: 060bd7824d33fece88d0b30173fa9552
  SHA1: 79b6fc5843fa02d997733389cee31708cc709d34
  SHA256: 1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed
  SHA512: 95cf4e435b9085b1ebf346c9c302e8b418113a737fb5976f3767b21e25a6070d8ee4ecbb9a13bc4428cac2c062518f1f38a7a824cc7b1c4d89dad462e9a749e6
- \Users\Admin\reblslze.exe (same hashes as the submitted sample)
  Filesize: 143KB
  MD5: 060bd7824d33fece88d0b30173fa9552
  SHA1: 79b6fc5843fa02d997733389cee31708cc709d34
  SHA256: 1d8bdb66f386e4a13eccbd5bd5d4a006da0b24350792b652767bf71499e3caed
  SHA512: 95cf4e435b9085b1ebf346c9c302e8b418113a737fb5976f3767b21e25a6070d8ee4ecbb9a13bc4428cac2c062518f1f38a7a824cc7b1c4d89dad462e9a749e6
- memory/1512-69-0x0000000000080000-0x0000000000091000-memory.dmp (68KB)
- memory/1512-67-0x0000000000080000-0x0000000000091000-memory.dmp (68KB)
- memory/1512-77-0x0000000000080000-0x0000000000091000-memory.dmp (68KB)
- memory/1512-76-0x0000000000080000-0x0000000000091000-memory.dmp (68KB)
- memory/1512-74-0x0000000000080000-0x0000000000091000-memory.dmp (68KB)
- memory/1512-70-0x0000000000087321-mapping.dmp
- memory/1708-64-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
- memory/1708-58-0x0000000000000000-mapping.dmp
- memory/1708-72-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
- memory/1728-61-0x0000000000000000-mapping.dmp
- memory/1800-65-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
- memory/1800-54-0x0000000074E91000-0x0000000074E93000-memory.dmp (8KB)
- memory/1800-55-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
- memory/1800-63-0x00000000063F0000-0x0000000006445000-memory.dmp (340KB)
- memory/1800-62-0x00000000063F0000-0x0000000006445000-memory.dmp (340KB)