Analysis
max time kernel: 37s
max time network: 43s
platform: windows7_x64
resource: win7-20220414-en
submitted: 14-06-2022 22:45

Static task: static1
Behavioral task: behavioral1
- Sample: 2c723ae13f8953c743155d39a6caa46ca42336cfe054b05b4a88f2a038a46f44.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2c723ae13f8953c743155d39a6caa46ca42336cfe054b05b4a88f2a038a46f44.exe
- Resource: win10v2004-20220414-en
General
Target: 2c723ae13f8953c743155d39a6caa46ca42336cfe054b05b4a88f2a038a46f44.exe
Size: 118KB
MD5: 2954556d223bdc9f70fa117b2607ad08
SHA1: 40f5a8bdd061f90fa48fc715b53922398ccf6f02
SHA256: 2c723ae13f8953c743155d39a6caa46ca42336cfe054b05b4a88f2a038a46f44
SHA512: af0c81d007989ba5eed2270917b3a4c93804958840f21cf2297787869e02739201e2891b8058badd78cc1a0898fd965bf94b4667fc60937f2d45a2a4021d5b2c
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
- PID 664 ezLze.exe
- PID 524 cvtres.exe
Loads dropped DLL (3 IoCs)
- PID 1884 2c723ae13f8953c743155d39a6caa46ca42336cfe054b05b4a88f2a038a46f44.exe (2 events)
- PID 664 ezLze.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- cvtres.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- cvtres.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Media Center = "C:\\Windows\\smss.exe"
The value data points to C:\Windows\smss.exe. The real Session Manager binary lives in C:\Windows\System32, so the file name is a masquerade; the Wow6432Node path shows the writer is a 32-bit process on the x64 host.
Suspicious use of SetThreadContext (1 IoC)
- PID 664 ezLze.exe set thread context of PID 524 cvtres.exe
Together with the ten WriteProcessMemory calls from PID 664 into PID 524 listed below, this is the process-hollowing pattern: ezLze.exe starts cvtres.exe, overwrites its memory and redirects its thread to the injected code.
Drops file in Windows directory (2 IoCs)
- cvtres.exe: File created C:\Windows\smss.exe
- cvtres.exe: File opened for modification C:\Windows\smss.exe
Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 664 ezLze.exe (2 events)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- PID 664 ezLze.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (14 IoCs)
- PID 1884 2c723ae13f8953c743155d39a6caa46ca42336cfe054b05b4a88f2a038a46f44.exe wrote to memory of PID 664 ezLze.exe (4 events)
- PID 664 ezLze.exe wrote to memory of PID 524 cvtres.exe (10 events)
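The two behaviours worth alerting on in the signature list are the cross-process write plus SetThreadContext pair (hollowing) and the Run key whose data names a Windows system binary outside System32. The detection logic below is an added example, not code from the sandbox or from this report. The event schema (plain dicts carrying an "api" or "reg" field), the write threshold and the list of system-binary directories are assumptions made for illustration; the sample events are constructed from the PIDs, process names and registry data the report shows.

```python
"""Detect process hollowing and Run-key masquerade from API/registry events.

Added example. The event format is an assumed, simplified one; the
sample events are constructed from the PIDs and paths in the report.
"""
import ntpath
from collections import defaultdict

# Assumed threshold: a normal process start produces a few parent writes
# into the child; the report shows 10 writes from PID 664 into PID 524.
HOLLOW_MIN_WRITES = 4

# Where these Windows binaries legitimately live (assumed, partial list).
SYSTEM_BINARY_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

SAMPLE = "2c723ae13f8953c743155d39a6caa46ca42336cfe054b05b4a88f2a038a46f44.exe"


def _wpm(pid, proc, tpid, tproc):
    return {"api": "WriteProcessMemory", "pid": pid, "process": proc,
            "target_pid": tpid, "target": tproc}


# Constructed events mirroring the report: 4 writes 1884 -> 664 (plain
# process start, no SetThreadContext), 10 writes plus SetThreadContext
# 664 -> 524 (hollowing), and cvtres.exe (524) writing the Run key.
SAMPLE_EVENTS = (
    [_wpm(1884, SAMPLE, 664, "ezLze.exe")] * 4
    + [_wpm(664, "ezLze.exe", 524, "cvtres.exe")] * 10
    + [{"api": "SetThreadContext", "pid": 664, "process": "ezLze.exe",
        "target_pid": 524, "target": "cvtres.exe"}]
    + [{"reg": "SetValue", "pid": 524, "process": "cvtres.exe",
        "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
        "name": "Windows Media Center", "data": r"C:\Windows\smss.exe"}]
)


def detect_hollowing(events):
    """Flag (source, target) pairs with >= HOLLOW_MIN_WRITES cross-process
    writes AND a SetThreadContext call. Call order is not required because
    the report lists calls per API, not as a sequence."""
    writes = defaultdict(int)
    set_ctx = set()
    names = {}
    for e in events:
        api = e.get("api")
        if api not in ("WriteProcessMemory", "SetThreadContext"):
            continue
        pair = (e["pid"], e["target_pid"])
        names[e["pid"]] = e["process"]
        names[e["target_pid"]] = e["target"]
        if api == "WriteProcessMemory":
            writes[pair] += 1
        else:
            set_ctx.add(pair)
    return [
        {"type": "process_hollowing", "source_pid": s, "source": names[s],
         "target_pid": t, "target": names[t], "writes": writes[(s, t)]}
        for (s, t) in sorted(set_ctx) if writes[(s, t)] >= HOLLOW_MIN_WRITES
    ]


def detect_run_key_masquerade(events):
    """Flag Run-key values whose data is a system binary name stored
    outside the directory that binary normally lives in."""
    findings = []
    for e in events:
        if e.get("reg") != "SetValue":
            continue
        if "\\currentversion\\run" not in e["key"].lower():
            continue
        target = e["data"].strip('"')
        base = ntpath.basename(target).lower()
        directory = ntpath.dirname(target).lower()
        allowed = SYSTEM_BINARY_DIRS.get(base)
        if allowed is not None and directory not in allowed:
            findings.append({"type": "run_key_masquerade", "pid": e["pid"],
                             "process": e["process"], "value_name": e["name"],
                             "path": target, "expected_dirs": sorted(allowed)})
    return findings


def triage(events):
    return detect_hollowing(events) + detect_run_key_masquerade(events)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The four writes from the sample into ezLze.exe are not flagged: without a SetThreadContext on the same pair they look like an ordinary process start. Tune HOLLOW_MIN_WRITES against your own telemetry; the SetThreadContext requirement is what keeps the rule quiet.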
Processes
- C:\Users\Admin\AppData\Local\Temp\2c723ae13f8953c743155d39a6caa46ca42336cfe054b05b4a88f2a038a46f44.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2c723ae13f8953c743155d39a6caa46ca42336cfe054b05b4a88f2a038a46f44.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ezLze.exe (child of the sample)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ezLze.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\cvtres.exe (child of ezLze.exe)
      Command line: C:\Users\Admin\AppData\Local\Temp\\cvtres.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory
Network
Downloads
- C:\Users\Admin\AppData\Local\Temp\cvtres.exe (also recorded as \Users\Admin\AppData\Local\Temp\cvtres.exe)
  Filesize: 31KB
  MD5: ed797d8dc2c92401985d162e42ffa450
  SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2
- C:\Users\Admin\AppData\Local\Temp\ezLze.exe (also recorded as \Users\Admin\AppData\Local\Temp\ezLze.exe)
  Filesize: 74KB
  MD5: 7d13dfd077d79c0a8d3cd21418ccf848
  SHA1: 716a2b22afc0e51663ca763f281f73fe1c77a7b1
  SHA256: 50f1c18fa3bab7fa42b5db45ca29e6df4a5e19d8f5b2954f2684d7242e324b4f
  SHA512: 659d8acfb0ecd7ca825837353aa6e47ba30284c6a0c2ef59c9b968d0ffba1587ca2a8a681a2841f02619cfe79935dd3cf07675406cf3a78560b1a33fc112f453
Memory dumps
- PID 524 (cvtres.exe): 0x0000000000400000-0x0000000000407000, 28KB (dumps 524-64, 524-65, 524-67, 524-68, 524-69, 524-70, 524-74, 524-76)
- PID 524 (cvtres.exe): 0x0000000000401E60 mapping dump (524-71)
- PID 664 (ezLze.exe): 0x0000000000000000 mapping dump (664-58)
- PID 664 (ezLze.exe): 0x00000000747D0000-0x0000000074D7B000, 5.7MB (dumps 664-77, 664-78)
- PID 1884 (sample): 0x00000000747D0000-0x0000000074D7B000, 5.7MB (dumps 1884-55, 1884-62)
- PID 1884 (sample): 0x0000000075191000-0x0000000075193000, 8KB (dump 1884-54)
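The hashes in the Downloads section are the reusable part of this report for a hunt. The scanner below is an added example, not code from the report or the sandbox: it copies the MD5/SHA1/SHA256 digests of the two dropped files, hashes every file under a directory once and reports hash hits as high confidence and bare name hits as low confidence (cvtres.exe is also a legitimate Microsoft tool name). The scan function, its findings format and the demo directory it builds are assumptions for illustration; the demo file contents are constructed and do not reproduce the real droppers.

```python
"""Hunt a directory tree for the dropped files from this report.

Added example. Digests come from the report's Downloads section; the
scanning logic and demo inputs are constructed for illustration.
"""
import hashlib
import os
import tempfile

# MD5/SHA1/SHA256 of the two dropped files, as listed in the report.
DROPPED_FILES = {
    "cvtres.exe": {
        "md5": "ed797d8dc2c92401985d162e42ffa450",
        "sha1": "0f02fc517c7facc4baefde4fe9467fb6488ebabe",
        "sha256": "b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e",
    },
    "ezLze.exe": {
        "md5": "7d13dfd077d79c0a8d3cd21418ccf848",
        "sha1": "716a2b22afc0e51663ca763f281f73fe1c77a7b1",
        "sha256": "50f1c18fa3bab7fa42b5db45ca29e6df4a5e19d8f5b2954f2684d7242e324b4f",
    },
}


def file_digests(path, chunk=1 << 20):
    """Stream the file once, return lowercase md5/sha1/sha256 hex digests."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(),
              "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_index(iocs):
    """Map every known digest (any algorithm) -> (dropped file name, algorithm)."""
    return {digest.lower(): (name, algo)
            for name, algos in iocs.items()
            for algo, digest in algos.items()}


def scan(root, iocs=DROPPED_FILES):
    """Walk root. A hash hit is high confidence; a name-only hit is a lead."""
    index = hash_index(iocs)
    known_names = {n.lower() for n in iocs}
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digests = file_digests(path)
            except OSError:
                continue  # unreadable or vanished file: skip, keep scanning
            hits = {algo: index[v] for algo, v in digests.items() if v in index}
            if hits:
                findings.append({"name": fn, "path": path, "confidence": "high",
                                 "matches": sorted({n for n, _ in hits.values()}),
                                 "algorithms": sorted(hits)})
            elif fn.lower() in known_names:
                findings.append({"name": fn, "path": path, "confidence": "low",
                                 "matches": [fn], "algorithms": []})
    return findings


def demo():
    """Build a throwaway directory with constructed files and scan it: one
    file whose SHA-256 is added to the IoC set (hash hit) and one that only
    shares a dropped file's name (name hit)."""
    payload = b"constructed sample content, not the real dropper"
    with tempfile.TemporaryDirectory(prefix="ioc-scan-") as root:
        with open(os.path.join(root, "payload.bin"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(root, "ezLze.exe"), "wb") as fh:
            fh.write(b"same name, different content")
        iocs = dict(DROPPED_FILES)
        iocs["payload.bin"] = {"sha256": hashlib.sha256(payload).hexdigest()}
        return scan(root, iocs)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point scan() at %TEMP% and C:\Windows on a suspect host; the C:\Windows\smss.exe the report shows being written is worth hashing and comparing against the dropped cvtres.exe digests as well, since the report does not record the hash of that final copy.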