Analysis
max time kernel: 151s
max time network: 82s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2022 20:23
Behavioral task: behavioral1
Sample: 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe
Resource: win7-20220718-en
Behavioral task: behavioral2
Sample: 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe
Resource: win10v2004-20220721-en
General
Target: 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe
Size: 132KB
MD5: 3247288441b450a0be73b99371ffe5a4
SHA1: 00b0844f6d2ab60df8884f77d02c92f05f83cb48
SHA256: 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb
SHA512: b7099b098b966b64a07d70b7efe74486c804f969c5c6f96c80f269627fa8e69905c11f8ca725c2cdd1651940903d4a1b744606bace0576b24fa75074141a5a66
Malware Config
Extracted: tofsee
  91.218.38.245
  188.165.132.183
  rgtryhbgddtyh.biz
  wertdghbyrukl.ch
Signatures

Executes dropped EXE 1 IoCs
Processes:
  pid | process
  900 | ckme.exe

Processes:
  resource | yara_rule
  behavioral1/memory/1820-55-0x0000000000400000-0x0000000000448000-memory.dmp | upx
  \Users\Admin\ckme.exe | upx
  \Users\Admin\ckme.exe | upx
  C:\Users\Admin\ckme.exe | upx
  C:\Users\Admin\ckme.exe | upx

Deletes itself 1 IoCs
Processes:
  pid | process
  732 | cmd.exe

Loads dropped DLL 2 IoCs
Processes:
  pid | process
  1820 | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe
  1820 | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\ckme.exe\"" | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe

Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | ckme.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | ckme.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 900 set thread context of 1672 | 900 | ckme.exe | svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory 14 IoCs
Processes:
  description | pid | process | target process
  PID 1820 wrote to memory of 900 | 1820 | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe | ckme.exe
  PID 1820 wrote to memory of 900 | 1820 | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe | ckme.exe
  PID 1820 wrote to memory of 900 | 1820 | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe | ckme.exe
  PID 1820 wrote to memory of 900 | 1820 | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe | ckme.exe
  PID 1820 wrote to memory of 732 | 1820 | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe | cmd.exe
  PID 1820 wrote to memory of 732 | 1820 | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe | cmd.exe
  PID 1820 wrote to memory of 732 | 1820 | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe | cmd.exe
  PID 1820 wrote to memory of 732 | 1820 | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe | cmd.exe
  PID 900 wrote to memory of 1672 | 900 | ckme.exe | svchost.exe
  PID 900 wrote to memory of 1672 | 900 | ckme.exe | svchost.exe
  PID 900 wrote to memory of 1672 | 900 | ckme.exe | svchost.exe
  PID 900 wrote to memory of 1672 | 900 | ckme.exe | svchost.exe
  PID 900 wrote to memory of 1672 | 900 | ckme.exe | svchost.exe
  PID 900 wrote to memory of 1672 | 900 | ckme.exe | svchost.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\ckme.exe
      Command line: "C:\Users\Admin\ckme.exe"
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\svchost.exe
         Command line: svchost.exe

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2320.bat" "
      - Deletes itself
Downloads
C:\Users\Admin\AppData\Local\Temp\2320.bat
  Filesize: 302B
  MD5: fbe175270e8f2e037b02355ed0b0c367
  SHA1: 0ae5db5230df2372c8416cbd9db121c958a62c35
  SHA256: 2763b443c9fa6d2d9c55731d8a23752579965aedca6fb21479161acce0a83ef8
  SHA512: 0c61bd25ed04dc20b30b693c6aa59e6c091b508d46e21e45c6762e3f6547755e4fb543a0c6e37fca019c1391832543cd04c4d6a13cfff380f28fbc84b6b7b845

C:\Users\Admin\ckme.exe
  Filesize: 132KB
  MD5: 3247288441b450a0be73b99371ffe5a4
  SHA1: 00b0844f6d2ab60df8884f77d02c92f05f83cb48
  SHA256: 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb
  SHA512: b7099b098b966b64a07d70b7efe74486c804f969c5c6f96c80f269627fa8e69905c11f8ca725c2cdd1651940903d4a1b744606bace0576b24fa75074141a5a66
\Users\Admin\ckme.exe
  Filesize: 132KB
  MD5: 3247288441b450a0be73b99371ffe5a4
  SHA1: 00b0844f6d2ab60df8884f77d02c92f05f83cb48
  SHA256: 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb
  SHA512: b7099b098b966b64a07d70b7efe74486c804f969c5c6f96c80f269627fa8e69905c11f8ca725c2cdd1651940903d4a1b744606bace0576b24fa75074141a5a66
Memory dumps
  memory/732-61-0x0000000000000000-mapping.dmp
  memory/900-58-0x0000000000000000-mapping.dmp
  memory/900-69-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize: 288KB)
  memory/1672-67-0x0000000000087322-mapping.dmp
  memory/1672-66-0x0000000000080000-0x0000000000091000-memory.dmp (Filesize: 68KB)
  memory/1672-64-0x0000000000080000-0x0000000000091000-memory.dmp (Filesize: 68KB)
  memory/1672-71-0x0000000000080000-0x0000000000091000-memory.dmp (Filesize: 68KB)
  memory/1672-73-0x0000000000080000-0x0000000000091000-memory.dmp (Filesize: 68KB)
  memory/1672-74-0x0000000000080000-0x0000000000091000-memory.dmp (Filesize: 68KB)
  memory/1820-62-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize: 288KB)
  memory/1820-55-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize: 288KB)
  memory/1820-54-0x0000000075851000-0x0000000075853000-memory.dmp (Filesize: 8KB)