Analysis
max time kernel: 152s
max time network: 46s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64 arch:x86 image:win7-20220718-en locale:en-us os:windows7-x64 system
submitted: 31-07-2022 18:42
Static task: static1
Behavioral task: behavioral1
  Sample: 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe
  Resource: win10v2004-20220722-en
General
Target: 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe
Size: 631KB
MD5: 760c7ab3a4fef37d342cae926c2a035f
SHA1: a60e42682cf18b4a40446657c36c21a650b39d8e
SHA256: 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e
SHA512: 4e3def883030f7e41db6df960d0f2f7d65e4cacf8668fef95cb1eececcffe1a355665ff4961fc75df4eacd8e0472310790c35d0e7b75d2a1ea406fd0f9757f31
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
pid | Process
1716 | BsBhvScan.exe
824 | bthserv.exe
772 | BsBhvScan.exe

Loads dropped DLL (3 IoCs)
pid | Process
1956 | 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe
1716 | BsBhvScan.exe
824 | bthserv.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1956 set thread context of 1724 | 1956 | 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe | 28
PID 824 set thread context of 524 | 824 | bthserv.exe | 31

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1956 | 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe
1716 | BsBhvScan.exe
824 | bthserv.exe
772 | BsBhvScan.exe
(64 entries in total, repeated across these four processes)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1956 | 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe
Token: SeDebugPrivilege | 1716 | BsBhvScan.exe
Token: SeDebugPrivilege | 824 | bthserv.exe
Token: SeDebugPrivilege | 772 | BsBhvScan.exe

Suspicious use of WriteProcessMemory (44 IoCs)
description | pid | Process | procid_target | entries
PID 1956 wrote to memory of 1724 | 1956 | 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe | 28 | 12
PID 1956 wrote to memory of 1716 | 1956 | 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe | 29 | 4
PID 1716 wrote to memory of 824 | 1716 | BsBhvScan.exe | 30 | 4
PID 824 wrote to memory of 524 | 824 | bthserv.exe | 31 | 12
PID 824 wrote to memory of 772 | 824 | bthserv.exe | 32 | 4
PID 1724 wrote to memory of 1884 | 1724 | RegAsm.exe | 34 | 4
PID 524 wrote to memory of 960 | 524 | RegAsm.exe | 33 | 4
Processes
(indentation shows the parent/child level of each process)

C:\Users\Admin\AppData\Local\Temp\5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe"
  PID: 1956
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (level 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 1724
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (level 3)
      command line: dw20.exe -x -s 856
      PID: 1884

  C:\Users\Admin\AppData\Local\Microsoft\Windows\BsBhvScan.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\BsBhvScan.exe"
    PID: 1716
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Microsoft\Windows\bthserv.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\bthserv.exe"
      PID: 824
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (level 4)
        command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        PID: 524
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (level 5)
          command line: dw20.exe -x -s 856
          PID: 960

      C:\Users\Admin\AppData\Local\Microsoft\Windows\BsBhvScan.exe (level 4)
        command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\BsBhvScan.exe"
        PID: 772
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 8KB (6 identical entries)
MD5: 56da270bbd70f986ca0ffe23d904986f
SHA1: ce0c63d9da9e6812000d1bc2723161d2f9f09429
SHA256: 555726bb227402ace35ec78cb0812b6fc53fd998994e650a910318407eb2012f
SHA512: 2ca827860820165af0f6b0f4b407c91d34c995046f574ca1921d058f8f383cf8e643d048295bc433616714c870d9039a1f582bc30e9be7d3a49a117a600a1cc6

Filesize: 631KB (3 identical entries)
MD5: 760c7ab3a4fef37d342cae926c2a035f
SHA1: a60e42682cf18b4a40446657c36c21a650b39d8e
SHA256: 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e
SHA512: 4e3def883030f7e41db6df960d0f2f7d65e4cacf8668fef95cb1eececcffe1a355665ff4961fc75df4eacd8e0472310790c35d0e7b75d2a1ea406fd0f9757f31