Analysis
-
max time kernel: 149s
-
max time network: 152s
-
platform: windows7_x64
-
resource: win7-20220812-en
-
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
-
submitted: 10-09-2022 01:22
Behavioral task: behavioral1
Sample: 0x00060000000149b7-76.exe
Resource: win7-20220812-en
General
-
Target: 0x00060000000149b7-76.exe
-
Size: 3.8MB
-
MD5: d208502b720a4c00ae55379a1adff4fe
-
SHA1: e2c71e9ba414e0070992a9d31e73c9203b48e876
-
SHA256: 0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4
-
SHA512: a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363
-
SSDEEP: 98304:t77Pmq33rE/JDLPWZADUGer7B6iY74M/2mlwXVZaFB:J+R/eZADUXR
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: anubisgod.duckdns.org:1440
-
communication_password: 81dc9bdb52d04dc20036dbd8313ed055
-
install_dir: spottifyy
-
install_file: spottifyy.exe
-
tor_process: tor
Signatures
-
Processes (resource / yara_rule):
\Users\Admin\AppData\Local\Temp\WgUvKD.exe / aspack_v212_v242
\Users\Admin\AppData\Local\Temp\WgUvKD.exe / aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe / aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe / aspack_v212_v242
-
Executes dropped EXE 1 IoCs
Processes (pid / process):
864 / WgUvKD.exe
-
Loads dropped DLL 2 IoCs
Processes (pid / process):
1504 / 0x00060000000149b7-76.exe
1504 / 0x00060000000149b7-76.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
Set value (str) / \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\spottifyy = "C:\\Users\\Admin\\AppData\\Local\\spottifyy\\spottifyy.exe" / 0x00060000000149b7-76.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes (pid / process):
1504 / 0x00060000000149b7-76.exe (5 events)
-
Drops file in Program Files directory 64 IoCs
Processes (description / ioc / process): all entries are "File opened for modification" by WgUvKD.exe
C:\Program Files\DVD Maker\DVDMaker.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
C:\Program Files (x86)\Google\Update\Install\{BC26E81A-F128-4782-8D2F-D77BD62CE0C4}\chrome_installer.exe
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe
C:\Program Files\Mozilla Firefox\crashreporter.exe
C:\Program Files\Mozilla Firefox\maintenanceservice.exe
C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe
C:\Program Files\Windows Journal\PDIALOG.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe
C:\Program Files (x86)\Windows Mail\wab.exe
C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe
C:\Program Files\Java\jre7\bin\javaw.exe
C:\Program Files\Java\jre7\bin\pack200.exe
C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe
C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe
C:\Program Files (x86)\Windows Mail\WinMail.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe
C:\Program Files\Mozilla Firefox\default-browser-agent.exe
C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE
C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe
C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
C:\Program Files\Java\jre7\bin\ssvagent.exe
C:\Program Files\Java\jre7\bin\tnameserv.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
C:\Program Files\Java\jre7\bin\keytool.exe
C:\Program Files\Microsoft Games\Chess\Chess.exe
C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
C:\Program Files\Windows Mail\wabmig.exe
C:\Program Files (x86)\Microsoft Office\Office14\misc.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: RenamesItself 26 IoCs
Processes (pid / process):
1504 / 0x00060000000149b7-76.exe (26 events)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
Token: SeDebugPrivilege / 1504 / 0x00060000000149b7-76.exe
Token: SeShutdownPrivilege / 1504 / 0x00060000000149b7-76.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid / process):
1504 / 0x00060000000149b7-76.exe
1504 / 0x00060000000149b7-76.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes (description / pid / process / target process):
PID 1504 wrote to memory of 864 / 1504 / 0x00060000000149b7-76.exe / WgUvKD.exe (4 events)
PID 864 wrote to memory of 364 / 864 / WgUvKD.exe / cmd.exe (4 events)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\0x00060000000149b7-76.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0x00060000000149b7-76.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: RenamesItself
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\14e05dcd.bat" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\14e05dcd.bat
Filesize: 187B
MD5: 21e1dda0cae016de4d6e58ace7b84097
SHA1: 082fb77a16a82f1a795a0b7e3838803eacc06a34
SHA256: aba08861fd90f254a229907b004c9aa1404ff62935f73baaca3c16014f364d55
SHA512: ea9a1e8dd28c6003da5898e7c46477c1d8f73530a5e217817c741981cfeb89baad8d6c70d31f2d7185d9603d3d4ce3c3d6dcd95b4356c0e705ab26f7a8e7efcc
-
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
Filesize: 15KB
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
\Users\Admin\AppData\Local\Temp\WgUvKD.exe
Filesize: 15KB
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
memory/364-66-0x0000000000000000-mapping.dmp
-
memory/864-67-0x0000000000E70000-0x0000000000E79000-memory.dmp
Filesize: 36KB
-
memory/864-56-0x0000000000000000-mapping.dmp
-
memory/864-58-0x0000000075FB1000-0x0000000075FB3000-memory.dmp
Filesize: 8KB
-
memory/864-63-0x0000000000E70000-0x0000000000E79000-memory.dmp
Filesize: 36KB
-
memory/1504-61-0x0000000000400000-0x00000000007D3000-memory.dmp
Filesize: 3.8MB
-
memory/1504-65-0x00000000003E0000-0x00000000003EA000-memory.dmp
Filesize: 40KB
-
memory/1504-64-0x00000000003E0000-0x00000000003EA000-memory.dmp
Filesize: 40KB
-
memory/1504-62-0x0000000000E70000-0x0000000000E79000-memory.dmp
Filesize: 36KB
-
memory/1504-69-0x0000000000400000-0x00000000007D3000-memory.dmp
Filesize: 3.8MB