Analysis
-
max time kernel
73s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
12-09-2022 04:48
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220812-en
General
-
Target
tmp.exe
-
Size
62KB
-
MD5
372c389955436b05a3e27c628f2f3dd6
-
SHA1
9b0e47953cfc4e4b314123966591cd72b3531426
-
SHA256
1584b24459df523db2d980cb45d3f3c4f010ed2c5b7f79312faad51ab3ee2abc
-
SHA512
8b9b41953739028ab668e39a95c974df6e0132fa6d85c29b1fcefcbc9c25b02ffcd1eb71c7a6a4814c5a624a99c279b752b705d286933bb71f798f37e706a40c
-
SSDEEP
1536:LjO/wOIXQFwWyE2IIq6KwTypLwCV/Gg3xLFrHtDGGZu:djXCwMIqnwTypLZ/PxrHtDpu
Malware Config
Extracted
Family: systembc
C2: 31.41.244.183:4257
C2: 194.36.177.46:4257
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1312  BBBBBBBBBBBBBBBBBBBB.exe
  2036  BBBBBBBBBBBBBBBBBBBB.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1776  RegAsm.exe
  1776  RegAsm.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  pid   process   target pid   target process
  1184  tmp.exe   1776         RegAsm.exe
-
Drops file in Windows directory (2 IoCs)
Processes:
  process                    ioc
  BBBBBBBBBBBBBBBBBBBB.exe   File created: C:\Windows\Tasks\wow64.job
  BBBBBBBBBBBBBBBBBBBB.exe   File opened for modification: C:\Windows\Tasks\wow64.job
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but it is a generic signature: the only file activity recorded in this run is the dropped loader and the wow64.job task, and the extracted config is a SystemBC config with two C2 endpoints, so treat this signature as a weak indicator on its own.
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  pid   process      token
  1776  RegAsm.exe   SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  pid   process       target pid   target process             writes
  1184  tmp.exe       1776         RegAsm.exe                 12
  1776  RegAsm.exe    1312         BBBBBBBBBBBBBBBBBBBB.exe   4
  1960  taskeng.exe   2036         BBBBBBBBBBBBBBBBBBBB.exe   4
The four writes from a parent into a child it has just created (1776 to 1312, 1960 to 2036) are the ordinary process-start pattern. The twelve writes from tmp.exe into RegAsm.exe, together with the SetThreadContext call listed above, are the injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\ProgramData\BBBBBBBBBBBBBBBBBBBB.exe
      Command line: "C:\ProgramData\BBBBBBBBBBBBBBBBBBBB.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
-
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {1D5B761E-E049-44B5-AD14-A0A808448793} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  -
  C:\ProgramData\BBBBBBBBBBBBBBBBBBBB.exe
    Command line: C:\ProgramData\BBBBBBBBBBBBBBBBBBBB.exe start
    - Executes dropped EXE
-
Reading the tree: RegAsm.exe is started with no arguments (a legitimate run registers an assembly named on the command line) and is the SetThreadContext and WriteProcessMemory target of tmp.exe, so it is an injected host rather than a genuine .NET tool run; the 0x0000000000400000-0x0000000000412000 region dumped from pid 1776 is the image that was written into it. The dropped loader writes C:\Windows\Tasks\wow64.job, and the second branch shows that task firing: taskeng.exe, running as S-1-5-18 (NT AUTHORITY\System), relaunches C:\ProgramData\BBBBBBBBBBBBBBBBBBBB.exe with the argument start, so the persistence runs as SYSTEM.
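Detection logic for the chain above, as an added example that is not part of the sandbox report. It runs over constructed Sysmon-style records (EventID 1 process create, 3 network connect, 10 process access, 11 file create) whose values were filled in from the signatures and process tree on this page; the explorer.exe parent of tmp.exe, the 0x1FFFFF access mask, and the network connection are assumptions, since the report shows no network traffic. RegAsm.exe is the only host seen in this run; the other .NET utility names in DOTNET_HOSTS are a generalisation to tools abused the same way.

```python
"""Rules for the SystemBC execution chain in this report, run over
constructed Sysmon-style events (not real telemetry)."""
import re

# IOCs taken from the report: extracted SystemBC config and dropped-file hash.
C2_ENDPOINTS = {("31.41.244.183", 4257), ("194.36.177.46", 4257)}
DROPPED_SHA256 = "8dc6a4ee7b41ba73197485e2b685f7f82e9889b2e544269eabcc5c6c1cb8bac7"

# RegAsm.exe is the hollowing host in this run; the others are a generalisation.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Parents under which a no-argument launch of those tools is plausible (assumption).
DEV_PARENT_DIRS = ("c:\\program files\\microsoft visual studio", "c:\\windows\\microsoft.net")

PROCESS_VM_OPERATION = 0x0008   # needed for VirtualAllocEx / VirtualProtectEx
PROCESS_VM_WRITE = 0x0020       # needed for WriteProcessMemory


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _hashes(field):
    # Sysmon packs hashes as "MD5=...,SHA256=..." in one string.
    return dict(kv.split("=", 1) for kv in field.split(",") if "=" in kv)


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    hits = []
    for e in events:
        eid = e["EventID"]
        if eid == 1:
            img, parent = _base(e["Image"]), e["ParentImage"].lower()
            cmd = e["CommandLine"].strip().strip('"')
            # Rule 1: a .NET utility started with an empty command line from outside
            # a dev-tool directory (tmp.exe -> RegAsm.exe in this report).
            if (img in DOTNET_HOSTS and cmd.lower() == e["Image"].lower()
                    and not parent.startswith(DEV_PARENT_DIRS)):
                hits.append(("dotnet_host_no_args", e["ProcessId"], f"{_base(parent)} -> {img}"))
            # Rule 2: the task scheduler engine running an EXE out of ProgramData,
            # i.e. the wow64.job persistence firing.
            if _base(parent) == "taskeng.exe" and e["Image"].lower().startswith("c:\\programdata\\"):
                hits.append(("taskeng_runs_programdata_exe", e["ProcessId"], e["CommandLine"]))
            # Rule 3: hash match on the dropped loader.
            if _hashes(e.get("Hashes", "")).get("SHA256", "").lower() == DROPPED_SHA256:
                hits.append(("known_dropped_exe_hash", e["ProcessId"], e["Image"]))
        elif eid == 10:
            # Rule 4: a handle with write + operation rights on a .NET utility,
            # the access WriteProcessMemory and SetThreadContext need.
            granted = int(e["GrantedAccess"], 16)
            if (granted & PROCESS_VM_WRITE and granted & PROCESS_VM_OPERATION
                    and _base(e["TargetImage"]) in DOTNET_HOSTS):
                hits.append(("write_into_dotnet_host", e["SourceProcessId"],
                             f"{_base(e['SourceImage'])} -> {_base(e['TargetImage'])} ({e['GrantedAccess']})"))
        elif eid == 11:
            # Rule 5: legacy .job file written to C:\Windows\Tasks.
            if re.fullmatch(r"c:\\windows\\tasks\\[^\\]+\.job", e["TargetFilename"].lower()):
                hits.append(("job_file_in_windows_tasks", e["ProcessId"], e["TargetFilename"]))
        elif eid == 3:
            # Rule 6: connection to an endpoint from the extracted config.
            if (e["DestinationIp"], int(e["DestinationPort"])) in C2_ENDPOINTS:
                hits.append(("systembc_c2", e["ProcessId"], f"{e['DestinationIp']}:{e['DestinationPort']}"))
    return hits


def summarize(hits):
    """Group rule names by pid so the chain can be read per process."""
    out = {}
    for rule, pid, _ in hits:
        out.setdefault(pid, []).append(rule)
    return {pid: sorted(set(rules)) for pid, rules in out.items()}


REGASM = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe"
DROPPED = "C:\\ProgramData\\BBBBBBBBBBBBBBBBBBBB.exe"

# Constructed events mirroring the report; parent of tmp.exe, access mask and
# the network connection are assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 1184, "Image": TMP, "CommandLine": f'"{TMP}"',
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Hashes": "SHA256=1584b24459df523db2d980cb45d3f3c4f010ed2c5b7f79312faad51ab3ee2abc"},
    {"EventID": 1, "ProcessId": 1776, "Image": REGASM, "CommandLine": f'"{REGASM}"',
     "ParentImage": TMP, "Hashes": ""},
    {"EventID": 10, "SourceProcessId": 1184, "SourceImage": TMP,
     "TargetProcessId": 1776, "TargetImage": REGASM, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "ProcessId": 1312, "Image": DROPPED, "CommandLine": f'"{DROPPED}"',
     "ParentImage": REGASM, "Hashes": f"MD5=1be6092e32956e83b99c3dc7c66603c7,SHA256={DROPPED_SHA256}"},
    {"EventID": 11, "ProcessId": 1312, "Image": DROPPED, "TargetFilename": "C:\\Windows\\Tasks\\wow64.job"},
    {"EventID": 1, "ProcessId": 2036, "Image": DROPPED, "CommandLine": f"{DROPPED} start",
     "ParentImage": "C:\\Windows\\system32\\taskeng.exe", "Hashes": f"SHA256={DROPPED_SHA256}"},
    {"EventID": 3, "ProcessId": 1776, "Image": REGASM, "DestinationIp": "31.41.244.183", "DestinationPort": 4257},
    {"EventID": 3, "ProcessId": 1776, "Image": REGASM, "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:30} pid={pid:<5} {detail}")
```

Rules 1, 4 and 5 are the ones that survive a rebuild of the sample: the hashes and C2 addresses change between builds, but an argument-less RegAsm.exe written into by its parent and a .job file appearing in C:\Windows\Tasks do not.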
Downloads
-
C:\ProgramData\BBBBBBBBBBBBBBBBBBBB.exe
Filesize: 13KB
MD5: 1be6092e32956e83b99c3dc7c66603c7
SHA1: 92d942f9eba3c7146588f56d33a32262e042091d
SHA256: 8dc6a4ee7b41ba73197485e2b685f7f82e9889b2e544269eabcc5c6c1cb8bac7
SHA512: 9dbafbd83acf41cddf6da38f984e09a35d2639f326988845d91d80c2e449b3284c17d601d4f27eb1059a9122f719eeabdd3387aceb9c0c9eed2cca01c812e91e
(the raw report lists this one file five times, also under the path \ProgramData\BBBBBBBBBBBBBBBBBBBB.exe, with identical hashes)
-
memory/1184-55-0x0000000074BB1000-0x0000000074BB3000-memory.dmp (Filesize 8KB)
-
memory/1184-56-0x00000000003B0000-0x00000000003C4000-memory.dmp (Filesize 80KB)
-
memory/1184-54-0x0000000001150000-0x0000000001166000-memory.dmp (Filesize 88KB)
-
memory/1312-71-0x0000000000000000-mapping.dmp
-
memory/1776-58-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize 72KB)
-
memory/1776-67-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize 72KB)
-
memory/1776-65-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize 72KB)
-
memory/1776-63-0x000000000040C646-mapping.dmp
-
memory/1776-62-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize 72KB)
-
memory/1776-61-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize 72KB)
-
memory/1776-60-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize 72KB)
-
memory/1776-57-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize 72KB)
-
memory/2036-75-0x0000000000000000-mapping.dmp