af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e

Analysis

max time kernel
300s
max time network
302s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17/09/2022, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe
Size

2.5MB
MD5

0119f6316586f89f83c24254c6927dd9
SHA1

eb462b622d6038638889154839238105a17f508b
SHA256

af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e
SHA512

f864b04c6906abd03db89d85d9fde4cf7a35078fac9dbc51ba2285adc8bbc4e5d46cb351b4d6ad59bf04949ec851571f655a09fb2322709c06357daae8283653
SSDEEP

49152:35mGlO0aBsajwiCzLaeG862uwnYn9fRLdrAoVMkTEHMUHqyuWoG:0G8/Bspp/p+3rjspTj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1536	qwfqwf.exe
1120	explorer.exe

Loads dropped DLL 1 IoCs

pid	Process
300	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\D309.tmp	qwfqwf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1536 set thread context of 1120	1536	qwfqwf.exe	45

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\qwfqwf.exe	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe
File opened for modification	C:\Program Files\qwfqwf.exe	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe
File created	C:\Program Files\Google\Libs\WR64.sys	qwfqwf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1884	schtasks.exe
1932	schtasks.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	qwfqwf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	qwfqwf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0da8e4e90cad801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	qwfqwf.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1500	powershell.exe
1520	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe
1200	powershell.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1520	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeLockMemoryPrivilege	1120	explorer.exe
Token: SeDebugPrivilege	1536	qwfqwf.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1500	1520	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	28
PID 1520 wrote to memory of 1500	1520	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	28
PID 1520 wrote to memory of 1500	1520	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	28
PID 1520 wrote to memory of 1988	1520	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	30
PID 1520 wrote to memory of 1988	1520	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	30
PID 1520 wrote to memory of 1988	1520	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	30
PID 1988 wrote to memory of 1884	1988	cmd.exe	32
PID 1988 wrote to memory of 1884	1988	cmd.exe	32
PID 1988 wrote to memory of 1884	1988	cmd.exe	32
PID 1520 wrote to memory of 692	1520	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	33
PID 1520 wrote to memory of 692	1520	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	33
PID 1520 wrote to memory of 692	1520	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	33
PID 692 wrote to memory of 1680	692	cmd.exe	35
PID 692 wrote to memory of 1680	692	cmd.exe	35
PID 692 wrote to memory of 1680	692	cmd.exe	35
PID 300 wrote to memory of 1536	300	taskeng.exe	37
PID 300 wrote to memory of 1536	300	taskeng.exe	37
PID 300 wrote to memory of 1536	300	taskeng.exe	37
PID 1536 wrote to memory of 1200	1536	qwfqwf.exe	38
PID 1536 wrote to memory of 1200	1536	qwfqwf.exe	38
PID 1536 wrote to memory of 1200	1536	qwfqwf.exe	38
PID 1536 wrote to memory of 1188	1536	qwfqwf.exe	40
PID 1536 wrote to memory of 1188	1536	qwfqwf.exe	40
PID 1536 wrote to memory of 1188	1536	qwfqwf.exe	40
PID 1188 wrote to memory of 1932	1188	cmd.exe	42
PID 1188 wrote to memory of 1932	1188	cmd.exe	42
PID 1188 wrote to memory of 1932	1188	cmd.exe	42
PID 1536 wrote to memory of 1720	1536	qwfqwf.exe	44
PID 1536 wrote to memory of 1720	1536	qwfqwf.exe	44
PID 1536 wrote to memory of 1720	1536	qwfqwf.exe	44
PID 1536 wrote to memory of 1720	1536	qwfqwf.exe	44
PID 1536 wrote to memory of 1120	1536	qwfqwf.exe	45
PID 1536 wrote to memory of 1120	1536	qwfqwf.exe	45
PID 1536 wrote to memory of 1120	1536	qwfqwf.exe	45
PID 1536 wrote to memory of 1120	1536	qwfqwf.exe	45

C:\Users\Admin\AppData\Local\Temp\af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe
"C:\Users\Admin\AppData\Local\Temp\af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAdwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAYgBtAHQAIwA+ACAAQAAoACAAPAAjAGEAdABzACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBlAGgAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAaABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdwBlACMAPgA="
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "qwfqwf" /tr "\"C:\Program Files\qwfqwf.exe\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "qwfqwf" /tr "\"C:\Program Files\qwfqwf.exe\""
    3⤵
    - Creates scheduled task(s)
    PID:1884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "qwfqwf"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn "qwfqwf"
    3⤵
    PID:1680

C:\Windows\system32\taskeng.exe
taskeng.exe {AB928269-9073-4F56-910D-0E258B9EACCA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:300
- C:\Program Files\qwfqwf.exe
  "C:\Program Files\qwfqwf.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAdwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAYgBtAHQAIwA+ACAAQAAoACAAPAAjAGEAdABzACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBlAGgAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAaABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdwBlACMAPgA="
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "qwfqwf" /tr "\"C:\Program Files\qwfqwf.exe\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "qwfqwf" /tr "\"C:\Program Files\qwfqwf.exe\""
      4⤵
      Creates scheduled task(s)
      PID:1932
- - C:\Windows\System32\conhost.exe
    C:\Windows\System32\conhost.exe "dplckqvqeii"
    3⤵
    PID:1720
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe oiwyeszwfgcchj0 XofLACsdV31j9ZQMDeZoqGi8Jt8J9pT+LaLT9/h7mc2lwG87CaVN5EzLnei9FHVsjt/hBqk2cTgsmCQzP63vQgf+54VyKHwwH69NepkH8M2stSb71uK1KIJJmTYhpCUFgEOsuzY0niiQhO4IOHEE9e4sENaUmjYuxDw5wrLuyC8LykQtm4N+vgPtPiXrgni2TUdtqXmIDR4R+72aCV7DHwsbx1WEqZrFFqJymbMq1JZVnZbh+OEPkwxlN7+zLObs1FTuo2sWS54ALgasRhnsT7kWRUUmlyabrkMK2DQmwu3LW0d6p7k8lJ5VMjQ/Cjfpy1KQsqtQ4oDh8dL288eS3kSVSx4v69CksqYI4pJt2Y4KBNDs/GHeKAzo6Bc9UNzCMef/jPbcIDe3Yp/2LYV30gzhg5rQINuyoxM58Mu8THf4E8smMaTwy1yf3v0rAXnQmaDr2jTmVoyq4UNdb8issfE5UQm2tLrv+MzA/f/rHvLGjTkGxL+MU70e1VSwZSudke4N28PyHGuhSiTevP6g3A==
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\qwfqwf.exe

Filesize
2.5MB

MD5
0119f6316586f89f83c24254c6927dd9

SHA1
eb462b622d6038638889154839238105a17f508b

SHA256
af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e

SHA512
f864b04c6906abd03db89d85d9fde4cf7a35078fac9dbc51ba2285adc8bbc4e5d46cb351b4d6ad59bf04949ec851571f655a09fb2322709c06357daae8283653

Download Submit
C:\Program Files\qwfqwf.exe

Filesize
2.5MB

MD5
0119f6316586f89f83c24254c6927dd9

SHA1
eb462b622d6038638889154839238105a17f508b

SHA256
af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e

SHA512
f864b04c6906abd03db89d85d9fde4cf7a35078fac9dbc51ba2285adc8bbc4e5d46cb351b4d6ad59bf04949ec851571f655a09fb2322709c06357daae8283653

Download Submit
\Program Files\qwfqwf.exe

Filesize
2.5MB

MD5
0119f6316586f89f83c24254c6927dd9

SHA1
eb462b622d6038638889154839238105a17f508b

SHA256
af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e

SHA512
f864b04c6906abd03db89d85d9fde4cf7a35078fac9dbc51ba2285adc8bbc4e5d46cb351b4d6ad59bf04949ec851571f655a09fb2322709c06357daae8283653

Download Submit
memory/1120-93-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/1200-77-0x000007FEEC200000-0x000007FEECD5D000-memory.dmp

Filesize
11.4MB

Download
memory/1500-62-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1500-59-0x000007FEEC6B0000-0x000007FEED20D000-memory.dmp

Filesize
11.4MB

Download
memory/1500-63-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/1500-58-0x000007FEED210000-0x000007FEEDC33000-memory.dmp

Filesize
10.1MB

Download
memory/1500-60-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1500-61-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/1520-55-0x000007FEFB801000-0x000007FEFB803000-memory.dmp

Filesize
8KB

Download
memory/1520-54-0x000000013F570000-0x000000013F7EA000-memory.dmp

Filesize
2.5MB

Download
memory/1536-72-0x000000013FCC0000-0x000000013FF3A000-memory.dmp

Filesize
2.5MB

Download
memory/1536-80-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/1536-81-0x0000000180000000-0x0000000180023000-memory.dmp

Filesize
140KB

Download
memory/1536-96-0x0000000180000000-0x000000018001D000-memory.dmp

Filesize
116KB

Download
memory/1720-87-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/1720-88-0x00000000006E0000-0x00000000006E6000-memory.dmp

Filesize
24KB

Download