59fe7345e0be81520b6599981e9729c8529da15e45503877a6faad7a383a9b34

Analysis

max time kernel
123s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18/09/2022, 13:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7841954e260efd4e3cef2a5371f43286.exe
Size

319KB
MD5

7841954e260efd4e3cef2a5371f43286
SHA1

ddc7770fe061d8d935cad11f56ae7ccb550f7de8
SHA256

59fe7345e0be81520b6599981e9729c8529da15e45503877a6faad7a383a9b34
SHA512

e0c45be4ee0f313009c55401611734484a22e53b5d309bd0d938115c4cb2f5c4cc55b94e93805698197648a1f03e77ed1e418ce0a118ef30388629e81fb1343c
SSDEEP

6144:h0LgM3q34lqOu1ECOIPsmZl5Hl/QwL+9GoGN9q9hpJv64x7xxxIkMkMkMkqUkkku:6cM3qBOu1ECOIP7Hiw693XN

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1768	7841954e260efd4e3cef2a5371f43286.exe
1004	7841954e260efd4e3cef2a5371f43286.exe
1736	7841954e260efd4e3cef2a5371f43286.exe
804	7841954e260efd4e3cef2a5371f43286.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7841954e260efd4e3cef2a5371f43286.exe	7841954e260efd4e3cef2a5371f43286.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7841954e260efd4e3cef2a5371f43286.exe	7841954e260efd4e3cef2a5371f43286.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\7841954e260efd4e3cef2a5371f43286 = "C:\\Users\\Admin\\AppData\\Roaming\\7841954e260efd4e3cef2a5371f43286.exe"	7841954e260efd4e3cef2a5371f43286.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 1600	1052	7841954e260efd4e3cef2a5371f43286.exe	28
PID 1768 set thread context of 1004	1768	7841954e260efd4e3cef2a5371f43286.exe	34
PID 1736 set thread context of 804	1736	7841954e260efd4e3cef2a5371f43286.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
920	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	7841954e260efd4e3cef2a5371f43286.exe
Token: SeDebugPrivilege	1768	7841954e260efd4e3cef2a5371f43286.exe
Token: SeDebugPrivilege	1736	7841954e260efd4e3cef2a5371f43286.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1600	1052	7841954e260efd4e3cef2a5371f43286.exe	28
PID 1052 wrote to memory of 1600	1052	7841954e260efd4e3cef2a5371f43286.exe	28
PID 1052 wrote to memory of 1600	1052	7841954e260efd4e3cef2a5371f43286.exe	28
PID 1052 wrote to memory of 1600	1052	7841954e260efd4e3cef2a5371f43286.exe	28
PID 1052 wrote to memory of 1600	1052	7841954e260efd4e3cef2a5371f43286.exe	28
PID 1052 wrote to memory of 1600	1052	7841954e260efd4e3cef2a5371f43286.exe	28
PID 1052 wrote to memory of 1600	1052	7841954e260efd4e3cef2a5371f43286.exe	28
PID 1052 wrote to memory of 1600	1052	7841954e260efd4e3cef2a5371f43286.exe	28
PID 1052 wrote to memory of 1600	1052	7841954e260efd4e3cef2a5371f43286.exe	28
PID 1600 wrote to memory of 920	1600	7841954e260efd4e3cef2a5371f43286.exe	29
PID 1600 wrote to memory of 920	1600	7841954e260efd4e3cef2a5371f43286.exe	29
PID 1600 wrote to memory of 920	1600	7841954e260efd4e3cef2a5371f43286.exe	29
PID 1600 wrote to memory of 920	1600	7841954e260efd4e3cef2a5371f43286.exe	29
PID 932 wrote to memory of 1768	932	taskeng.exe	33
PID 932 wrote to memory of 1768	932	taskeng.exe	33
PID 932 wrote to memory of 1768	932	taskeng.exe	33
PID 932 wrote to memory of 1768	932	taskeng.exe	33
PID 1768 wrote to memory of 1004	1768	7841954e260efd4e3cef2a5371f43286.exe	34
PID 1768 wrote to memory of 1004	1768	7841954e260efd4e3cef2a5371f43286.exe	34
PID 1768 wrote to memory of 1004	1768	7841954e260efd4e3cef2a5371f43286.exe	34
PID 1768 wrote to memory of 1004	1768	7841954e260efd4e3cef2a5371f43286.exe	34
PID 1768 wrote to memory of 1004	1768	7841954e260efd4e3cef2a5371f43286.exe	34
PID 1768 wrote to memory of 1004	1768	7841954e260efd4e3cef2a5371f43286.exe	34
PID 1768 wrote to memory of 1004	1768	7841954e260efd4e3cef2a5371f43286.exe	34
PID 1768 wrote to memory of 1004	1768	7841954e260efd4e3cef2a5371f43286.exe	34
PID 1768 wrote to memory of 1004	1768	7841954e260efd4e3cef2a5371f43286.exe	34
PID 932 wrote to memory of 1736	932	taskeng.exe	35
PID 932 wrote to memory of 1736	932	taskeng.exe	35
PID 932 wrote to memory of 1736	932	taskeng.exe	35
PID 932 wrote to memory of 1736	932	taskeng.exe	35
PID 1736 wrote to memory of 804	1736	7841954e260efd4e3cef2a5371f43286.exe	36
PID 1736 wrote to memory of 804	1736	7841954e260efd4e3cef2a5371f43286.exe	36
PID 1736 wrote to memory of 804	1736	7841954e260efd4e3cef2a5371f43286.exe	36
PID 1736 wrote to memory of 804	1736	7841954e260efd4e3cef2a5371f43286.exe	36
PID 1736 wrote to memory of 804	1736	7841954e260efd4e3cef2a5371f43286.exe	36
PID 1736 wrote to memory of 804	1736	7841954e260efd4e3cef2a5371f43286.exe	36
PID 1736 wrote to memory of 804	1736	7841954e260efd4e3cef2a5371f43286.exe	36
PID 1736 wrote to memory of 804	1736	7841954e260efd4e3cef2a5371f43286.exe	36
PID 1736 wrote to memory of 804	1736	7841954e260efd4e3cef2a5371f43286.exe	36

C:\Users\Admin\AppData\Local\Temp\7841954e260efd4e3cef2a5371f43286.exe
"C:\Users\Admin\AppData\Local\Temp\7841954e260efd4e3cef2a5371f43286.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\7841954e260efd4e3cef2a5371f43286.exe
  "C:\Users\Admin\AppData\Local\Temp\7841954e260efd4e3cef2a5371f43286.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "7841954e260efd4e3cef2a5371f43286" /tr "C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe"
    3⤵
    - Creates scheduled task(s)
    PID:920

C:\Windows\system32\taskeng.exe
taskeng.exe {4E8574A9-F6CF-4BFF-BE8B-5719C88A28AA} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe
  C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe
    "C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe"
    3⤵
    - Executes dropped EXE
    PID:1004
- C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe
  C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe
    "C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe"
    3⤵
    - Executes dropped EXE
    PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe

Filesize
319KB

MD5
7841954e260efd4e3cef2a5371f43286

SHA1
ddc7770fe061d8d935cad11f56ae7ccb550f7de8

SHA256
59fe7345e0be81520b6599981e9729c8529da15e45503877a6faad7a383a9b34

SHA512
e0c45be4ee0f313009c55401611734484a22e53b5d309bd0d938115c4cb2f5c4cc55b94e93805698197648a1f03e77ed1e418ce0a118ef30388629e81fb1343c

Download Submit
C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe

Filesize
319KB

MD5
7841954e260efd4e3cef2a5371f43286

SHA1
ddc7770fe061d8d935cad11f56ae7ccb550f7de8

SHA256
59fe7345e0be81520b6599981e9729c8529da15e45503877a6faad7a383a9b34

SHA512
e0c45be4ee0f313009c55401611734484a22e53b5d309bd0d938115c4cb2f5c4cc55b94e93805698197648a1f03e77ed1e418ce0a118ef30388629e81fb1343c

Download Submit
C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe

Filesize
319KB

MD5
7841954e260efd4e3cef2a5371f43286

SHA1
ddc7770fe061d8d935cad11f56ae7ccb550f7de8

SHA256
59fe7345e0be81520b6599981e9729c8529da15e45503877a6faad7a383a9b34

SHA512
e0c45be4ee0f313009c55401611734484a22e53b5d309bd0d938115c4cb2f5c4cc55b94e93805698197648a1f03e77ed1e418ce0a118ef30388629e81fb1343c

Download Submit
C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe

Filesize
319KB

MD5
7841954e260efd4e3cef2a5371f43286

SHA1
ddc7770fe061d8d935cad11f56ae7ccb550f7de8

SHA256
59fe7345e0be81520b6599981e9729c8529da15e45503877a6faad7a383a9b34

SHA512
e0c45be4ee0f313009c55401611734484a22e53b5d309bd0d938115c4cb2f5c4cc55b94e93805698197648a1f03e77ed1e418ce0a118ef30388629e81fb1343c

Download Submit
C:\Users\Admin\AppData\Roaming\7841954e260efd4e3cef2a5371f43286.exe

Filesize
319KB

MD5
7841954e260efd4e3cef2a5371f43286

SHA1
ddc7770fe061d8d935cad11f56ae7ccb550f7de8

SHA256
59fe7345e0be81520b6599981e9729c8529da15e45503877a6faad7a383a9b34

SHA512
e0c45be4ee0f313009c55401611734484a22e53b5d309bd0d938115c4cb2f5c4cc55b94e93805698197648a1f03e77ed1e418ce0a118ef30388629e81fb1343c

Download Submit
memory/1004-91-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1004-88-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1004-84-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1052-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1052-54-0x0000000000B10000-0x0000000000B66000-memory.dmp

Filesize
344KB

Download
memory/1052-56-0x0000000000530000-0x0000000000554000-memory.dmp

Filesize
144KB

Download
memory/1600-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1600-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1600-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1600-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1600-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1600-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1600-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1736-94-0x0000000000C10000-0x0000000000C66000-memory.dmp

Filesize
344KB

Download
memory/1736-96-0x00000000003B0000-0x00000000003D4000-memory.dmp

Filesize
144KB

Download
memory/1768-74-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads