8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150

Analysis

max time kernel
47s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150.exe
Size

1.0MB
MD5

d606e3b524e7f7f8da05bb974598f5ed
SHA1

6f314d3636f3c2d6aef8e567e7ccd85715cca1d4
SHA256

8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150
SHA512

5a89063c991e26395a4e44990c0414384817a4d7494a73180340d9de3d50fafabb8591c9e57b6fd221c7d27136df379eb5176ecb7b92b03b6f21dd5c2f5657f1
SSDEEP

24576:v4I53/pmAQR2inrIfCkqMG+YyMJhESvAX+0:vZ53/gT2Z6r9mMDE8O+0

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
900	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1552	8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150.exe
1552	8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150.exe
900	svchost.exe
900	svchost.exe
900	svchost.exe
900	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe\" -noconnect"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "mIRC"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "mIRC"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe\" -noconnect"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
900	svchost.exe
900	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 900	1552	8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150.exe	26
PID 1552 wrote to memory of 900	1552	8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150.exe	26
PID 1552 wrote to memory of 900	1552	8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150.exe	26
PID 1552 wrote to memory of 900	1552	8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150.exe	26
PID 1552 wrote to memory of 900	1552	8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150.exe	26
PID 1552 wrote to memory of 900	1552	8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150.exe	26
PID 1552 wrote to memory of 900	1552	8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150.exe	26

C:\Users\Admin\AppData\Local\Temp\8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150.exe
"C:\Users\Admin\AppData\Local\Temp\8dc834a143dc37774beb33de60d39537646d2b21c60147c197ccad714f05a150.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\5yn.udp

Filesize
11KB

MD5
4eec3dfda17d55b0225ed99a8ec60579

SHA1
604c25a1440d4ba124b2af14bcf6759b2649ddcd

SHA256
c2c8adef327641ed4c7b53efef5785eb42c935c599d53b4518225b186b49faa6

SHA512
19dd48d2f4d8ef3802bc0f475b585eb5d499b623700e055f228fb4864636b3789bcc4d085282359a262f8ed1d0489233337cc701e95a2cc2d3bba35e3abd63a0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\bnc.txt

Filesize
6KB

MD5
94d8699f974bb65461f4e7459e696608

SHA1
7dc3be2f7bb9c0ee2b1e8370546531496327960f

SHA256
dab903e77142e482ed48e5139d9b41f16db873861424671b77c445efb97af3f0

SHA512
2347648e4f67519a170c01639a1beef6ae00f17b4d3f65df49f3c437404e964ca8711a2efbf2191bb8bc3df908ae21db6baa0ec8f555f4492bcc9ebccb12ddfb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\dwx.bb

Filesize
1KB

MD5
bfcbea52fd5bceae28bf72521ec216da

SHA1
1159e6fba5b02445250ced122f7a1a37aafc10bd

SHA256
b6576e1bc98c9d31f802597917f79d9b7234169eea1cd9920c64c33e458d03ae

SHA512
5e58bb725aed78845f4592d245251aaa1be5d362c631faf904b7181e6534d4db949e96b258a8f958a9e03547f33c1aa32d41dfe214a0284d7a594ba3987efe1e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\info.br

Filesize
285B

MD5
aefafa4024b7a5571d0d53005db1e20f

SHA1
12ff23219dc6e7bcfbe2855b47aaf70542b7a0e2

SHA256
1ff68562655fe5ff3614ce72cdc593948a81e1406418eba7424f9588daa75aad

SHA512
5480dc2e6b6ea2432975e8cfd72efd4cb42c858c0e4533ea6391569e4ef87b250852bc94dd5de0c70d86ad4556e53f31c82e774d69ab33ade9f83f839c5db328

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ipconfig.tcp

Filesize
1KB

MD5
dc858a77addc081979ac2afba7c2c51a

SHA1
0b3309626e77cb04389749bda6b4ce195c228893

SHA256
4227c32d9fb025248bfd50b089be30ef20171a821613ee0ffc911caff93e853c

SHA512
3a0cd1253e0522db87cb193f28ab695e30db6738d73b7a0bf08c5d81efdeffe783318141525a7b266e52fca0d36fce3f8ff3ca1b7731418d3cb4cc79e8bc3664

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mirc.ini

Filesize
3KB

MD5
ec82fa6ad36e5edbef72373bdafe4680

SHA1
376c280f15eb05b2ad788a5c3616dfd6b93ec69c

SHA256
48684079ebdbdcefa131e62e2f4c3d8269e061a19577ab53dd58cd5cf74d1ffe

SHA512
befbe6dcc7a9e4848f0b8047c05b0059ed67888d1cbe1b6efdd2962552758296c365615a7ac626561b6774b4aae1cbb0a2cb102e0a64f8882c28788bee57984b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\redaerps.due

Filesize
1KB

MD5
b8c3321a10eb4a9e40b7dd6e8a3b370a

SHA1
3b41944c058f7a467b486e72c2c195314bcbcb05

SHA256
0ec1ec344a90814bd0bc3ae6e0288e9bc245a59fdbd93a75a6419cf2af979ddd

SHA512
85cccb8f7eb745b242a5d139d679526030e5ed7c3b902b4e9ee6f0c6b47a40a1fd68750d7acc9753850bd7c7346193c40a9e7dda7db5319a5823f8b29924a9ca

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\redoolf.cc

Filesize
2KB

MD5
47e95ea8eacfe403ba5cd090c37b9ffd

SHA1
1fe9d5b72404277bc1ed12c8a006fb004a0206e9

SHA256
4c40df5360c2629123ab9ab6b45694a96417122d7de7177ab0ea4897f770cf03

SHA512
860675bac9d59b0eef03275626a26c7ab6fe58de4a275a32335a3c99cf6447629f3a7600648440be294aeb8d3764aa65ca33a29c99296a0caa357107d925a46e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\remote.ini

Filesize
15B

MD5
1e4248077d7b054a0d6907a9b6dbe025

SHA1
182af3a2ad57b4b7f08ba57310a43f22c8be481d

SHA256
4d40570ab7492efc32bc9021f288fcc70b0536ed058476a0767122571afad847

SHA512
c1d621609118ec55b0efa651e044bc8223de26fb02bf50b22bad3d154bcae20df1f56f13187f7a4e7859761cb3ace69c087b710be40929d2079552123b9c09cf

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\start.tgd

Filesize
4KB

MD5
99c52cfc81d0aaa8bdb1cf2318a784d6

SHA1
fea43f5b72c96c2b88ae9c57da9aa1056f5c9b01

SHA256
310ebd260318ecd04e72955f58e63315433cb343f33f63a682f18e19704378ca

SHA512
3b4a67ca39588c90ba3772a2ac889331b4eada4a70158ca949ae39756791e85cfe951321772423ed42580a1856caec9845fb4d7167878cac8c9f783604fc9094

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
1.7MB

MD5
87aef093d376004d478d3b2fa5558922

SHA1
90fa03e0a71f0e29c85bc76c5997001235791d9b

SHA256
e7dcc35179da44949cdabfa4a22e36bf5da6359cb0863e60ac56b72d54126f0c

SHA512
585d6d88c5dd5febab0a529aaa0b93ca8ee29f101f59bca904aeb4bcc23eb01d94a829998b714bab00bc211ad69e2b9c5bcd95334ebf0e2ac77aa2ad8d45113a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
1.7MB

MD5
87aef093d376004d478d3b2fa5558922

SHA1
90fa03e0a71f0e29c85bc76c5997001235791d9b

SHA256
e7dcc35179da44949cdabfa4a22e36bf5da6359cb0863e60ac56b72d54126f0c

SHA512
585d6d88c5dd5febab0a529aaa0b93ca8ee29f101f59bca904aeb4bcc23eb01d94a829998b714bab00bc211ad69e2b9c5bcd95334ebf0e2ac77aa2ad8d45113a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\systemac.dll

Filesize
28KB

MD5
2db18780ea5d7ff0d3cf0de32b844164

SHA1
d277db0b9f9374ce19eaba4aa82d4ae8dc5d3b11

SHA256
a5531baa8f74e3e6c46321c9c0add4b1de118887b16b91d29ca875a5b7bbabc2

SHA512
e0bedeb7497a104bc62162bfcb01b242685e550f5e3913b0eea8c715b25615de5c52dc0521fed84dc3ceb41dbb5b23d53af44654c91b66ee6e19a0d2d27e0a50

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
1.7MB

MD5
87aef093d376004d478d3b2fa5558922

SHA1
90fa03e0a71f0e29c85bc76c5997001235791d9b

SHA256
e7dcc35179da44949cdabfa4a22e36bf5da6359cb0863e60ac56b72d54126f0c

SHA512
585d6d88c5dd5febab0a529aaa0b93ca8ee29f101f59bca904aeb4bcc23eb01d94a829998b714bab00bc211ad69e2b9c5bcd95334ebf0e2ac77aa2ad8d45113a

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
1.7MB

MD5
87aef093d376004d478d3b2fa5558922

SHA1
90fa03e0a71f0e29c85bc76c5997001235791d9b

SHA256
e7dcc35179da44949cdabfa4a22e36bf5da6359cb0863e60ac56b72d54126f0c

SHA512
585d6d88c5dd5febab0a529aaa0b93ca8ee29f101f59bca904aeb4bcc23eb01d94a829998b714bab00bc211ad69e2b9c5bcd95334ebf0e2ac77aa2ad8d45113a

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
1.7MB

MD5
87aef093d376004d478d3b2fa5558922

SHA1
90fa03e0a71f0e29c85bc76c5997001235791d9b

SHA256
e7dcc35179da44949cdabfa4a22e36bf5da6359cb0863e60ac56b72d54126f0c

SHA512
585d6d88c5dd5febab0a529aaa0b93ca8ee29f101f59bca904aeb4bcc23eb01d94a829998b714bab00bc211ad69e2b9c5bcd95334ebf0e2ac77aa2ad8d45113a

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
1.7MB

MD5
87aef093d376004d478d3b2fa5558922

SHA1
90fa03e0a71f0e29c85bc76c5997001235791d9b

SHA256
e7dcc35179da44949cdabfa4a22e36bf5da6359cb0863e60ac56b72d54126f0c

SHA512
585d6d88c5dd5febab0a529aaa0b93ca8ee29f101f59bca904aeb4bcc23eb01d94a829998b714bab00bc211ad69e2b9c5bcd95334ebf0e2ac77aa2ad8d45113a

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
1.7MB

MD5
87aef093d376004d478d3b2fa5558922

SHA1
90fa03e0a71f0e29c85bc76c5997001235791d9b

SHA256
e7dcc35179da44949cdabfa4a22e36bf5da6359cb0863e60ac56b72d54126f0c

SHA512
585d6d88c5dd5febab0a529aaa0b93ca8ee29f101f59bca904aeb4bcc23eb01d94a829998b714bab00bc211ad69e2b9c5bcd95334ebf0e2ac77aa2ad8d45113a

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\systemac.dll

Filesize
28KB

MD5
2db18780ea5d7ff0d3cf0de32b844164

SHA1
d277db0b9f9374ce19eaba4aa82d4ae8dc5d3b11

SHA256
a5531baa8f74e3e6c46321c9c0add4b1de118887b16b91d29ca875a5b7bbabc2

SHA512
e0bedeb7497a104bc62162bfcb01b242685e550f5e3913b0eea8c715b25615de5c52dc0521fed84dc3ceb41dbb5b23d53af44654c91b66ee6e19a0d2d27e0a50

Download Submit
memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download