cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419

Analysis

max time kernel
155s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
Size

148KB
MD5

475f7bfbdd649d939feb3982688e214f
SHA1

0a317fd6571db6e7770cf4084cdb3050f036e625
SHA256

cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419
SHA512

b2d9cca9c916bd556a3b1241aa09ae1ec3ca5000d7307d9d6946fb8243f76737e07f86011edb0e9bb0229445771fb2313b64b7a543c4d7950aa8ec0c665a1331
SSDEEP

1536:YvtawKCWgxdXv82Oj+P2YegT/CjgmeJs2wAj:Yv+Iv8tjkLegT/8gmeTj

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe

Loads dropped DLL 1 IoCs

pid	Process
1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
File opened for modification	C:\autorun.inf	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\func.dll	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9BD8CA53-E83F-4F3D-B47E-64F3EC08DC72}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{30125199-E203-493D-AB7C-4733C6B2EB81}.catalogItem	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\phpq.dll	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3108	sc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4916	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
736	taskkill.exe
900	taskkill.exe
4272	taskkill.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	736	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1880	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	75
PID 1512 wrote to memory of 1880	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	75
PID 1512 wrote to memory of 1880	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	75
PID 1512 wrote to memory of 2036	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	76
PID 1512 wrote to memory of 2036	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	76
PID 1512 wrote to memory of 2036	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	76
PID 1512 wrote to memory of 3928	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	77
PID 1512 wrote to memory of 3928	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	77
PID 1512 wrote to memory of 3928	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	77
PID 1512 wrote to memory of 1824	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	78
PID 1512 wrote to memory of 1824	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	78
PID 1512 wrote to memory of 1824	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	78
PID 1512 wrote to memory of 3036	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	80
PID 1512 wrote to memory of 3036	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	80
PID 1512 wrote to memory of 3036	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	80
PID 1512 wrote to memory of 3080	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	81
PID 1512 wrote to memory of 3080	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	81
PID 1512 wrote to memory of 3080	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	81
PID 3036 wrote to memory of 4272	3036	cmd.exe	89
PID 3036 wrote to memory of 4272	3036	cmd.exe	89
PID 3036 wrote to memory of 4272	3036	cmd.exe	89
PID 1824 wrote to memory of 900	1824	cmd.exe	88
PID 1824 wrote to memory of 900	1824	cmd.exe	88
PID 1824 wrote to memory of 900	1824	cmd.exe	88
PID 3080 wrote to memory of 736	3080	cmd.exe	87
PID 3080 wrote to memory of 736	3080	cmd.exe	87
PID 3080 wrote to memory of 736	3080	cmd.exe	87
PID 3928 wrote to memory of 3108	3928	cmd.exe	90
PID 3928 wrote to memory of 3108	3928	cmd.exe	90
PID 3928 wrote to memory of 3108	3928	cmd.exe	90
PID 1880 wrote to memory of 3140	1880	cmd.exe	91
PID 1880 wrote to memory of 3140	1880	cmd.exe	91
PID 1880 wrote to memory of 3140	1880	cmd.exe	91
PID 2036 wrote to memory of 3120	2036	cmd.exe	92
PID 2036 wrote to memory of 3120	2036	cmd.exe	92
PID 2036 wrote to memory of 3120	2036	cmd.exe	92
PID 1512 wrote to memory of 3880	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	94
PID 1512 wrote to memory of 3880	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	94
PID 1512 wrote to memory of 3880	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	94
PID 1512 wrote to memory of 4916	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	95
PID 1512 wrote to memory of 4916	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	95
PID 1512 wrote to memory of 4916	1512	cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe	95

C:\Users\Admin\AppData\Local\Temp\cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
"C:\Users\Admin\AppData\Local\Temp\cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows /e /p everyone:f
    3⤵
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    PID:3120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config ekrn start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\sc.exe
    sc config ekrn start= disabled
    3⤵
    - Launches sc.exe
    PID:3108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im ekrn.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ekrn.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im egui.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im egui.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im ScanFrm.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ScanFrm.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe func.dll, droqp
  2⤵
  PID:3880
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:4916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\func.dll

Filesize
37KB

MD5
f384de596b479af7460d2c683928bdb5

SHA1
bd51d3f1fa4d7b7bf6d3b26d5170e2356e9e01f5

SHA256
5a8e8691be891df1fa4ed90103f6f46e306c3349d3ad00b436ecd26de964d635

SHA512
1eb57475029ec482c33dae53f266dd6ab1b6b9d51628b7760218ce51faaba5f4a381769e1e5306a5aeadfa67d3b89e73f9b822bfbe1dd66441a8e6ff816c2809

Download Submit
C:\Windows\phpq.dll

Filesize
44KB

MD5
8a3559366a132dbcee7b52caf877f338

SHA1
b29b585789723848b5cd49b7a6f2dbef600ed7b3

SHA256
922d81604bf3edbac51ceeeb79f85384d81113418bc6fcf0fa025c0ce3f41fe0

SHA512
aa53fd48ef9a3281dc56a1eb59ccf82fbb9cb1291d89233541352066659c05fb9b158d1e542937c97def38597c0fe683c75320c747dd9a6f36c9e3fb1359fcdd

Download Submit
memory/1512-132-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1512-147-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads