ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274

Analysis

max time kernel
159s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe
Size

1.2MB
MD5

3af20844064ec8b72b08180d09d27540
SHA1

8794f55c247a6a690a61f4f97aab6466bd692205
SHA256

ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274
SHA512

a20269872b0bb9e71eababe6261759742a987ee5d414643be6ace0b34451799d4ccf8c86687d8e781882a72ad3e85156b8a20740eb280213e5ada6b156d8d9f6
SSDEEP

24576:8OUb860NSG+uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuIuuuuuuuuuuuuuuuuuuV:B+8+uuuuuuuuuuuuuuuuuuuuuuuuuuuy

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	alg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lsass = "c:\\windows\\system\\alg.exe"	alg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\svchost.exe"	alg.exe

Executes dropped EXE 3 IoCs

pid	Process
1064	ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe
1968	alg.exe
1724	alg.exe

Loads dropped DLL 8 IoCs

pid	Process
1536	ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe
1536	ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe
1968	alg.exe
1968	alg.exe
1724	alg.exe
1724	alg.exe
1724	alg.exe
1724	alg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.aaa	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1064	1536	ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe	27
PID 1536 wrote to memory of 1064	1536	ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe	27
PID 1536 wrote to memory of 1064	1536	ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe	27
PID 1536 wrote to memory of 1064	1536	ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe	27
PID 1536 wrote to memory of 1968	1536	ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe	28
PID 1536 wrote to memory of 1968	1536	ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe	28
PID 1536 wrote to memory of 1968	1536	ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe	28
PID 1536 wrote to memory of 1968	1536	ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe	28
PID 1968 wrote to memory of 1724	1968	alg.exe	30
PID 1968 wrote to memory of 1724	1968	alg.exe	30
PID 1968 wrote to memory of 1724	1968	alg.exe	30
PID 1968 wrote to memory of 1724	1968	alg.exe	30
PID 1724 wrote to memory of 1164	1724	alg.exe	31
PID 1724 wrote to memory of 1164	1724	alg.exe	31
PID 1724 wrote to memory of 1164	1724	alg.exe	31
PID 1724 wrote to memory of 1164	1724	alg.exe	31
PID 1968 wrote to memory of 832	1968	alg.exe	34
PID 1968 wrote to memory of 832	1968	alg.exe	34
PID 1968 wrote to memory of 832	1968	alg.exe	34
PID 1968 wrote to memory of 832	1968	alg.exe	34

C:\Users\Admin\AppData\Local\Temp\ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe
"C:\Users\Admin\AppData\Local\Temp\ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\temp\ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe
  "C:\Windows\temp\ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe"
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\alg.exe
  "C:\Windows\alg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1968
- - \??\c:\windows\system\alg.exe
    c:\windows\system\alg.exe
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\temp\*.* /q /s
      4⤵
      PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\alg.exe > nul
    3⤵
    PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe

Filesize
787KB

MD5
021a14bd97067ec93909b7106803dda7

SHA1
61c92a89567070cd1e184798437a8c544597347a

SHA256
eaa33b91d3ac045ce9c2d6f5a8f748c056d374faf67d96d5c37d0e1ce4c3d12c

SHA512
50590c3b97d65df9817a05dabd16c8993af3ce281e77f4d27c22055c8ab6201ee5406dfe75ca83c3ab83fabbff5e71477db990010006035b1611396810e50153

Download Submit
C:\Windows\alg.exe

Filesize
410KB

MD5
cf74fc2ebee7f5bf7a0dd9718dabd072

SHA1
6adcc6f8b06531a25b403f8b37b4fe9eac93e2bc

SHA256
942d473e63ec9c02b241defe112cda14a2ddd11cc3ba9b30b1ac80494cb73c0e

SHA512
4b11e222f73b82b043778ba04867aedf7aab8f481f9a1269d4958a3fcaee8651009ad1adb0e52f7bc2c85d8cb161937ade268c7a369eb2287a2022056fc944ec

Download Submit
C:\Windows\alg.exe

Filesize
410KB

MD5
cf74fc2ebee7f5bf7a0dd9718dabd072

SHA1
6adcc6f8b06531a25b403f8b37b4fe9eac93e2bc

SHA256
942d473e63ec9c02b241defe112cda14a2ddd11cc3ba9b30b1ac80494cb73c0e

SHA512
4b11e222f73b82b043778ba04867aedf7aab8f481f9a1269d4958a3fcaee8651009ad1adb0e52f7bc2c85d8cb161937ade268c7a369eb2287a2022056fc944ec

Download Submit
C:\Windows\system\alg.exe

Filesize
410KB

MD5
cf74fc2ebee7f5bf7a0dd9718dabd072

SHA1
6adcc6f8b06531a25b403f8b37b4fe9eac93e2bc

SHA256
942d473e63ec9c02b241defe112cda14a2ddd11cc3ba9b30b1ac80494cb73c0e

SHA512
4b11e222f73b82b043778ba04867aedf7aab8f481f9a1269d4958a3fcaee8651009ad1adb0e52f7bc2c85d8cb161937ade268c7a369eb2287a2022056fc944ec

Download Submit
C:\Windows\temp\ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe

Filesize
787KB

MD5
021a14bd97067ec93909b7106803dda7

SHA1
61c92a89567070cd1e184798437a8c544597347a

SHA256
eaa33b91d3ac045ce9c2d6f5a8f748c056d374faf67d96d5c37d0e1ce4c3d12c

SHA512
50590c3b97d65df9817a05dabd16c8993af3ce281e77f4d27c22055c8ab6201ee5406dfe75ca83c3ab83fabbff5e71477db990010006035b1611396810e50153

Download Submit
\??\c:\windows\system\alg.exe

Filesize
410KB

MD5
cf74fc2ebee7f5bf7a0dd9718dabd072

SHA1
6adcc6f8b06531a25b403f8b37b4fe9eac93e2bc

SHA256
942d473e63ec9c02b241defe112cda14a2ddd11cc3ba9b30b1ac80494cb73c0e

SHA512
4b11e222f73b82b043778ba04867aedf7aab8f481f9a1269d4958a3fcaee8651009ad1adb0e52f7bc2c85d8cb161937ade268c7a369eb2287a2022056fc944ec

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\Windows\Temp\ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe

Filesize
787KB

MD5
021a14bd97067ec93909b7106803dda7

SHA1
61c92a89567070cd1e184798437a8c544597347a

SHA256
eaa33b91d3ac045ce9c2d6f5a8f748c056d374faf67d96d5c37d0e1ce4c3d12c

SHA512
50590c3b97d65df9817a05dabd16c8993af3ce281e77f4d27c22055c8ab6201ee5406dfe75ca83c3ab83fabbff5e71477db990010006035b1611396810e50153

Download Submit
\Windows\Temp\ef57202247d4b07c345a0f5eb3e17a64a465e7ae86ee670eb521750edfc24274.exe

Filesize
787KB

MD5
021a14bd97067ec93909b7106803dda7

SHA1
61c92a89567070cd1e184798437a8c544597347a

SHA256
eaa33b91d3ac045ce9c2d6f5a8f748c056d374faf67d96d5c37d0e1ce4c3d12c

SHA512
50590c3b97d65df9817a05dabd16c8993af3ce281e77f4d27c22055c8ab6201ee5406dfe75ca83c3ab83fabbff5e71477db990010006035b1611396810e50153

Download Submit
\Windows\system\alg.exe

Filesize
410KB

MD5
cf74fc2ebee7f5bf7a0dd9718dabd072

SHA1
6adcc6f8b06531a25b403f8b37b4fe9eac93e2bc

SHA256
942d473e63ec9c02b241defe112cda14a2ddd11cc3ba9b30b1ac80494cb73c0e

SHA512
4b11e222f73b82b043778ba04867aedf7aab8f481f9a1269d4958a3fcaee8651009ad1adb0e52f7bc2c85d8cb161937ade268c7a369eb2287a2022056fc944ec

Download Submit
\Windows\system\alg.exe

Filesize
410KB

MD5
cf74fc2ebee7f5bf7a0dd9718dabd072

SHA1
6adcc6f8b06531a25b403f8b37b4fe9eac93e2bc

SHA256
942d473e63ec9c02b241defe112cda14a2ddd11cc3ba9b30b1ac80494cb73c0e

SHA512
4b11e222f73b82b043778ba04867aedf7aab8f481f9a1269d4958a3fcaee8651009ad1adb0e52f7bc2c85d8cb161937ade268c7a369eb2287a2022056fc944ec

Download Submit
memory/1536-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download