ea991d0beb97bb2c89a534732e2d31f2148b93fa0f16b89bc740ce90f7dc0e4a

Analysis

max time kernel
172s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 14:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea991d0beb97bb2c89a534732e2d31f2148b93fa0f16b89bc740ce90f7dc0e4a.exe
Size

5.7MB
MD5

87b759cfcd3a08da1994bb4547550653
SHA1

7f528a4a187f051de843358596253e9e03e1accb
SHA256

ea991d0beb97bb2c89a534732e2d31f2148b93fa0f16b89bc740ce90f7dc0e4a
SHA512

5dd5a2dba6479dfc32674eccf552c21554482db23f2b906075755dc3007dba1c6bb3a78650f8a4abc31d1fa1055b7467cc8aee423c424c536caefc4b34b24457
SSDEEP

98304:tWICBaok3er2UVOPXG5gMbR5jiFmRaDNTZMXrf9ufsPwCv17o8/NhvLgPHeY94Mp:tsBaK2U4PWgwR5jisRs+VuUPwCv1UgNO

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1824	is158887.exe
4876	kgb_setup_421.exe
2440	is-2SKEH.tmp

Loads dropped DLL 4 IoCs

pid	Process
1824	is158887.exe
2136	rundll32.exe
2440	is-2SKEH.tmp
2440	is-2SKEH.tmp

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\yaYOgDwt.dll,#1"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ea991d0beb97bb2c89a534732e2d31f2148b93fa0f16b89bc740ce90f7dc0e4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ea991d0beb97bb2c89a534732e2d31f2148b93fa0f16b89bc740ce90f7dc0e4a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\iifETNhE.dll	is158887.exe
File created	C:\Windows\SysWOW64\iifETNhE.dll	is158887.exe
File created	C:\Windows\SysWOW64\yaYOgDwt.dll	is158887.exe
File opened for modification	C:\Windows\SysWOW64\yaYOgDwt.dll	is158887.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03E3D45B-681C-481C-B6A3-0D08B12C4AB9}\InprocServer32\ThreadingModel = "Both"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03E3D45B-681C-481C-B6A3-0D08B12C4AB9}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03E3D45B-681C-481C-B6A3-0D08B12C4AB9}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03E3D45B-681C-481C-B6A3-0D08B12C4AB9}\InprocServer32\ = "C:\\Windows\\SysWow64\\yaYOgDwt.dll"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1824	is158887.exe
1824	is158887.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	is158887.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1824	is158887.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1824	2596	ea991d0beb97bb2c89a534732e2d31f2148b93fa0f16b89bc740ce90f7dc0e4a.exe	80
PID 2596 wrote to memory of 1824	2596	ea991d0beb97bb2c89a534732e2d31f2148b93fa0f16b89bc740ce90f7dc0e4a.exe	80
PID 2596 wrote to memory of 1824	2596	ea991d0beb97bb2c89a534732e2d31f2148b93fa0f16b89bc740ce90f7dc0e4a.exe	80
PID 1824 wrote to memory of 608	1824	is158887.exe	7
PID 1824 wrote to memory of 2136	1824	is158887.exe	83
PID 1824 wrote to memory of 2136	1824	is158887.exe	83
PID 1824 wrote to memory of 2136	1824	is158887.exe	83
PID 1824 wrote to memory of 2024	1824	is158887.exe	84
PID 1824 wrote to memory of 2024	1824	is158887.exe	84
PID 1824 wrote to memory of 2024	1824	is158887.exe	84
PID 2596 wrote to memory of 4876	2596	ea991d0beb97bb2c89a534732e2d31f2148b93fa0f16b89bc740ce90f7dc0e4a.exe	85
PID 2596 wrote to memory of 4876	2596	ea991d0beb97bb2c89a534732e2d31f2148b93fa0f16b89bc740ce90f7dc0e4a.exe	85
PID 2596 wrote to memory of 4876	2596	ea991d0beb97bb2c89a534732e2d31f2148b93fa0f16b89bc740ce90f7dc0e4a.exe	85
PID 4876 wrote to memory of 2440	4876	kgb_setup_421.exe	87
PID 4876 wrote to memory of 2440	4876	kgb_setup_421.exe	87
PID 4876 wrote to memory of 2440	4876	kgb_setup_421.exe	87

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\ea991d0beb97bb2c89a534732e2d31f2148b93fa0f16b89bc740ce90f7dc0e4a.exe
"C:\Users\Admin\AppData\Local\Temp\ea991d0beb97bb2c89a534732e2d31f2148b93fa0f16b89bc740ce90f7dc0e4a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is158887.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is158887.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\system32\yaYOgDwt.dll,a
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\removalfile.bat "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is158887.exe"
    3⤵
    PID:2024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kgb_setup_421.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kgb_setup_421.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\is-RPEG7.tmp\is-2SKEH.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RPEG7.tmp\is-2SKEH.tmp" /SL4 $B01D4 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kgb_setup_421.exe" 5538907 52736
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is158887.exe

Filesize
33KB

MD5
0f6f1d0ba0c13edf84ab72aac2a6c4f2

SHA1
1e4e3a4574ae2fe7565e5e6c0d8713ab1b0343b6

SHA256
88c4d6cefaa7873361aa80a66ae71d61ad71d65a8d3151089505abd11b762c71

SHA512
07b427e3cd06910088ed9a2b16032246e4fc8740dd9e7ae75af34a00b5183c002043c46fd52011b41fcac6cb27cc9c02e56b78a6ab60721cafb814d093c9901e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is158887.exe

Filesize
33KB

MD5
0f6f1d0ba0c13edf84ab72aac2a6c4f2

SHA1
1e4e3a4574ae2fe7565e5e6c0d8713ab1b0343b6

SHA256
88c4d6cefaa7873361aa80a66ae71d61ad71d65a8d3151089505abd11b762c71

SHA512
07b427e3cd06910088ed9a2b16032246e4fc8740dd9e7ae75af34a00b5183c002043c46fd52011b41fcac6cb27cc9c02e56b78a6ab60721cafb814d093c9901e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kgb_setup_421.exe

Filesize
5.6MB

MD5
bf1028f7deec090b3074f0bf7ddfb799

SHA1
9764e4400df757abb43808fbc29b42b99bfcce9c

SHA256
4057712e07b99b1faef03be75c63f447f8ed483ee81de6ed03bda65be5fe4c0f

SHA512
dfe763ed0a70ad766f98b4f1a094fc18f12f5966abbfc2e63ec45af743ab70b38ebb848862f01bf389627fce0f8b5ccd6f2c6f846547aa3e99dea6ef9d3e98af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kgb_setup_421.exe

Filesize
5.6MB

MD5
bf1028f7deec090b3074f0bf7ddfb799

SHA1
9764e4400df757abb43808fbc29b42b99bfcce9c

SHA256
4057712e07b99b1faef03be75c63f447f8ed483ee81de6ed03bda65be5fe4c0f

SHA512
dfe763ed0a70ad766f98b4f1a094fc18f12f5966abbfc2e63ec45af743ab70b38ebb848862f01bf389627fce0f8b5ccd6f2c6f846547aa3e99dea6ef9d3e98af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PQ73M.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PQ73M.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RPEG7.tmp\is-2SKEH.tmp

Filesize
659KB

MD5
a3f52b5725fbb69b7ce97e1f59e2becf

SHA1
385b8a328fdf19d32b0ff05c970348f5c67446fd

SHA256
f44e83482ab39151da7f839ea90fffb08b026df5e8e238f923827e818cdcb1b0

SHA512
dfcfc641bee2e97e347b17c1be236b256e9a46fe7ae9e41d4c9b8e23e6b5e632d4eaac97456268c5550dacbf2dea46ee42fdfd9c4d366c9b63044ae3e63e92de

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RPEG7.tmp\is-2SKEH.tmp

Filesize
659KB

MD5
a3f52b5725fbb69b7ce97e1f59e2becf

SHA1
385b8a328fdf19d32b0ff05c970348f5c67446fd

SHA256
f44e83482ab39151da7f839ea90fffb08b026df5e8e238f923827e818cdcb1b0

SHA512
dfcfc641bee2e97e347b17c1be236b256e9a46fe7ae9e41d4c9b8e23e6b5e632d4eaac97456268c5550dacbf2dea46ee42fdfd9c4d366c9b63044ae3e63e92de

Download Submit
C:\Users\Admin\AppData\Local\Temp\removalfile.bat

Filesize
43B

MD5
9a7ef09167a6f4433681b94351509043

SHA1
259b1375ed8e84943ca1d42646bb416325c89e12

SHA256
d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7

SHA512
96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df

Download Submit
C:\Windows\SysWOW64\iifETNhE.dll

Filesize
25KB

MD5
1892bd61cb45623d0a3a85458d75e474

SHA1
599f01819e1b902c0f89a0f122685a32b4c3010c

SHA256
9ff8856ace379699847a0ac0f08af60ae824fa7154d494afa84133889a934e9d

SHA512
99f1f16999f2fead93d784258a9463b7de2ff7a300679a0b1278986a277e7276f43dceb4a4af3e25ffb1c0d0ae5cba8957bb51c8ad70f841eb6868f0b4583c30

Download Submit
C:\Windows\SysWOW64\yaYOgDwt.dll

Filesize
25KB

MD5
1892bd61cb45623d0a3a85458d75e474

SHA1
599f01819e1b902c0f89a0f122685a32b4c3010c

SHA256
9ff8856ace379699847a0ac0f08af60ae824fa7154d494afa84133889a934e9d

SHA512
99f1f16999f2fead93d784258a9463b7de2ff7a300679a0b1278986a277e7276f43dceb4a4af3e25ffb1c0d0ae5cba8957bb51c8ad70f841eb6868f0b4583c30

Download Submit
C:\Windows\SysWOW64\yaYOgDwt.dll

Filesize
25KB

MD5
1892bd61cb45623d0a3a85458d75e474

SHA1
599f01819e1b902c0f89a0f122685a32b4c3010c

SHA256
9ff8856ace379699847a0ac0f08af60ae824fa7154d494afa84133889a934e9d

SHA512
99f1f16999f2fead93d784258a9463b7de2ff7a300679a0b1278986a277e7276f43dceb4a4af3e25ffb1c0d0ae5cba8957bb51c8ad70f841eb6868f0b4583c30

Download Submit
memory/1824-140-0x0000000010001000-0x0000000010010000-memory.dmp

Filesize
60KB

Download
memory/1824-135-0x0000000000401000-0x000000000040E000-memory.dmp

Filesize
52KB

Download
memory/1824-136-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1824-147-0x0000000000030000-0x0000000000037000-memory.dmp

Filesize
28KB

Download
memory/1824-146-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1824-145-0x0000000002A30000-0x0000000002ABD000-memory.dmp

Filesize
564KB

Download
memory/1824-137-0x0000000000030000-0x0000000000037000-memory.dmp

Filesize
28KB

Download
memory/1824-139-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1824-148-0x0000000002A30000-0x0000000002ABD000-memory.dmp

Filesize
564KB

Download
memory/2136-157-0x0000000010001000-0x0000000010010000-memory.dmp

Filesize
60KB

Download
memory/2136-156-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2136-168-0x0000000000560000-0x0000000000565000-memory.dmp

Filesize
20KB

Download
memory/2136-169-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2136-171-0x0000000000560000-0x0000000000565000-memory.dmp

Filesize
20KB

Download
memory/2440-174-0x00000000047E1000-0x00000000047E3000-memory.dmp

Filesize
8KB

Download
memory/4876-158-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4876-170-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download