Analysis
-
max time kernel
108s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
19/09/2022, 16:14
General
-
Target
5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
-
Size
135KB
-
MD5
7813e5030b0092e14d1fb0209ce922ec
-
SHA1
2f8b63c5084acdeb7d96c1c26a71aef2cdaa0694
-
SHA256
5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181
-
SHA512
eb7f0c0853312973ee8faa86f5b4d50d0ac102ddf5a0d177eff2ced87ca99a5f99af5880a3f469361fc5e0b9c2e834da04f5dd92db69b1389c008ac1c417e238
-
SSDEEP
3072:WwxVMhOC/dTDbq91+mno3t4QZQ3rfvlJk7xFRaSG2yQM:WTfFDbRnOTrf9JyS52c
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 45 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe"C:\Users\Admin\AppData\Local\Temp\5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\5y.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WINDOWS\system32\hao.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeReg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exeReg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\TmpInf.inf4⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r5⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\╫└├µ\*.lnk" /p everyone:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\╫└├µ\*.url" /p everyone:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Documents and Settings\All Users\╫└├µ\*.lnk" /p everyone:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Documents and Settings\All Users\╫└├µ\*.url" /p everyone:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk" /p everyone:f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.url" /p everyone:f4⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://www.7802.com/index1.html4⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.7802.com/index1.html5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:284 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://fzlsisi.com/fenlei.htm4⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://fzlsisi.com/fenlei.htm5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\╫└├µ\Internet Expleror.lnk" +R +S4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk" +R +S4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\═°╓╖╓«╝╥.lnk" +R +S4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\╫└├µ\╠╘▒ª╣║╬∩.lnk" +R +S4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\╫└├µ\├Γ╖╤╡τ╙░.lnk" +R +S4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\╫└├µ\╨í╙╬╧╖.lnk" +R +S4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\╠╘▒ª╣║╬∩.lnk" +R +S4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\├Γ╖╤╡τ╙░.lnk" +R +S4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\╨í╙╬╧╖.lnk" +R +S4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\╫└├µ\Internet Expleror.lnk" /p everyone:R4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Expleror Σ»└└╞≈.lnk" /p everyone:R4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╨í╙╬╧╖.lnk" /p everyone:R4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\├Γ╖╤╡τ╙░.lnk" /p everyone:R4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\╫└├µ\╨í╙╬╧╖.lnk" /p everyone:R4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\╫└├µ\╠╘▒ª╣║╬∩.lnk" /p everyone:R4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\Internet Expleror.lnk" /p everyone:R4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\╨í╙╬╧╖.lnk" /p everyone:R4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\├Γ╖╤╡τ╙░.lnk" /p everyone:R4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
58B
MD5ef482bb78b8fff6cf20ec2ff9a677a93
SHA17613c5c62b89e63dc686c0f4007c4a77a4a77335
SHA2567fc3b374408af4dac1e4c39fc1218c98cb692241fd2a753ed169627e70f1536d
SHA512b4f00ef86cf8fa09517eb09d16d448d45363b87973fe346b3b6b6e9c3c41e087ede8c1a9aa0934fc1abd4d0fb01b853ec501c3bca5483a539c8d28607fd45166
-
Filesize
60KB
MD56c6a24456559f305308cb1fb6c5486b3
SHA13273ac27d78572f16c3316732b9756ebc22cb6ed
SHA256efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973
SHA512587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4
-
Filesize
344B
MD5214176395573a10a905df624f09758fc
SHA1df1d57286b49fbab6610d7d3d02ae5c449b5e130
SHA256a9acb752f9429ddc02b8af082f57a374934e222f0614978837ae276c33801fde
SHA512912104535ff0fbc05b0daeae7241506f4d1dd267a664c8c0e917eb5c633bcd273d21607b3a326bc377b7c0d6a02e7c1b7f586b70158f47ea96c8f5273480ea6b
-
Filesize
4KB
MD5318e082f2a34a034c969189043048249
SHA164ffa066043e08de3c44565f98cefebfb033bf57
SHA2563bf5f121f2340901655ceae48eec1c9a56bd046b8b31a690232018769fcd95f2
SHA512a0f77a75de85baab33698653d4956c431b658a1346b35df70de225b9efb6fdf43dbddcba84970c5a2a3cc77ad3b590b66f8076119d5208bb0f21856fecf91d3c
-
Filesize
3KB
MD5b0b637ce991fc2e0088e20e3e5270e54
SHA118d595e2d50a723a7a78f4683b64be210a15ab6f
SHA25633a2ba3fc66983448fc4428c2250bb21e990802a8c2ad6341d185c7683f49126
SHA51217283c774057e15c5fd93916e8e6a45613ebfeca2c12750e94739b6aa8bcc6f3973b14600f40338a73390b3ef5d4629ed4429335a872e448e066336005ba1bf0
-
Filesize
606B
MD5e9d4165495c90f14e3f37a3f7da96100
SHA15396a61ccc3d8d3f5e707d311fab6331e6d59947
SHA2562dae621d6ff5a0bc912868047d9f5f22bd2ea68132e312bf4c827476110e7493
SHA51284da65778538dbe39840941399994c2c311433a623714d063307bfe5b1d908ef723dee998ac0422d0a17888530e5cff46bb8968832ad3c626985cbec78e451db
-
Filesize
800B
MD5a3ab5b82d1e6714262bc167f130045c5
SHA194998582d6029b0539b26dcecd2b1050dfcc9d12
SHA2565a0e9a8d8944168ae9afe2d3b50268c83f19f541d33bd6c71c2cd2ed4eea2e17
SHA5121c2c7a4830072cd3625ef291b6b013e3445eed7feb91f54a51eb7b6e776061f8f2df15c60f658dacad72f646f19b384777db2ccd2f164d6682d498e978671d28
-
Filesize
1KB
MD591cc4989f6d5a642533dfb150f97dadc
SHA161bb275bc5645e131145e4ff57c8175f9669e03c
SHA25684c894e082fd9c8129332a0a516fe8e945b815ee796e801aac80533bd3897821
SHA512d96205dae2feadfbd9e0029a9f097d5515fa5a9aca56811053f1faddf2631cd08152224d84e21fb27be18571891a296dda915cf615aff985ebb12228ed6ad1b5
-
Filesize
5KB
MD564e9d4f8cd396c5b7dd0084d6c0619c5
SHA10a6e405b7d0092b1bd671c973980f8bb482201ce
SHA2565302208aa85b805180cf7becb7d180f1d5729bcee241b543904be3e3eb2c0189
SHA512e57c797e75baf5b387f92dbc5d46e92bd9d0709ea2aa5b70537b67006244ab56446b717b013a05cdf48d19d39150fac7003ab1f76e2c59458f451e352598fe3e
-
Filesize
2KB
MD51ea9a74910e8916e5009aa50da3cf7ea
SHA10953ae0f63d2c65343a7fdade9a767c70b32ffd7
SHA25697c76777fdbe48fb0ad555fa26c7f82fceec059b3f7605c14bc23573fd012f35
SHA5120290082a7dfd1beed055be1e46c667d5ddb1311c2feb8139dd686dd38d5eb6025b673988613918f7c8eeb73d37439bcf7407911e6d9a13a42fa91239ae8a150b
-
Filesize
800B
MD5a3ab5b82d1e6714262bc167f130045c5
SHA194998582d6029b0539b26dcecd2b1050dfcc9d12
SHA2565a0e9a8d8944168ae9afe2d3b50268c83f19f541d33bd6c71c2cd2ed4eea2e17
SHA5121c2c7a4830072cd3625ef291b6b013e3445eed7feb91f54a51eb7b6e776061f8f2df15c60f658dacad72f646f19b384777db2ccd2f164d6682d498e978671d28
-
Filesize
949B
MD518a02e96e6f8060796b4d5f3772c9e9b
SHA18bbcefd7ef25b865bf94461c42f553154bb4698f
SHA256864c6e35c52d56146166a8a9bdadb011b04198cc179b6b1902f9f05ae8ab8a26
SHA5124697774150a929dac6c34e1cde3ef9a6f1ee6711c1e16b068768dfdd03b21664377cd6f54ff7f8b8c92e9379b9bb3817c354c1ab061c64ffe49b76ecd606ccef
-
Filesize
945B
MD5a8e22b6219720d3fab60fc8b96f8c24f
SHA1c1892837d5ccd6dcb3bd4f45aa353b430313a86a
SHA256ca149ca1e50c55155c410e0609b8cea09442dc153d33c9d1682eaa8519d1e89b
SHA512d96706fa4883962d35c7cd89234940fb10304eba14746454f85c09b3233d7ba71ad462ac4c4333a50eed2ebc6d29c12076d3d0b4f74656fca0d27f01a8f164d1
-
Filesize
1KB
MD591cc4989f6d5a642533dfb150f97dadc
SHA161bb275bc5645e131145e4ff57c8175f9669e03c
SHA25684c894e082fd9c8129332a0a516fe8e945b815ee796e801aac80533bd3897821
SHA512d96205dae2feadfbd9e0029a9f097d5515fa5a9aca56811053f1faddf2631cd08152224d84e21fb27be18571891a296dda915cf615aff985ebb12228ed6ad1b5
-
Filesize
1KB
MD5586858afd4ab25de0f002a9f046f1b66
SHA18b713dcaf0818194efa47e821c75f07a2abc406b
SHA25649a14034c6e670acf765ac34a6066b5c92d7dd841848d8a9ac430f00f58609bd
SHA5120f13c8ba1f1f8863c2e04a0c1d5aa0688bbf985def8bcdbd154b9cc5ef9e9653b9fdea332726d28cc505ddf72d45c326cc8fa5c683f9087b54055252059a0414
-
Filesize
8KB