Analysis

max time kernel:  11s
max time network: 140s
platform:         windows7_x64
resource:         win7-20220812-en
resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted:        27-09-2022 11:29

Static task:      static1
Behavioral task:  behavioral1
Sample:           9.27USDT·ַʵ.exe
Resource:         win7-20220812-en
General

Target:  9.27USDT·ַʵ.exe
Size:    36KB
MD5:     f03f5610257f8dd2968b516d74621b78
SHA1:    3da92c0ccbe7a331e1dfa7b870f2ad945aaa2045
SHA256:  fec33611d9bc68875811e7bbac111b2682512e16e4ca6ae0b2db774623978cf2
SHA512:  fed52e5ad9388fbf4c813801bce31f1f9adf39572ec970871d36b92836e27a62329af3b277e58c815a19460bbfaef3c4f45cb70d6aefe798c660cdc803ef142b
SSDEEP:  192:600maRBUda7n9JlU2g1jJMOEyKbIYymt5XTtEyKihoynKwHLHTgH9N2tpgRmd8MS:609Bdq9JGqO+NxhjAdN2tpgwd5ASc
Malware Config
Signatures

UAC bypass  [signature heading missing from the extracted page; name taken from the process tree below]
Processes:
  description      ioc                                                                                                   process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    9.27USDT·ַʵ.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        9.27USDT·ַʵ.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   9.27USDT·ַʵ.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    9.27USDT·ַʵ.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        9.27USDT·ַʵ.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   9.27USDT·ַʵ.exe

Downloads MZ/PE file

Executes dropped EXE  4 IoCs
Processes:
  pid   process
  1468  k4.exe
  1484  k4.exe
  1468  k4.exe
  1484  k4.exe

Loads dropped DLL  4 IoCs
Processes:
  pid   process
  1980  9.27USDT·ַʵ.exe
  1980  9.27USDT·ַʵ.exe
  1980  9.27USDT·ַʵ.exe
  1980  9.27USDT·ַʵ.exe

Checks whether UAC is enabled  [signature heading missing from the extracted page; name taken from the process tree below]
Processes:
  description      ioc                                                                                 process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  9.27USDT·ַʵ.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  9.27USDT·ַʵ.exe

Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken  2 IoCs
Processes:
  description                   pid   process
  Token: SeLoadDriverPrivilege  1484  k4.exe
  Token: SeLoadDriverPrivilege  1484  k4.exe

Suspicious use of SetWindowsHookEx  4 IoCs
Processes:
  pid   process
  1980  9.27USDT·ַʵ.exe
  1980  9.27USDT·ַʵ.exe
  1980  9.27USDT·ַʵ.exe
  1980  9.27USDT·ַʵ.exe

Suspicious use of WriteProcessMemory  16 IoCs
Processes:
  description                       pid   process            target process
  PID 1980 wrote to memory of 1468  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1468  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1468  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1468  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1484  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1484  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1484  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1484  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1468  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1468  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1468  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1468  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1484  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1484  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1484  1980  9.27USDT·ַʵ.exe  k4.exe
  PID 1980 wrote to memory of 1484  1980  9.27USDT·ַʵ.exe  k4.exe

System policy modification  1 TTPs  6 IoCs
Processes:
  description      ioc                                                                                                   process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   9.27USDT·ַʵ.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    9.27USDT·ַʵ.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        9.27USDT·ַʵ.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   9.27USDT·ַʵ.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    9.27USDT·ַʵ.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        9.27USDT·ַʵ.exe
Processes

C:\Users\Admin\AppData\Local\Temp\9.27USDT·ַʵ.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\9.27USDT·ַʵ.exe"
  - UAC bypass
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Users\Public\Documents\k4.exe  (depth 2)
    command line: C:/Users/Public/Documents/k4.exe
    - Executes dropped EXE

  C:\Users\Public\Documents\k4.exe  (depth 2)
    command line: C:/Users/Public/Documents/k4.exe /D
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (depth 2)
    command line: cmd.exe /c taskkill /f /t /im k4.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\Documents\k4.exe
  Filesize: 892KB
  MD5:      33e29221e2825001d32f78632217d250
  SHA1:     9122127fc91790a1edb78003e9b58a9b00355ed5
  SHA256:   65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
  SHA512:   01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
\Users\Public\Documents\RDSv1.dll
  Filesize: 24KB
  MD5:      c68a7ddbed2cd20279b87e733c9008db
  SHA1:     eef926d0069c9b54e609302b64267d4721f8ea7a
  SHA256:   7e05127f15bb1967ca4598d9fa8a4c7867b1658b684e50874a9513e4ff23ee53
  SHA512:   db21961744b62f0a772c7bd309592898630deeb1a18e79c3b289e5d187521cfdcc37e4a6a18149a697ddff7c121ec6f73685a8dce8e1181552558947d13e83bf

\Users\Public\Documents\k4.exe
  Filesize: 892KB
  MD5:      33e29221e2825001d32f78632217d250
  SHA1:     9122127fc91790a1edb78003e9b58a9b00355ed5
  SHA256:   65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
  SHA512:   01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

memory/1468-59-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp
  Filesize: 8KB

memory/1468-57-0x0000000000000000-mapping.dmp

memory/1484-61-0x0000000000000000-mapping.dmp

memory/1980-54-0x00000000756B1000-0x00000000756B3000-memory.dmp
  Filesize: 8KB