Analysis
- max time kernel: 157s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/10/2022, 21:43
Static task: static1
Behavioral task: behavioral1
- Sample: 3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe
- Resource: win10v2004-20220812-en
General
- Target: 3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe
- Size: 12.3MB
- MD5: 539f578b64798adbc2e7fd533ab5f3df
- SHA1: 584787deede001f3ea3de929fa179dc0d1779e16
- SHA256: 3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530
- SHA512: 388f9930653152fc7108ef842782355188415069737287c9a8bff4f595da6cd112ef3c471cd44f1463be3d8edddcdb6868a99743ca72775cd921cdd643e7dceb
- SSDEEP: 196608:dog5iYnsuJhm2ftgF2X+AsIBDcNQlKnLGWcNNsQb2xd9fY61bHEoQebtG:dog5iYnsuzm217hALGWONsQiLlOeU
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid  Process
  Token: SeShutdownPrivilege           304  msiexec.exe
  Token: SeIncreaseQuotaPrivilege      304  msiexec.exe
  Token: SeRestorePrivilege            732  msiexec.exe
  Token: SeTakeOwnershipPrivilege      732  msiexec.exe
  Token: SeSecurityPrivilege           732  msiexec.exe
  Token: SeCreateTokenPrivilege        304  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege 304  msiexec.exe
  Token: SeLockMemoryPrivilege         304  msiexec.exe
  Token: SeIncreaseQuotaPrivilege      304  msiexec.exe
  Token: SeMachineAccountPrivilege     304  msiexec.exe
  Token: SeTcbPrivilege                304  msiexec.exe
  Token: SeSecurityPrivilege           304  msiexec.exe
  Token: SeTakeOwnershipPrivilege      304  msiexec.exe
  Token: SeLoadDriverPrivilege         304  msiexec.exe
  Token: SeSystemProfilePrivilege      304  msiexec.exe
  Token: SeSystemtimePrivilege         304  msiexec.exe
  Token: SeProfSingleProcessPrivilege  304  msiexec.exe
  Token: SeIncBasePriorityPrivilege    304  msiexec.exe
  Token: SeCreatePagefilePrivilege     304  msiexec.exe
  Token: SeCreatePermanentPrivilege    304  msiexec.exe
  Token: SeBackupPrivilege             304  msiexec.exe
  Token: SeRestorePrivilege            304  msiexec.exe
  Token: SeShutdownPrivilege           304  msiexec.exe
  Token: SeDebugPrivilege              304  msiexec.exe
  Token: SeAuditPrivilege              304  msiexec.exe
  Token: SeSystemEnvironmentPrivilege  304  msiexec.exe
  Token: SeChangeNotifyPrivilege       304  msiexec.exe
  Token: SeRemoteShutdownPrivilege     304  msiexec.exe
  Token: SeUndockPrivilege             304  msiexec.exe
  Token: SeSyncAgentPrivilege          304  msiexec.exe
  Token: SeEnableDelegationPrivilege   304  msiexec.exe
  Token: SeManageVolumePrivilege       304  msiexec.exe
  Token: SeImpersonatePrivilege        304  msiexec.exe
  Token: SeCreateGlobalPrivilege       304  msiexec.exe
  Token: SeShutdownPrivilege           892  msiexec.exe
  Token: SeIncreaseQuotaPrivilege      892  msiexec.exe
  Token: SeCreateTokenPrivilege        892  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege 892  msiexec.exe
  Token: SeLockMemoryPrivilege         892  msiexec.exe
  Token: SeIncreaseQuotaPrivilege      892  msiexec.exe
  Token: SeMachineAccountPrivilege     892  msiexec.exe
  Token: SeTcbPrivilege                892  msiexec.exe
  Token: SeSecurityPrivilege           892  msiexec.exe
  Token: SeTakeOwnershipPrivilege      892  msiexec.exe
  Token: SeLoadDriverPrivilege         892  msiexec.exe
  Token: SeSystemProfilePrivilege      892  msiexec.exe
  Token: SeSystemtimePrivilege         892  msiexec.exe
  Token: SeProfSingleProcessPrivilege  892  msiexec.exe
  Token: SeIncBasePriorityPrivilege    892  msiexec.exe
  Token: SeCreatePagefilePrivilege     892  msiexec.exe
  Token: SeCreatePermanentPrivilege    892  msiexec.exe
  Token: SeBackupPrivilege             892  msiexec.exe
  Token: SeRestorePrivilege            892  msiexec.exe
  Token: SeShutdownPrivilege           892  msiexec.exe
  Token: SeDebugPrivilege              892  msiexec.exe
  Token: SeAuditPrivilege              892  msiexec.exe
  Token: SeSystemEnvironmentPrivilege  892  msiexec.exe
  Token: SeChangeNotifyPrivilege       892  msiexec.exe
  Token: SeRemoteShutdownPrivilege     892  msiexec.exe
  Token: SeUndockPrivilege             892  msiexec.exe
  Token: SeSyncAgentPrivilege          892  msiexec.exe
  Token: SeEnableDelegationPrivilege   892  msiexec.exe
  Token: SeManageVolumePrivilege       892  msiexec.exe
  Token: SeImpersonatePrivilege        892  msiexec.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid  Process
  892  msiexec.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 1344 wrote to memory of 672      1344  3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe  26
  PID 1344 wrote to memory of 672      1344  3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe  26
  PID 1344 wrote to memory of 672      1344  3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe  26
  PID 1344 wrote to memory of 672      1344  3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe  26
  PID 1344 wrote to memory of 672      1344  3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe  26
  PID 1344 wrote to memory of 672      1344  3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe  26
  PID 1344 wrote to memory of 672      1344  3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe  26
  PID 672 wrote to memory of 304       672   cmd.exe                                                                   28
  PID 672 wrote to memory of 304       672   cmd.exe                                                                   28
  PID 672 wrote to memory of 304       672   cmd.exe                                                                   28
  PID 672 wrote to memory of 304       672   cmd.exe                                                                   28
  PID 672 wrote to memory of 304       672   cmd.exe                                                                   28
  PID 672 wrote to memory of 304       672   cmd.exe                                                                   28
  PID 672 wrote to memory of 304       672   cmd.exe                                                                   28
  PID 672 wrote to memory of 892       672   cmd.exe                                                                   30
  PID 672 wrote to memory of 892       672   cmd.exe                                                                   30
  PID 672 wrote to memory of 892       672   cmd.exe                                                                   30
  PID 672 wrote to memory of 892       672   cmd.exe                                                                   30
  PID 672 wrote to memory of 892       672   cmd.exe                                                                   30
  PID 672 wrote to memory of 892       672   cmd.exe                                                                   30
  PID 672 wrote to memory of 892       672   cmd.exe                                                                   30
Processes
- C:\Users\Admin\AppData\Local\Temp\3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe"
  PID: 1344
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c .\Setup.bat
    PID: 672
    Signatures: Suspicious use of WriteProcessMemory
    - C:\WINDOWS\SysWOW64\msiexec.exe
      Command line: C:\WINDOWS\system32\msiexec.exe /x {0F42CE41-25C8-43E8-878E-61C5D0B1BB00} /quiet
      PID: 304
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7zSB2AD.tmp\GeitRADllCom.msi" /passive
      PID: 892
      Signatures: Suspicious use of AdjustPrivilegeToken, Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 732
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 968
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 10.6MB
  MD5: ed46088ab1bab6ceffe89cc640419cd6
  SHA1: 57f0157430f30fc6acad4e8c910315baa6aef9b6
  SHA256: a3b3ce84787711f2614703957bcdc1e2b830246be192f004c0b9afea02ff0061
  SHA512: 90dff963460082bfcb91f091c2f9643073ac224a89538b5388f3a586bbae1b3dda4890c9734b92b23ed5308ce1291dd553a8403994c4fccddad7408938d48c3b
- Filesize: 644B
  MD5: 42b2c59f4007d67d69fc0564177b4867
  SHA1: 9f03b8eee97fa731d3e34c418f3af744f8904e56
  SHA256: 088d445aca4a3cfa757ebdf273fa959afca86cd5587c45ebddea4c4bd6a8531e
  SHA512: 77cdd2eb002ab065716c94067ebfc17f42cb37811df46c5e4ed53d5e0a87979c72c9c3d48a2e5096ad4893b2ae1e187e3e97e1c6798b0179e7643f01b20f5f98