Analysis
- max time kernel: 44s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2022 22:36
Static task: static1
Behavioral task: behavioral1 (Sample: Catelog.jpg.exe, Resource: win7-20220901-en)
Behavioral task: behavioral2 (Sample: Catelog.jpg.exe, Resource: win10v2004-20220812-en)
Behavioral task: behavioral3 (Sample: Samples.jpg.exe, Resource: win7-20220812-en)
Behavioral task: behavioral4 (Sample: Samples.jpg.exe, Resource: win10v2004-20220812-en)
General
- Target: Catelog.jpg.exe
- Size: 123KB
- MD5: 458a2379358ae7cdd5a47059277338ca
- SHA1: c3753cfa681d226b772a3ab6bc462a5c29791fa0
- SHA256: d954de23f8e04cff445b91436fdaf60b05c18e115c3dda8afce8460d72fb1fa7
- SHA512: fe182750f864b963f5ca970013bf5003dd108c7e7d69c981d9b8779b8276727b464fd5a1978dffd68e9e52e809bf7ce23206114d58f6aba3d87d4e8b5d768705
- SSDEEP: 3072:wJQ8sYDCBvQTYMGWdQUkv2Gc1eGktXENiTRWnTuX8Wr:yERqTfGDHv+DvoTROTu
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: lsass.exe (PID 1276)
- Drops startup file (1 IoC)
  Processes: cvtres.exe (PID 1356)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
- Loads dropped DLL (2 IoCs)
  Processes: Catelog.jpg.exe (PID 1696), cvtres.exe (PID 1356)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe (PID 1292)
  Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\XGdES9N8RW = "C:\\Users\\Admin\\AppData\\Roaming\\dGNIWZiH\\seb2plM.exe.lnk"
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Catelog.jpg.exe (PID 1696) set thread context of cvtres.exe (PID 1356)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: Catelog.jpg.exe (PID 1696)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Catelog.jpg.exe (PID 1696) Token: SeDebugPrivilege; cvtres.exe (PID 1356) Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  - PID 1696 (Catelog.jpg.exe) wrote to memory of PID 1224 (cmd.exe): 4 events
  - PID 1224 (cmd.exe) wrote to memory of PID 1292 (reg.exe): 4 events
  - PID 1696 (Catelog.jpg.exe) wrote to memory of PID 1356 (cvtres.exe): 7 events
  - PID 1356 (cvtres.exe) wrote to memory of PID 1276 (lsass.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Catelog.jpg.exe (PID 1696)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Catelog.jpg.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1224)
    Command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "XGdES9N8RW" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\dGNIWZiH\seb2plM.exe.lnk"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 1292)
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "XGdES9N8RW" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\dGNIWZiH\seb2plM.exe.lnk"
      Signatures: Adds Run key to start application
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1356)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
    Signatures: Drops startup file; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe (PID 1276)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
  Filesize: 31KB
  MD5: ed797d8dc2c92401985d162e42ffa450
  SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
  Filesize: 31KB
  MD5: ed797d8dc2c92401985d162e42ffa450
  SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2
- \Users\Admin\AppData\Roaming\dGNIWZiH\seb2plM.exe
  Filesize: 123KB
  MD5: 458a2379358ae7cdd5a47059277338ca
  SHA1: c3753cfa681d226b772a3ab6bc462a5c29791fa0
  SHA256: d954de23f8e04cff445b91436fdaf60b05c18e115c3dda8afce8460d72fb1fa7
  SHA512: fe182750f864b963f5ca970013bf5003dd108c7e7d69c981d9b8779b8276727b464fd5a1978dffd68e9e52e809bf7ce23206114d58f6aba3d87d4e8b5d768705
- memory/1224-59-0x0000000000000000-mapping.dmp
- memory/1276-70-0x0000000000000000-mapping.dmp
- memory/1292-60-0x0000000000000000-mapping.dmp
- memory/1356-62-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1356-61-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1356-64-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1356-65-0x0000000000401000-mapping.dmp
- memory/1356-72-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp (Filesize: 8KB)
- memory/1696-67-0x0000000074E10000-0x00000000753BB000-memory.dmp (Filesize: 5.7MB)
- memory/1696-68-0x00000000001A6000-0x00000000001B7000-memory.dmp (Filesize: 68KB)
- memory/1696-57-0x0000000074E10000-0x00000000753BB000-memory.dmp (Filesize: 5.7MB)
- memory/1696-56-0x00000000001A6000-0x00000000001B7000-memory.dmp (Filesize: 68KB)
- memory/1696-55-0x0000000074E10000-0x00000000753BB000-memory.dmp (Filesize: 5.7MB)