ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928

Analysis

max time kernel
79s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
Size

916KB
MD5

050b01e4e61e6e07973f230fbd7b5710
SHA1

cff45b1f2a471b0f329a8167937aaac7fae9b157
SHA256

ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928
SHA512

43daee52faf96a88e8d5f410c9ecb2ea008ad7ea848ef011412d8953617d3626494f812129cfb5a3044cc8f69cd1d9c9f5f1afe9f28fc4deee695043f5549e75
SSDEEP

12288:VtwVHekR9k8FDTJjwPFO1cH10nQSOgQwF2UWamEgp6ScqOeyB6:VtaTkkD1jQFb10D2U+E8rz

Score

8^/10

evasion

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe

Disables Task Manager via registry modification
evasion

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\V:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\X:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\A:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\E:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\J:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\L:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\Z:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\P:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\S:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\T:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\W:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\N:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\Q:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\R:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\F:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\H:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\K:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\M:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\Y:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\B:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\G:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\I:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\U:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 3184	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	83
PID 4852 wrote to memory of 3184	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	83
PID 4852 wrote to memory of 3184	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	83
PID 4852 wrote to memory of 1140	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	84
PID 4852 wrote to memory of 1140	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	84
PID 4852 wrote to memory of 1140	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	84
PID 4852 wrote to memory of 4028	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	87
PID 4852 wrote to memory of 4028	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	87
PID 4852 wrote to memory of 4028	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	87
PID 1140 wrote to memory of 1056	1140	cmd.exe	90
PID 1140 wrote to memory of 1056	1140	cmd.exe	90
PID 1140 wrote to memory of 1056	1140	cmd.exe	90
PID 1056 wrote to memory of 1972	1056	net.exe	91
PID 1056 wrote to memory of 1972	1056	net.exe	91
PID 1056 wrote to memory of 1972	1056	net.exe	91
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55
PID 4852 wrote to memory of 2372	4852	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	55

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2944

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1612

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4696

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3636

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3536

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:1336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2056
- C:\Users\Admin\AppData\Local\Temp\ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
  "C:\Users\Admin\AppData\Local\Temp\ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart.exe
    3⤵
    PID:3184
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\WINDOWS\SysWOW64\net.exe
      net user administrator websos
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user administrator websos
        5⤵
        
        PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\1exe.cmd
    3⤵
    PID:4028

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2384

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:620

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:940

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\1exe.cmd

Filesize
24B

MD5
e5fad0eebdbdb290ba8e7e45b783eb80

SHA1
d0134651bc51f9b818508dbdb21690800c5ed127

SHA256
15c12f019428c39e6a96d46fb531b763d0dea5151e23376a6aabe2e05180aa83

SHA512
e61a0756f71654febc40f181a01df302eb0c1328f87e5ae8138b7f9a7414027ad9b913d9d5381a8497f25439fa8fed5b80dbacc3c4b760e8c40f256872857469

Download Submit