67a07c199ce5251db807bc1f3527bb792336ec125afe8ac5eea4716bb127368c

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 22:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

67a07c199ce5251db807bc1f3527bb792336ec125afe8ac5eea4716bb127368c.exe
Size

330KB
MD5

6d2d17f32d10851b470a24e1ba8a3390
SHA1

81d97bac185c7b95772a563ec1877cc60666e7dd
SHA256

67a07c199ce5251db807bc1f3527bb792336ec125afe8ac5eea4716bb127368c
SHA512

719e06446ce9dd2b5004b8c33be37b6442efc993f80d38516e2bb62961fdc8da0a201a35ec2a4d5e0e4f8a44bd784e0901a31cfacc88202b41ae8653d0cd3456
SSDEEP

6144:2Y94NpBfMiwYTFClzmy0us8cBk8ObkyQvaH/ZZAcB84StdGeBo+jsX7nz/g3i8D:d9OPPxRCliy0uGOaAZFB84StdGeBoAsC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
940	rinst.exe

Loads dropped DLL 4 IoCs

pid	Process
1604	67a07c199ce5251db807bc1f3527bb792336ec125afe8ac5eea4716bb127368c.exe
1604	67a07c199ce5251db807bc1f3527bb792336ec125afe8ac5eea4716bb127368c.exe
1604	67a07c199ce5251db807bc1f3527bb792336ec125afe8ac5eea4716bb127368c.exe
1604	67a07c199ce5251db807bc1f3527bb792336ec125afe8ac5eea4716bb127368c.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\bpk.exe	rinst.exe
File created	C:\Windows\SysWOW64\bpkhk.dll	rinst.exe
File created	C:\Windows\SysWOW64\bpkwb.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
940	rinst.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe
940	rinst.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	rinst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
520	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 940	1604	67a07c199ce5251db807bc1f3527bb792336ec125afe8ac5eea4716bb127368c.exe	27
PID 1604 wrote to memory of 940	1604	67a07c199ce5251db807bc1f3527bb792336ec125afe8ac5eea4716bb127368c.exe	27
PID 1604 wrote to memory of 940	1604	67a07c199ce5251db807bc1f3527bb792336ec125afe8ac5eea4716bb127368c.exe	27
PID 1604 wrote to memory of 940	1604	67a07c199ce5251db807bc1f3527bb792336ec125afe8ac5eea4716bb127368c.exe	27
PID 940 wrote to memory of 372	940	rinst.exe	5
PID 940 wrote to memory of 372	940	rinst.exe	5
PID 940 wrote to memory of 372	940	rinst.exe	5
PID 940 wrote to memory of 372	940	rinst.exe	5
PID 940 wrote to memory of 372	940	rinst.exe	5
PID 940 wrote to memory of 372	940	rinst.exe	5
PID 940 wrote to memory of 372	940	rinst.exe	5
PID 940 wrote to memory of 384	940	rinst.exe	4
PID 940 wrote to memory of 384	940	rinst.exe	4
PID 940 wrote to memory of 384	940	rinst.exe	4
PID 940 wrote to memory of 384	940	rinst.exe	4
PID 940 wrote to memory of 384	940	rinst.exe	4
PID 940 wrote to memory of 384	940	rinst.exe	4
PID 940 wrote to memory of 384	940	rinst.exe	4
PID 940 wrote to memory of 420	940	rinst.exe	3
PID 940 wrote to memory of 420	940	rinst.exe	3
PID 940 wrote to memory of 420	940	rinst.exe	3
PID 940 wrote to memory of 420	940	rinst.exe	3
PID 940 wrote to memory of 420	940	rinst.exe	3
PID 940 wrote to memory of 420	940	rinst.exe	3
PID 940 wrote to memory of 420	940	rinst.exe	3
PID 940 wrote to memory of 468	940	rinst.exe	2
PID 940 wrote to memory of 468	940	rinst.exe	2
PID 940 wrote to memory of 468	940	rinst.exe	2
PID 940 wrote to memory of 468	940	rinst.exe	2
PID 940 wrote to memory of 468	940	rinst.exe	2
PID 940 wrote to memory of 468	940	rinst.exe	2
PID 940 wrote to memory of 468	940	rinst.exe	2
PID 940 wrote to memory of 476	940	rinst.exe	1
PID 940 wrote to memory of 476	940	rinst.exe	1
PID 940 wrote to memory of 476	940	rinst.exe	1
PID 940 wrote to memory of 476	940	rinst.exe	1
PID 940 wrote to memory of 476	940	rinst.exe	1
PID 940 wrote to memory of 476	940	rinst.exe	1
PID 940 wrote to memory of 476	940	rinst.exe	1
PID 940 wrote to memory of 484	940	rinst.exe	8
PID 940 wrote to memory of 484	940	rinst.exe	8
PID 940 wrote to memory of 484	940	rinst.exe	8
PID 940 wrote to memory of 484	940	rinst.exe	8
PID 940 wrote to memory of 484	940	rinst.exe	8
PID 940 wrote to memory of 484	940	rinst.exe	8
PID 940 wrote to memory of 484	940	rinst.exe	8
PID 940 wrote to memory of 580	940	rinst.exe	25
PID 940 wrote to memory of 580	940	rinst.exe	25
PID 940 wrote to memory of 580	940	rinst.exe	25
PID 940 wrote to memory of 580	940	rinst.exe	25
PID 940 wrote to memory of 580	940	rinst.exe	25
PID 940 wrote to memory of 580	940	rinst.exe	25
PID 940 wrote to memory of 580	940	rinst.exe	25
PID 940 wrote to memory of 660	940	rinst.exe	24
PID 940 wrote to memory of 660	940	rinst.exe	24
PID 940 wrote to memory of 660	940	rinst.exe	24
PID 940 wrote to memory of 660	940	rinst.exe	24
PID 940 wrote to memory of 660	940	rinst.exe	24
PID 940 wrote to memory of 660	940	rinst.exe	24
PID 940 wrote to memory of 660	940	rinst.exe	24
PID 940 wrote to memory of 744	940	rinst.exe	23
PID 940 wrote to memory of 744	940	rinst.exe	23
PID 940 wrote to memory of 744	940	rinst.exe	23
PID 940 wrote to memory of 744	940	rinst.exe	23

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:796
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1168
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:296
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1036
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1984
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1732
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1120
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:368
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:872
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:836
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:744
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:660
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:580
- - C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:520

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\67a07c199ce5251db807bc1f3527bb792336ec125afe8ac5eea4716bb127368c.exe
  "C:\Users\Admin\AppData\Local\Temp\67a07c199ce5251db807bc1f3527bb792336ec125afe8ac5eea4716bb127368c.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:940

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\RARSFX0\BPK.EXE

Filesize
214KB

MD5
5dd74b030107bc795b682f00a2fee943

SHA1
a9da9372f0ff19972d1ecc919a07b3ce05e64045

SHA256
d6b4cbd14592edfdec41e18dcbbf8fb5149f944653a7cae97352c8628efd28d5

SHA512
1d7638d2f73eb6ccddea24ddc5a811a70154f30eb56b30afb1ed7634b165e6e56e8dad0790d22e106e672c01d9ab3f24dedf5faecc9b62f9fece6f29b700af71

Download Submit
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\RARSFX0\RINST.EXE

Filesize
34KB

MD5
df0a23cbc7302f19b06fd079115e4545

SHA1
89325ead783ccdb682759ece5adc7b7d6b5bd2d1

SHA256
a565c05c6d616c3f3646304ab9cd43c704be0210187e0191b6e25bd8a7af4665

SHA512
c652d199ea42cbf21461910e537b4f87ebb351eb17bcd07dfb6b1810cba69600bcf09080e2507ded70bd5cd0939af244559fd45def9218c4ab571419801d10cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll

Filesize
24KB

MD5
58129986fa29f6dacd99ab45f60bcb3c

SHA1
7f21995794a060fc8629e0d113cf568de14c509e

SHA256
525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a

SHA512
62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkwb.dll

Filesize
40KB

MD5
2e6016325548ab79e2d636640c6ec473

SHA1
586e2b84d46ef00e26c1686033def28e8a9995a5

SHA256
62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e

SHA512
1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
996B

MD5
033300cd9317f46311769938d2927325

SHA1
28dbd9dbfe984f0a695bc544d5159c2387615d0e

SHA256
f12ccea94429018ec6cf41269ec28e809b48fd1bb331b311adba7414b593f696

SHA512
42f478622f180915b68e2423d5dde9b58a7e225a62adcfe202881b0c579f0c509075d57516acda73950b9ac420f2da35f0432938abe875074385facab0a87514

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
4KB

MD5
e92d3b693ed68bb050cfaa14891d5560

SHA1
9d00058794158397fd5c75ceaee958b9265eae4b

SHA256
0f8cb47b31274c15f42274825c78d4beb1f24eef36df005c036c05d589933e92

SHA512
4e79e309e6cec06639ca3005f3ec024c27728633bd9df4a66ed866b40daad8275f4e7c086c9fe1628a34da758a3587ce966d52f4c129db3278aeb46b84ff74c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
34KB

MD5
df0a23cbc7302f19b06fd079115e4545

SHA1
89325ead783ccdb682759ece5adc7b7d6b5bd2d1

SHA256
a565c05c6d616c3f3646304ab9cd43c704be0210187e0191b6e25bd8a7af4665

SHA512
c652d199ea42cbf21461910e537b4f87ebb351eb17bcd07dfb6b1810cba69600bcf09080e2507ded70bd5cd0939af244559fd45def9218c4ab571419801d10cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\untitled.bmp

Filesize
98KB

MD5
c19d8e1d13f891fb41f556aa6c7ce3e1

SHA1
3ffdba957456d79dc07b501faec6326812d5c571

SHA256
e663c2dd2accd7fe41f0de8a71b0ee32c3b762d8f71c726cc0ce04c1b5ceebdf

SHA512
4a193a7f0cd8c2bd01e163cd6a2256265d82900127cc2507674af9f468b9fc204ccb7d7614c793334c1f76b9a344d7d5aeb5dcceaa5af9a414af784106dde787

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
34KB

MD5
df0a23cbc7302f19b06fd079115e4545

SHA1
89325ead783ccdb682759ece5adc7b7d6b5bd2d1

SHA256
a565c05c6d616c3f3646304ab9cd43c704be0210187e0191b6e25bd8a7af4665

SHA512
c652d199ea42cbf21461910e537b4f87ebb351eb17bcd07dfb6b1810cba69600bcf09080e2507ded70bd5cd0939af244559fd45def9218c4ab571419801d10cf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
34KB

MD5
df0a23cbc7302f19b06fd079115e4545

SHA1
89325ead783ccdb682759ece5adc7b7d6b5bd2d1

SHA256
a565c05c6d616c3f3646304ab9cd43c704be0210187e0191b6e25bd8a7af4665

SHA512
c652d199ea42cbf21461910e537b4f87ebb351eb17bcd07dfb6b1810cba69600bcf09080e2507ded70bd5cd0939af244559fd45def9218c4ab571419801d10cf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
34KB

MD5
df0a23cbc7302f19b06fd079115e4545

SHA1
89325ead783ccdb682759ece5adc7b7d6b5bd2d1

SHA256
a565c05c6d616c3f3646304ab9cd43c704be0210187e0191b6e25bd8a7af4665

SHA512
c652d199ea42cbf21461910e537b4f87ebb351eb17bcd07dfb6b1810cba69600bcf09080e2507ded70bd5cd0939af244559fd45def9218c4ab571419801d10cf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
34KB

MD5
df0a23cbc7302f19b06fd079115e4545

SHA1
89325ead783ccdb682759ece5adc7b7d6b5bd2d1

SHA256
a565c05c6d616c3f3646304ab9cd43c704be0210187e0191b6e25bd8a7af4665

SHA512
c652d199ea42cbf21461910e537b4f87ebb351eb17bcd07dfb6b1810cba69600bcf09080e2507ded70bd5cd0939af244559fd45def9218c4ab571419801d10cf

Download Submit
memory/940-69-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1604-70-0x0000000000830000-0x000000000083D000-memory.dmp

Filesize
52KB

Download
memory/1604-71-0x0000000000830000-0x000000000083D000-memory.dmp

Filesize
52KB

Download
memory/1604-72-0x0000000000840000-0x000000000084D000-memory.dmp

Filesize
52KB

Download
memory/1604-73-0x0000000000840000-0x000000000084D000-memory.dmp

Filesize
52KB

Download
memory/1604-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1604-75-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download