3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592

Analysis

max time kernel
150s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe
Size

160KB
MD5

4b39dcffcb563cad580e70fa399344e0
SHA1

9d3931c34eb15bc3405d66fb3e2cba37afb46a65
SHA256

3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592
SHA512

419f94b225898317b7187b93800d8aa55f69e25618bc722450c629902c6ef5d0adee34172928440659ee4aa6b06e58e701135e2f9403a060c8a685bce9fd5778
SSDEEP

3072:eGzsrBGoe5g+GwJs8K9YUoIrJaRuSZ/JlQPj/PYv2wM0B2vmkHgHAGFAhl4oQZip:eGwrfP9YErMRuSZ/JlQLHYv2PvzGAMA9

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lwcir.exe

Executes dropped EXE 1 IoCs

pid	Process
892	lwcir.exe

Loads dropped DLL 2 IoCs

pid	Process
1644	3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe
1644	3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /Z"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /i"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /S"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /U"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /F"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /L"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /T"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /v"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /w"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /q"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /j"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /Q"	lwcir.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /B"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /G"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /c"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /V"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /X"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /P"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /C"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /K"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /o"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /M"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /k"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /x"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /R"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /a"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /t"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /H"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /N"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /h"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /z"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /s"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /y"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /t"	3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /W"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /D"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /f"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /Y"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /l"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /e"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /u"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /p"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /O"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /r"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /b"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /A"	lwcir.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /d"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /I"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /J"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /m"	lwcir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwcir = "C:\\Users\\Admin\\lwcir.exe /n"	lwcir.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1644	3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe
892	lwcir.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1644	3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe
892	lwcir.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 892	1644	3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe	27
PID 1644 wrote to memory of 892	1644	3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe	27
PID 1644 wrote to memory of 892	1644	3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe	27
PID 1644 wrote to memory of 892	1644	3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe	27

C:\Users\Admin\AppData\Local\Temp\3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe
"C:\Users\Admin\AppData\Local\Temp\3a11f80648031aa8c2404d28b1f3a14ece5908a76db842f0bceb8f7ee3620592.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\lwcir.exe
  "C:\Users\Admin\lwcir.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\lwcir.exe

Filesize
160KB

MD5
fe64f7a20d4d850368f9453ffeb0dd7b

SHA1
c5dbb80219468ac7df6e990be43f823685a9bc8f

SHA256
1f5c34940292ef0557ba908ab289f67308c16badc5898c21e848d2de33975008

SHA512
792d55ae69a1f16dd5ab30089ba4a047dc816ea8273757709beac7ddc1028bdade927d247b59f3b5bf92cec47dff97c8afcca30b2f41e80c0a05f1ee8e1c0d39

Download Submit
C:\Users\Admin\lwcir.exe

Filesize
160KB

MD5
fe64f7a20d4d850368f9453ffeb0dd7b

SHA1
c5dbb80219468ac7df6e990be43f823685a9bc8f

SHA256
1f5c34940292ef0557ba908ab289f67308c16badc5898c21e848d2de33975008

SHA512
792d55ae69a1f16dd5ab30089ba4a047dc816ea8273757709beac7ddc1028bdade927d247b59f3b5bf92cec47dff97c8afcca30b2f41e80c0a05f1ee8e1c0d39

Download Submit
\Users\Admin\lwcir.exe

Filesize
160KB

MD5
fe64f7a20d4d850368f9453ffeb0dd7b

SHA1
c5dbb80219468ac7df6e990be43f823685a9bc8f

SHA256
1f5c34940292ef0557ba908ab289f67308c16badc5898c21e848d2de33975008

SHA512
792d55ae69a1f16dd5ab30089ba4a047dc816ea8273757709beac7ddc1028bdade927d247b59f3b5bf92cec47dff97c8afcca30b2f41e80c0a05f1ee8e1c0d39

Download Submit
\Users\Admin\lwcir.exe

Filesize
160KB

MD5
fe64f7a20d4d850368f9453ffeb0dd7b

SHA1
c5dbb80219468ac7df6e990be43f823685a9bc8f

SHA256
1f5c34940292ef0557ba908ab289f67308c16badc5898c21e848d2de33975008

SHA512
792d55ae69a1f16dd5ab30089ba4a047dc816ea8273757709beac7ddc1028bdade927d247b59f3b5bf92cec47dff97c8afcca30b2f41e80c0a05f1ee8e1c0d39

Download Submit
memory/1644-56-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download