9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e

Analysis

max time kernel
83s
max time network
88s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe
Size

85KB
MD5

6e032993d60b0418ccbf429a286c7707
SHA1

887de4741139d9becedc4eec8c348b48b1f75c60
SHA256

9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e
SHA512

345bc05026b166d8656dc33088f913232ce13d1d42fbdea8cfffc354a38da7ff4eb2da49ede72c7185ff17591e29294f827ce60110817d12cfe7b3f5c13f8674
SSDEEP

1536:i3LSNZSOyF6Aewor4ZXkl3CkSRpliHyPm:UutyxfVxIyLiS

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
836	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\3039414000 = "C:\\Users\\Admin\\3039414000.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe
Token: SeShutdownPrivilege	856	shutdown.exe
Token: SeRemoteShutdownPrivilege	856	shutdown.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1756	1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe	27
PID 1988 wrote to memory of 1756	1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe	27
PID 1988 wrote to memory of 1756	1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe	27
PID 1988 wrote to memory of 1756	1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe	27
PID 1756 wrote to memory of 1508	1756	cmd.exe	29
PID 1756 wrote to memory of 1508	1756	cmd.exe	29
PID 1756 wrote to memory of 1508	1756	cmd.exe	29
PID 1756 wrote to memory of 1508	1756	cmd.exe	29
PID 1988 wrote to memory of 856	1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe	30
PID 1988 wrote to memory of 856	1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe	30
PID 1988 wrote to memory of 856	1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe	30
PID 1988 wrote to memory of 856	1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe	30
PID 1988 wrote to memory of 836	1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe	32
PID 1988 wrote to memory of 836	1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe	32
PID 1988 wrote to memory of 836	1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe	32
PID 1988 wrote to memory of 836	1988	9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe	32

C:\Users\Admin\AppData\Local\Temp\9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe
"C:\Users\Admin\AppData\Local\Temp\9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 3039414000 /t REG_SZ /d "%userprofile%\3039414000.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 3039414000 /t REG_SZ /d "C:\Users\Admin\3039414000.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1508
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /f /t 3
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9CF608~1.EXE > nul
  2⤵
  - Deletes itself
  PID:836

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1572-61-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/1988-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1988-60-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1988-59-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download