Overview

overview

10

Static

static

b07e2ab5bc...ae.exe

windows7-x64

10

b07e2ab5bc...ae.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    77s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 02:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b07e2ab5bc00089f4d2f9c9c07381cd979a65802e6ddcbc27869a4a6275cccae.exe

  • Size

    554KB

  • MD5

    672d6fc27866ed1b169eefbd345528a2

  • SHA1

    3632c923020b963e245ace4f9fd752a34c450ffc

  • SHA256

    b07e2ab5bc00089f4d2f9c9c07381cd979a65802e6ddcbc27869a4a6275cccae

  • SHA512

    f35def01af4527c7bfe257c6c77e89ad626503837b03b056bc626236c037767cf851532ecdaf268acbf8ccf7f19612e88715a64ce28f481cdcb0b9761032bbee

  • SSDEEP

    6144:nJlQdETNux0Domh0l0WHMVGOfj2wqrpdN+sXGCJzsDzCErXW0DnBtJSqvKcysxV6:nJDTNNomKHM4y6TPBJIDzCoXW0tbNxiR

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 7 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 55 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    PID:332
  • C:\Users\Admin\AppData\Local\Temp\b07e2ab5bc00089f4d2f9c9c07381cd979a65802e6ddcbc27869a4a6275cccae.exe
    "C:\Users\Admin\AppData\Local\Temp\b07e2ab5bc00089f4d2f9c9c07381cd979a65802e6ddcbc27869a4a6275cccae.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\FnfkMdrzTmNc1yAh.exe
      FnfkMdrzTmNc1yAh.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Users\Admin\ceuikek.exe
        "C:\Users\Admin\ceuikek.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:904
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del FnfkMdrzTmNc1yAh.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:536
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1728
    • C:\Users\Admin\gob.exe
      gob.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Users\Admin\gob.exe
        gob.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:980
    • C:\Users\Admin\hob.exe
      hob.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Users\Admin\hob.exe
        hob.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Windows\explorer.exe
          0000003C*
          4⤵
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1472
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del b07e2ab5bc00089f4d2f9c9c07381cd979a65802e6ddcbc27869a4a6275cccae.exe
      2⤵
      • Deletes itself
      PID:1344

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\FnfkMdrzTmNc1yAh.exe
          Filesize

          156KB

          MD5

          79ae16815b3dc635f6b3997e9e27bac5

          SHA1

          6747cb105b76177fe0f30f409992ebcbe79d9031

          SHA256

          b7bc54022c40a0919f8e70729e460b807f4fab47f1570429642cefaf1a84825c

          SHA512

          e2fa7b07936a6a03ce6399f087913460da814f903e2e30b77c36ab741f0b3a2daa755307dda86f6c220814dfb7173087fcc9419b0946feb3652992101551509e

          Download Submit

        • C:\Users\Admin\FnfkMdrzTmNc1yAh.exe
          Filesize

          156KB

          MD5

          79ae16815b3dc635f6b3997e9e27bac5

          SHA1

          6747cb105b76177fe0f30f409992ebcbe79d9031

          SHA256

          b7bc54022c40a0919f8e70729e460b807f4fab47f1570429642cefaf1a84825c

          SHA512

          e2fa7b07936a6a03ce6399f087913460da814f903e2e30b77c36ab741f0b3a2daa755307dda86f6c220814dfb7173087fcc9419b0946feb3652992101551509e

          Download Submit

        • C:\Users\Admin\ceuikek.exe
          Filesize

          156KB

          MD5

          cb126e3fb83dc477c7af7aae2a25c8f9

          SHA1

          a5e4b02e7af4667bb14d7aa5eb81172ecceaeb79

          SHA256

          750ce816a575202c3ef4380909cf1dfabcdcd17da51434a2e6f9610920460b7e

          SHA512

          ab8a19866f09f61fa8d7f7272c7ca34fb3fbbb8d4390864d171cb24c3380c29875cd26f4c5698a40a85ad26bb44ee4da6735a247c2c22131ea3309116142fd55

          Download Submit

        • C:\Users\Admin\ceuikek.exe
          Filesize

          156KB

          MD5

          cb126e3fb83dc477c7af7aae2a25c8f9

          SHA1

          a5e4b02e7af4667bb14d7aa5eb81172ecceaeb79

          SHA256

          750ce816a575202c3ef4380909cf1dfabcdcd17da51434a2e6f9610920460b7e

          SHA512

          ab8a19866f09f61fa8d7f7272c7ca34fb3fbbb8d4390864d171cb24c3380c29875cd26f4c5698a40a85ad26bb44ee4da6735a247c2c22131ea3309116142fd55

          Download Submit

        • C:\Users\Admin\gob.exe
          Filesize

          161KB

          MD5

          4b6fa8ae2b0e19379b5714c4c7f092de

          SHA1

          2dfd145fc1d36a563fd6a635e4821333b35a806c

          SHA256

          afd1981bc28c9d72032f728a1590b38bec3e62d0865b23b9b234efce197e461b

          SHA512

          3c5e95f37a3af9beec52a6c868ebf83ebde30db4ee74bbf2d50b45fbad5b56fb5c5807b3d9b8b1964835bf733e0d979961ffe60a1ff5a8e3ccc68f3dd306d666

          Download Submit

        • C:\Users\Admin\gob.exe
          Filesize

          161KB

          MD5

          4b6fa8ae2b0e19379b5714c4c7f092de

          SHA1

          2dfd145fc1d36a563fd6a635e4821333b35a806c

          SHA256

          afd1981bc28c9d72032f728a1590b38bec3e62d0865b23b9b234efce197e461b

          SHA512

          3c5e95f37a3af9beec52a6c868ebf83ebde30db4ee74bbf2d50b45fbad5b56fb5c5807b3d9b8b1964835bf733e0d979961ffe60a1ff5a8e3ccc68f3dd306d666

          Download Submit

        • C:\Users\Admin\gob.exe
          Filesize

          161KB

          MD5

          4b6fa8ae2b0e19379b5714c4c7f092de

          SHA1

          2dfd145fc1d36a563fd6a635e4821333b35a806c

          SHA256

          afd1981bc28c9d72032f728a1590b38bec3e62d0865b23b9b234efce197e461b

          SHA512

          3c5e95f37a3af9beec52a6c868ebf83ebde30db4ee74bbf2d50b45fbad5b56fb5c5807b3d9b8b1964835bf733e0d979961ffe60a1ff5a8e3ccc68f3dd306d666

          Download Submit

        • C:\Users\Admin\hob.exe
          Filesize

          251KB

          MD5

          16444106daf5666cdc067c2a83f22756

          SHA1

          2c913d2e8688cda3cdab7373a8a6b1fa3bb7cdb8

          SHA256

          b14c99c27463e136c110f474a76fed9992eba37e7e5d46ef1ba7312e3997ba55

          SHA512

          59ecd51441d13add17328d01680db4a428803effc9caabda9303c0bd8f8824b599c53c289d77a843c3f1c57656439be052e0f90031b22d8cda9e6b54bdd70772

          Download Submit

        • C:\Users\Admin\hob.exe
          Filesize

          251KB

          MD5

          16444106daf5666cdc067c2a83f22756

          SHA1

          2c913d2e8688cda3cdab7373a8a6b1fa3bb7cdb8

          SHA256

          b14c99c27463e136c110f474a76fed9992eba37e7e5d46ef1ba7312e3997ba55

          SHA512

          59ecd51441d13add17328d01680db4a428803effc9caabda9303c0bd8f8824b599c53c289d77a843c3f1c57656439be052e0f90031b22d8cda9e6b54bdd70772

          Download Submit

        • C:\Users\Admin\hob.exe
          Filesize

          251KB

          MD5

          16444106daf5666cdc067c2a83f22756

          SHA1

          2c913d2e8688cda3cdab7373a8a6b1fa3bb7cdb8

          SHA256

          b14c99c27463e136c110f474a76fed9992eba37e7e5d46ef1ba7312e3997ba55

          SHA512

          59ecd51441d13add17328d01680db4a428803effc9caabda9303c0bd8f8824b599c53c289d77a843c3f1c57656439be052e0f90031b22d8cda9e6b54bdd70772

          Download Submit

        • C:\Windows\system32\consrv.DLL
          Filesize

          52KB

          MD5

          1812577ddfa736694a8dbad896d329d7

          SHA1

          a6831421aa2c04b93078df35d4bd2eed62985060

          SHA256

          c9173337e91ef6a59658dd60f713517eddd8cb43196dcc970266cbc12c33d5df

          SHA512

          d470c44c8e969b182dae8b2451075b525a9f1fc349737db19966581cb76289b1cac00cf6b7920c53959aaaedabd47385acc6b74dce2cc8f6a54a5ed882901d34

          Download Submit

        • \Users\Admin\FnfkMdrzTmNc1yAh.exe
          Filesize

          156KB

          MD5

          79ae16815b3dc635f6b3997e9e27bac5

          SHA1

          6747cb105b76177fe0f30f409992ebcbe79d9031

          SHA256

          b7bc54022c40a0919f8e70729e460b807f4fab47f1570429642cefaf1a84825c

          SHA512

          e2fa7b07936a6a03ce6399f087913460da814f903e2e30b77c36ab741f0b3a2daa755307dda86f6c220814dfb7173087fcc9419b0946feb3652992101551509e

          Download Submit

        • \Users\Admin\FnfkMdrzTmNc1yAh.exe
          Filesize

          156KB

          MD5

          79ae16815b3dc635f6b3997e9e27bac5

          SHA1

          6747cb105b76177fe0f30f409992ebcbe79d9031

          SHA256

          b7bc54022c40a0919f8e70729e460b807f4fab47f1570429642cefaf1a84825c

          SHA512

          e2fa7b07936a6a03ce6399f087913460da814f903e2e30b77c36ab741f0b3a2daa755307dda86f6c220814dfb7173087fcc9419b0946feb3652992101551509e

          Download Submit

        • \Users\Admin\ceuikek.exe
          Filesize

          156KB

          MD5

          cb126e3fb83dc477c7af7aae2a25c8f9

          SHA1

          a5e4b02e7af4667bb14d7aa5eb81172ecceaeb79

          SHA256

          750ce816a575202c3ef4380909cf1dfabcdcd17da51434a2e6f9610920460b7e

          SHA512

          ab8a19866f09f61fa8d7f7272c7ca34fb3fbbb8d4390864d171cb24c3380c29875cd26f4c5698a40a85ad26bb44ee4da6735a247c2c22131ea3309116142fd55

          Download Submit

        • \Users\Admin\ceuikek.exe
          Filesize

          156KB

          MD5

          cb126e3fb83dc477c7af7aae2a25c8f9

          SHA1

          a5e4b02e7af4667bb14d7aa5eb81172ecceaeb79

          SHA256

          750ce816a575202c3ef4380909cf1dfabcdcd17da51434a2e6f9610920460b7e

          SHA512

          ab8a19866f09f61fa8d7f7272c7ca34fb3fbbb8d4390864d171cb24c3380c29875cd26f4c5698a40a85ad26bb44ee4da6735a247c2c22131ea3309116142fd55

          Download Submit

        • \Users\Admin\gob.exe
          Filesize

          161KB

          MD5

          4b6fa8ae2b0e19379b5714c4c7f092de

          SHA1

          2dfd145fc1d36a563fd6a635e4821333b35a806c

          SHA256

          afd1981bc28c9d72032f728a1590b38bec3e62d0865b23b9b234efce197e461b

          SHA512

          3c5e95f37a3af9beec52a6c868ebf83ebde30db4ee74bbf2d50b45fbad5b56fb5c5807b3d9b8b1964835bf733e0d979961ffe60a1ff5a8e3ccc68f3dd306d666

          Download Submit

        • \Users\Admin\gob.exe
          Filesize

          161KB

          MD5

          4b6fa8ae2b0e19379b5714c4c7f092de

          SHA1

          2dfd145fc1d36a563fd6a635e4821333b35a806c

          SHA256

          afd1981bc28c9d72032f728a1590b38bec3e62d0865b23b9b234efce197e461b

          SHA512

          3c5e95f37a3af9beec52a6c868ebf83ebde30db4ee74bbf2d50b45fbad5b56fb5c5807b3d9b8b1964835bf733e0d979961ffe60a1ff5a8e3ccc68f3dd306d666

          Download Submit

        • \Users\Admin\hob.exe
          Filesize

          251KB

          MD5

          16444106daf5666cdc067c2a83f22756

          SHA1

          2c913d2e8688cda3cdab7373a8a6b1fa3bb7cdb8

          SHA256

          b14c99c27463e136c110f474a76fed9992eba37e7e5d46ef1ba7312e3997ba55

          SHA512

          59ecd51441d13add17328d01680db4a428803effc9caabda9303c0bd8f8824b599c53c289d77a843c3f1c57656439be052e0f90031b22d8cda9e6b54bdd70772

          Download Submit

        • \Users\Admin\hob.exe
          Filesize

          251KB

          MD5

          16444106daf5666cdc067c2a83f22756

          SHA1

          2c913d2e8688cda3cdab7373a8a6b1fa3bb7cdb8

          SHA256

          b14c99c27463e136c110f474a76fed9992eba37e7e5d46ef1ba7312e3997ba55

          SHA512

          59ecd51441d13add17328d01680db4a428803effc9caabda9303c0bd8f8824b599c53c289d77a843c3f1c57656439be052e0f90031b22d8cda9e6b54bdd70772

          Download Submit

        • \Windows\System32\consrv.dll
          Filesize

          52KB

          MD5

          1812577ddfa736694a8dbad896d329d7

          SHA1

          a6831421aa2c04b93078df35d4bd2eed62985060

          SHA256

          c9173337e91ef6a59658dd60f713517eddd8cb43196dcc970266cbc12c33d5df

          SHA512

          d470c44c8e969b182dae8b2451075b525a9f1fc349737db19966581cb76289b1cac00cf6b7920c53959aaaedabd47385acc6b74dce2cc8f6a54a5ed882901d34

          Download Submit

        • memory/332-131-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/980-89-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/980-83-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/980-81-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/980-79-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/980-77-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/980-75-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/980-74-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/980-85-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1472-117-0x00000000003F0000-0x0000000000409000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1472-128-0x0000000000060000-0x0000000000075000-memory.dmp

          Filesize

          84KB

          Download

        • memory/1472-127-0x00000000003F0000-0x0000000000409000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1472-122-0x00000000003F0000-0x0000000000409000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1500-111-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1500-101-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1500-115-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1500-100-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1500-103-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1500-109-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1500-107-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1500-105-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/2008-54-0x0000000076181000-0x0000000076183000-memory.dmp

          Filesize

          8KB

          Download