c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb

Analysis

max time kernel
67s
max time network
68s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 08:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe
Size

85KB
MD5

091bcddb5ceaa1f0c7e2d507c539c60f
SHA1

e3cf67fe5611716ef26de6a18042500d9cfc4c39
SHA256

c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb
SHA512

61ccb06ae2a9cdec6ce919578edb6f598ba78c67b1a0426add56584676299009f3f33043f149608be5d8ff649edebbdae0d1f53045d26753f7c6af31a846a43a
SSDEEP

1536:5JXLSNZSOyF/lewor4ZXkl3CkSRpliHyPm:5FutyjfVxIyLiS

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
952	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\424927117 = "C:\\Users\\Admin\\424927117.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe
Token: SeShutdownPrivilege	2028	shutdown.exe
Token: SeRemoteShutdownPrivilege	2028	shutdown.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1372	2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe	28
PID 2000 wrote to memory of 1372	2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe	28
PID 2000 wrote to memory of 1372	2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe	28
PID 2000 wrote to memory of 1372	2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe	28
PID 1372 wrote to memory of 1348	1372	cmd.exe	30
PID 1372 wrote to memory of 1348	1372	cmd.exe	30
PID 1372 wrote to memory of 1348	1372	cmd.exe	30
PID 1372 wrote to memory of 1348	1372	cmd.exe	30
PID 2000 wrote to memory of 2028	2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe	31
PID 2000 wrote to memory of 2028	2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe	31
PID 2000 wrote to memory of 2028	2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe	31
PID 2000 wrote to memory of 2028	2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe	31
PID 2000 wrote to memory of 952	2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe	33
PID 2000 wrote to memory of 952	2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe	33
PID 2000 wrote to memory of 952	2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe	33
PID 2000 wrote to memory of 952	2000	c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe	33

C:\Users\Admin\AppData\Local\Temp\c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe
"C:\Users\Admin\AppData\Local\Temp\c352d11f858c6d9cedf320cd5120db475c52c19b3d2e9352ba8c8b6bf4fde0fb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 424927117 /t REG_SZ /d "%userprofile%\424927117.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 424927117 /t REG_SZ /d "C:\Users\Admin\424927117.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1348
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /f /t 3
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C352D1~1.EXE > nul
  2⤵
  - Deletes itself
  PID:952

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1236-61-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/2000-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/2000-55-0x00000000003A0000-0x00000000003B9000-memory.dmp

Filesize
100KB

Download
memory/2000-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download