d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79

Analysis

max time kernel
122s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2022, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
Size

5.7MB
MD5

48f8b740502412cccc79cecdbf7f4064
SHA1

9e8d1e5a67781ec6ba27822063009057a63c5cf0
SHA256

d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79
SHA512

9e97f7ec44f04ed3412fc51f0e0a3c70f0c9c00766f82a9212c407fb40a111ae5920c0e3dabcf416ae93963a5f5784d57ae5596216cd4c646d51112aff01fdb3
SSDEEP

98304:rufaRACOnSgipE1UZQaYNeX6GcSLAzINGhDiL4j92JKAWl0PMbGfo3acSGoh:KUY2QmlYAXYSLzNuDisj92UAWl+gGiad

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2724	ver.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4772	netsh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1464	taskkill.exe
4892	taskkill.exe
3532	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1704	regedit.exe
1976	regedit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4032	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
4032	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
4032	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
4032	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4032	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
4032	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
4032	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
4032	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 2724	4032	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe	90
PID 4032 wrote to memory of 2724	4032	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe	90
PID 4032 wrote to memory of 2724	4032	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe	90
PID 2724 wrote to memory of 1244	2724	ver.exe	92
PID 2724 wrote to memory of 1244	2724	ver.exe	92
PID 1244 wrote to memory of 1464	1244	cmd.exe	93
PID 1244 wrote to memory of 1464	1244	cmd.exe	93
PID 1244 wrote to memory of 4892	1244	cmd.exe	94
PID 1244 wrote to memory of 4892	1244	cmd.exe	94
PID 1244 wrote to memory of 3532	1244	cmd.exe	95
PID 1244 wrote to memory of 3532	1244	cmd.exe	95
PID 1244 wrote to memory of 1704	1244	cmd.exe	96
PID 1244 wrote to memory of 1704	1244	cmd.exe	96
PID 1244 wrote to memory of 1976	1244	cmd.exe	98
PID 1244 wrote to memory of 1976	1244	cmd.exe	98
PID 1244 wrote to memory of 3924	1244	cmd.exe	99
PID 1244 wrote to memory of 3924	1244	cmd.exe	99
PID 1244 wrote to memory of 4336	1244	cmd.exe	100
PID 1244 wrote to memory of 4336	1244	cmd.exe	100
PID 1244 wrote to memory of 4696	1244	cmd.exe	101
PID 1244 wrote to memory of 4696	1244	cmd.exe	101
PID 1244 wrote to memory of 2244	1244	cmd.exe	102
PID 1244 wrote to memory of 2244	1244	cmd.exe	102
PID 1244 wrote to memory of 3268	1244	cmd.exe	103
PID 1244 wrote to memory of 3268	1244	cmd.exe	103
PID 1244 wrote to memory of 1864	1244	cmd.exe	104
PID 1244 wrote to memory of 1864	1244	cmd.exe	104
PID 1244 wrote to memory of 1836	1244	cmd.exe	105
PID 1244 wrote to memory of 1836	1244	cmd.exe	105
PID 1244 wrote to memory of 3132	1244	cmd.exe	106
PID 1244 wrote to memory of 3132	1244	cmd.exe	106
PID 1244 wrote to memory of 4576	1244	cmd.exe	107
PID 1244 wrote to memory of 4576	1244	cmd.exe	107
PID 1244 wrote to memory of 4772	1244	cmd.exe	108
PID 1244 wrote to memory of 4772	1244	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
"C:\Users\Admin\AppData\Local\Temp\d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\ver.exe
  C:\Users\Admin\AppData\Local\Temp\ver.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C597.tmp\C598.tmp\C599.bat C:\Users\Admin\AppData\Local\Temp\ver.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im openvpn.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1464
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im openvpn-gui.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4892
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cstrike-online.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3532
  - - C:\Windows\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\OpenVPN\reg\HKLM\*.reg"
      4⤵
      Runs .reg file with regedit
      PID:1704
  - - C:\Windows\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\OpenVPN\reg\HKCU\*.reg"
      4⤵
      Runs .reg file with regedit
      PID:1976
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\OpenVPN-GUI" /v config_dir /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\config" /f
      4⤵
      PID:3924
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN-GUI" /v exe_path /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\bin\openvpn.exe" /f
      4⤵
      PID:4336
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN-GUI" /v config_dir /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\config" /f
      4⤵
      PID:4696
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN-GUI" /v log_dir /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\log" /f
      4⤵
      PID:2244
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN" /v exe_path /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\bin\openvpn.exe" /f
      4⤵
      PID:3268
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN" /v config_dir /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\config" /f
      4⤵
      PID:1864
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN" /v log_dir /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\log" /f
      4⤵
      PID:1836
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN" /ve /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN" /f
      4⤵
      PID:3132
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Nexon\CStrike-Online\Settings" /V EngineD3D /T REG_DWORD /D 0 /F
      4⤵
      PID:4576
  - - C:\Windows\system32\netsh.exe
      NetSh Advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:4772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C597.tmp\C598.tmp\C599.bat

Filesize
1KB

MD5
38711e5bd4bb651014ceabadf817ac8b

SHA1
3da32daf684e261fe228cfc2ed4470e26ea8c891

SHA256
c6adb8338163a42c0c32f98f86617eade59641f8ad99ed6a07d9264330611e41

SHA512
633180c2aad2787467c20a237be9fa8c62c1e1c686ac80e8ec323997b16b29b69e6f674469937d53ef9512350a37abb725aa6bae9823babd0eb125d0eb9f7142

Download Submit
C:\Users\Admin\AppData\Local\Temp\ver.exe

Filesize
113KB

MD5
717448338d945a169c78b051d7ecb397

SHA1
dc924a97785d3be9d85d205a054650bc17840ecf

SHA256
d394ffe8b88174635f30ff2d9cd34a53c038e47ff208945cf0abd99518555ea8

SHA512
7b814a33485b7aa426eb2957ba01812a9bd297223d6fead99f65b77e5e185e75a54e60de9018823dc62e55279fbad658c14b980b2bb827d86549b214fba62057

Download Submit
C:\Users\Admin\AppData\Local\Temp\ver.exe

Filesize
113KB

MD5
717448338d945a169c78b051d7ecb397

SHA1
dc924a97785d3be9d85d205a054650bc17840ecf

SHA256
d394ffe8b88174635f30ff2d9cd34a53c038e47ff208945cf0abd99518555ea8

SHA512
7b814a33485b7aa426eb2957ba01812a9bd297223d6fead99f65b77e5e185e75a54e60de9018823dc62e55279fbad658c14b980b2bb827d86549b214fba62057

Download Submit