feb81e1b4ff1bd5cc83dc87f6a67629b5c64bc4f8460c6b5084022512c5c426d

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2022 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fgh.exe
Size

695KB
MD5

c980c7e6f4087c91113528f72c824192
SHA1

4e2bba5c5ced0a245e372fed825c829ba47ba5f2
SHA256

feb81e1b4ff1bd5cc83dc87f6a67629b5c64bc4f8460c6b5084022512c5c426d
SHA512

32b034aa526717e99f736a80091f1378a6fc6fdee1ef066288484ebc0779e9b11c0038db82e61123e89d3ef68a381edbadd1c56b11d4294521992181cb6063f3
SSDEEP

12288:RNmuYu9aooBha0zajauQwTVnTAI8KzjGFg7XvZA7CFTGSEZTjU4Ptl4hDEJ2UZ0e:RNmLuAoon6mwhnz1jGFgzvZAmLEZ84VH

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1924	jhhbqiui.exe

Loads dropped DLL 2 IoCs

pid	Process
2260	jhhbqiui.exe
4012	jhhbqiui.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 2260	1924	jhhbqiui.exe	86
PID 1924 set thread context of 4012	1924	jhhbqiui.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2260	jhhbqiui.exe
2260	jhhbqiui.exe
4012	jhhbqiui.exe
4012	jhhbqiui.exe
2732	powershell.exe
3196	powershell.exe
3196	powershell.exe
2732	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	jhhbqiui.exe
Token: SeDebugPrivilege	4012	jhhbqiui.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1924	1508	fgh.exe	84
PID 1508 wrote to memory of 1924	1508	fgh.exe	84
PID 1508 wrote to memory of 1924	1508	fgh.exe	84
PID 1924 wrote to memory of 2260	1924	jhhbqiui.exe	86
PID 1924 wrote to memory of 2260	1924	jhhbqiui.exe	86
PID 1924 wrote to memory of 2260	1924	jhhbqiui.exe	86
PID 1924 wrote to memory of 2260	1924	jhhbqiui.exe	86
PID 1924 wrote to memory of 4012	1924	jhhbqiui.exe	87
PID 1924 wrote to memory of 4012	1924	jhhbqiui.exe	87
PID 1924 wrote to memory of 4012	1924	jhhbqiui.exe	87
PID 1924 wrote to memory of 4012	1924	jhhbqiui.exe	87
PID 4012 wrote to memory of 3044	4012	jhhbqiui.exe	92
PID 4012 wrote to memory of 3044	4012	jhhbqiui.exe	92
PID 4012 wrote to memory of 3044	4012	jhhbqiui.exe	92
PID 2260 wrote to memory of 3588	2260	jhhbqiui.exe	91
PID 2260 wrote to memory of 3588	2260	jhhbqiui.exe	91
PID 2260 wrote to memory of 3588	2260	jhhbqiui.exe	91
PID 3044 wrote to memory of 3196	3044	cmd.exe	96
PID 3044 wrote to memory of 3196	3044	cmd.exe	96
PID 3044 wrote to memory of 3196	3044	cmd.exe	96
PID 3588 wrote to memory of 2732	3588	cmd.exe	95
PID 3588 wrote to memory of 2732	3588	cmd.exe	95
PID 3588 wrote to memory of 2732	3588	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\fgh.exe
"C:\Users\Admin\AppData\Local\Temp\fgh.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe
  "C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe
    "C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
- - C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe
    "C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jhhbqiui.exe.log

Filesize
994B

MD5
334ac3d2e55f80a9b69e02d1dbc44947

SHA1
dea2b26b13eca80ad781cfeeaf7082e0d0dc4f2e

SHA256
cfc8439b36fdd0455772cdb646d04b93858f9bc44fc94473bf73b253c2e4f25d

SHA512
83b5111afd7b24bf4bc193b01587ce590655d25ae9d0f333f6dbd1ddd2d93c2b22b48f5a52aa3c7d7d5833d774fcc729a7f6f9d1faf7277d1fc8deec16efd649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1b7b15961e5e3e0c1302ecadaddac223

SHA1
37b28a2f50381d42a55055132610f3d90ce5b3db

SHA256
a8dddc9ce7c284c4c0faa23e6c6d0967595228dd32c5a4bcd5938f26ed783f1e

SHA512
3dc99f0a8b008c041421e7bd8d0b0be42b8c8f496edc1ead6b46f33637a607a005fbe6d9dfe7152c16e4b26d5a4ebd99db9ed329032ef47ed62c432e1f803d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxhdzjtc.tsq

Filesize
789KB

MD5
f4ad3ae924badc2c1723c9570c25ef28

SHA1
896db1851073fbc39b635900d2a98c192ac93782

SHA256
798e904651423afb836a588dfc4882268f59273113e7609836eca6da33a46be9

SHA512
ef7c4b0d1ceccab678a3db805e1e0bed52720e7583fe96a83360a961c2aa2214847fb8ff39128b0266770000d7a7ba64b45fd77dbc19dbd887a0f8023269dc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe

Filesize
6KB

MD5
ce904e329b38ce9266a0117d7a9670bf

SHA1
02e84372e2cd09b10b4a5aa9e267504984187f8e

SHA256
2164fd18f21eef4682a956a84c45a63d3cb47ddad81fdc69a79443bf7fba7bf6

SHA512
aae956016615fb078c93c0863976c63c12c3d966891698aad572458671323fb3a5d366b90e2b54ffe9d30dfdc56ceb37100d02395d3f2700a781919e5fab8e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe

Filesize
6KB

MD5
ce904e329b38ce9266a0117d7a9670bf

SHA1
02e84372e2cd09b10b4a5aa9e267504984187f8e

SHA256
2164fd18f21eef4682a956a84c45a63d3cb47ddad81fdc69a79443bf7fba7bf6

SHA512
aae956016615fb078c93c0863976c63c12c3d966891698aad572458671323fb3a5d366b90e2b54ffe9d30dfdc56ceb37100d02395d3f2700a781919e5fab8e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe

Filesize
6KB

MD5
ce904e329b38ce9266a0117d7a9670bf

SHA1
02e84372e2cd09b10b4a5aa9e267504984187f8e

SHA256
2164fd18f21eef4682a956a84c45a63d3cb47ddad81fdc69a79443bf7fba7bf6

SHA512
aae956016615fb078c93c0863976c63c12c3d966891698aad572458671323fb3a5d366b90e2b54ffe9d30dfdc56ceb37100d02395d3f2700a781919e5fab8e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe

Filesize
6KB

MD5
ce904e329b38ce9266a0117d7a9670bf

SHA1
02e84372e2cd09b10b4a5aa9e267504984187f8e

SHA256
2164fd18f21eef4682a956a84c45a63d3cb47ddad81fdc69a79443bf7fba7bf6

SHA512
aae956016615fb078c93c0863976c63c12c3d966891698aad572458671323fb3a5d366b90e2b54ffe9d30dfdc56ceb37100d02395d3f2700a781919e5fab8e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmyqizhdnsw.m

Filesize
4KB

MD5
3ae1e92fdb4d94a3450296358659f81d

SHA1
3da9f669552a0ddc138d3b9987acb43c353f25ed

SHA256
97f4850c50402a73f7c89ed99bd8cec847fdd2bf0c2f0c3e33a887f30ad80f09

SHA512
baaedcdd57088abbc76cec78c05c82099a2d6b9e4721631dbc2a076f7dc0c0e79ce3c5c7663cc998e57152385bcd570c99f07d2f4cf881163f5ff54b31378d61

Download Submit
memory/2260-147-0x0000000006380000-0x0000000006412000-memory.dmp

Filesize
584KB

Download
memory/2260-146-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/2732-161-0x00000000060E0000-0x0000000006102000-memory.dmp

Filesize
136KB

Download
memory/2732-154-0x0000000004C00000-0x0000000005228000-memory.dmp

Filesize
6.2MB

Download
memory/2732-156-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/2732-159-0x0000000006000000-0x000000000601A000-memory.dmp

Filesize
104KB

Download
memory/3196-160-0x0000000006E40000-0x0000000006ED6000-memory.dmp

Filesize
600KB

Download
memory/3196-153-0x0000000002480000-0x00000000024B6000-memory.dmp

Filesize
216KB

Download
memory/3196-155-0x0000000004E00000-0x0000000004E22000-memory.dmp

Filesize
136KB

Download
memory/3196-157-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

Filesize
120KB

Download
memory/3196-158-0x0000000007420000-0x0000000007A9A000-memory.dmp

Filesize
6.5MB

Download
memory/4012-145-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/4012-144-0x0000000005B90000-0x0000000006134000-memory.dmp

Filesize
5.6MB

Download