456fe60fbf0cd11b90936a3ed9158b3e6f02042bbac7a4a616f77359382a9489

Analysis

max time kernel
7s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/10/2022, 19:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

456fe60fbf0cd11b90936a3ed9158b3e6f02042bbac7a4a616f77359382a9489.exe
Size

5.4MB
MD5

83c5057f1fa30303d82b2f297f490250
SHA1

09a1b52cad55296d96fcb8cd878d03835a8f1cd8
SHA256

456fe60fbf0cd11b90936a3ed9158b3e6f02042bbac7a4a616f77359382a9489
SHA512

69487ad49fe21b6d58ce0392062fe26e508a577f7ab0f2f5cf8f87dc8de084e62414eaaf6b1b28383a95ebd0a369a8d5f69fb8ce83f81f3cbc49c2838f504241
SSDEEP

98304:pQsy1LMYkQI1/+eD+B+5xBgGEtW6/nZ4X2cuzZPxFxTJ+DqoV8cazT+ymv3QAOU:0hsD+BOS/+y0BOU

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
988	netconfig.exe
1316	Devcon.exe
524	Devcon.exe

Loads dropped DLL 8 IoCs

pid	Process
1128	456fe60fbf0cd11b90936a3ed9158b3e6f02042bbac7a4a616f77359382a9489.exe
1128	456fe60fbf0cd11b90936a3ed9158b3e6f02042bbac7a4a616f77359382a9489.exe
988	netconfig.exe
988	netconfig.exe
988	netconfig.exe
988	netconfig.exe
1072	Process not Found
560	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\CurrentVersion\Run	netconfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\netcap = "c:\\netconfig\\netconfig.exe"	netconfig.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	Devcon.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	Devcon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	524	Devcon.exe
Token: SeLoadDriverPrivilege	1316	Devcon.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
988	netconfig.exe
988	netconfig.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
988	netconfig.exe
988	netconfig.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1128	456fe60fbf0cd11b90936a3ed9158b3e6f02042bbac7a4a616f77359382a9489.exe
1128	456fe60fbf0cd11b90936a3ed9158b3e6f02042bbac7a4a616f77359382a9489.exe
988	netconfig.exe
988	netconfig.exe
988	netconfig.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 988	1128	456fe60fbf0cd11b90936a3ed9158b3e6f02042bbac7a4a616f77359382a9489.exe	27
PID 1128 wrote to memory of 988	1128	456fe60fbf0cd11b90936a3ed9158b3e6f02042bbac7a4a616f77359382a9489.exe	27
PID 1128 wrote to memory of 988	1128	456fe60fbf0cd11b90936a3ed9158b3e6f02042bbac7a4a616f77359382a9489.exe	27
PID 1128 wrote to memory of 988	1128	456fe60fbf0cd11b90936a3ed9158b3e6f02042bbac7a4a616f77359382a9489.exe	27
PID 988 wrote to memory of 1316	988	netconfig.exe	28
PID 988 wrote to memory of 1316	988	netconfig.exe	28
PID 988 wrote to memory of 1316	988	netconfig.exe	28
PID 988 wrote to memory of 1316	988	netconfig.exe	28
PID 988 wrote to memory of 524	988	netconfig.exe	30
PID 988 wrote to memory of 524	988	netconfig.exe	30
PID 988 wrote to memory of 524	988	netconfig.exe	30
PID 988 wrote to memory of 524	988	netconfig.exe	30

C:\Users\Admin\AppData\Local\Temp\456fe60fbf0cd11b90936a3ed9158b3e6f02042bbac7a4a616f77359382a9489.exe
"C:\Users\Admin\AppData\Local\Temp\456fe60fbf0cd11b90936a3ed9158b3e6f02042bbac7a4a616f77359382a9489.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128
- \??\c:\netconfig\netconfig.exe
  c:\netconfig\netconfig.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\netconfig\Devcon.exe
    "C:\netconfig\Devcon.exe" disable "@PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\netconfig\Devcon.exe
    "C:\netconfig\Devcon.exe" disable "@PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\netconfig\Devcon.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\netconfig\Devcon.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\netconfig\netconfig.exe

Filesize
2.6MB

MD5
4fd44e8f02a8b64b4321797aa3ab7727

SHA1
645f67288db9b7396e03e72877ff9e179b280e4e

SHA256
3cb359f86fdd305ef535b77d0f562dc17e277278c3de7ab9c53e3e369f104f6f

SHA512
11437e9a6faf76f52b593c8381ca0fc17be6cc357ccb7ded37b71965f1330a5c1fe6241ac4bd7e2e6543b9cd01c0409011d0ee68a2382d689edd14b1e7c770b2

Download Submit
\??\c:\netconfig\ExuiKrnln.dll

Filesize
1.0MB

MD5
f6edea0a634d072c93b9a1e2400d8548

SHA1
4002d49350c7c6cf4b4cc6505928e0ec9e8828a5

SHA256
8131e6ec6a305c627dcb3da016f4dd902609f1a56c68442ebae556d41596679a

SHA512
544cbf6903e33dc279e88f1fbab0ce6d99e510eebdc1c2f85b99dc364bcb17f33b80ec52703964121baef669c019da7542caa3c1f2f10400539a3f2b67d1d7d4

Download Submit
\??\c:\netconfig\Ð¶ÔØ.exe

Filesize
1.0MB

MD5
9786aef25dbce42b0240f721360cf6c2

SHA1
5b973bcb2178fb506b87a06851b564a0749e221b

SHA256
a549dbe04e9ed504576c98e3a78ec762edb436715420f4f678af5a06404a547d

SHA512
55070c3dbee23ef1f64d546b9f29fed5e8ac2ef90c8df49db22269afba9b541372aa1b849d154153a97cb2df4ac3278e762fbe63dec859c475a54b43957c639e

Download Submit
\netconfig\Devcon.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\netconfig\Devcon.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\netconfig\Devcon.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\netconfig\Devcon.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\netconfig\Devcon.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\netconfig\exuikrnln.dll

Filesize
1.0MB

MD5
f6edea0a634d072c93b9a1e2400d8548

SHA1
4002d49350c7c6cf4b4cc6505928e0ec9e8828a5

SHA256
8131e6ec6a305c627dcb3da016f4dd902609f1a56c68442ebae556d41596679a

SHA512
544cbf6903e33dc279e88f1fbab0ce6d99e510eebdc1c2f85b99dc364bcb17f33b80ec52703964121baef669c019da7542caa3c1f2f10400539a3f2b67d1d7d4

Download Submit
\netconfig\netconfig.exe

Filesize
2.6MB

MD5
4fd44e8f02a8b64b4321797aa3ab7727

SHA1
645f67288db9b7396e03e72877ff9e179b280e4e

SHA256
3cb359f86fdd305ef535b77d0f562dc17e277278c3de7ab9c53e3e369f104f6f

SHA512
11437e9a6faf76f52b593c8381ca0fc17be6cc357ccb7ded37b71965f1330a5c1fe6241ac4bd7e2e6543b9cd01c0409011d0ee68a2382d689edd14b1e7c770b2

Download Submit
\netconfig\netconfig.exe

Filesize
2.6MB

MD5
4fd44e8f02a8b64b4321797aa3ab7727

SHA1
645f67288db9b7396e03e72877ff9e179b280e4e

SHA256
3cb359f86fdd305ef535b77d0f562dc17e277278c3de7ab9c53e3e369f104f6f

SHA512
11437e9a6faf76f52b593c8381ca0fc17be6cc357ccb7ded37b71965f1330a5c1fe6241ac4bd7e2e6543b9cd01c0409011d0ee68a2382d689edd14b1e7c770b2

Download Submit
memory/1128-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download