8834c84cfd7e086f74a2ffa5b14ced2c039d78feda4bad610aba1c6bb4a6ce7f

Resubmissions

10/10/2022, 12:26

221010-pl6vysbgc6 8

Analysis

max time kernel
91s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10/10/2022, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sd.exe
Size

529KB
MD5

08aaa7f4e2c1278c0e9b06ce4e6c217d
SHA1

2cb4b4fb1ec8305ef03e1802f56be22b12379a0c
SHA256

8834c84cfd7e086f74a2ffa5b14ced2c039d78feda4bad610aba1c6bb4a6ce7f
SHA512

7a40ae329864cddf73acbc6435e7d8e977c44c2a91a71f8aaaf7a52d2d898b5392f0c7b3e4d9d2b34dcd55437c1ab68bd0d40480440eb600c0a606b53e179e03
SSDEEP

6144:yNYl/n0+1JZi7al4y3FMLv2fVvmcMnNtEmdOJ3jsdp5K/GmdNpK5IL03:yNYl/0Val4GVed7RdOZczCK2LC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1172	Snap2HTML.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SnipeDrives\C.html	Snap2HTML.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 52003100000000004a554d73100057696e646f7773003c0008000400efbeee3a851a4a554d732a0000008a020000000001000000000000000000000000000000570069006e0064006f0077007300000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5c003100000000004a556e731000534e495045447e310000440008000400efbe4a554d734a556e732a0000001a31010000000700000000000000000000000000000053006e00690070006500440072006900760065007300000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	explorer.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1240	WMIC.exe
Token: SeSecurityPrivilege	1240	WMIC.exe
Token: SeTakeOwnershipPrivilege	1240	WMIC.exe
Token: SeLoadDriverPrivilege	1240	WMIC.exe
Token: SeSystemProfilePrivilege	1240	WMIC.exe
Token: SeSystemtimePrivilege	1240	WMIC.exe
Token: SeProfSingleProcessPrivilege	1240	WMIC.exe
Token: SeIncBasePriorityPrivilege	1240	WMIC.exe
Token: SeCreatePagefilePrivilege	1240	WMIC.exe
Token: SeBackupPrivilege	1240	WMIC.exe
Token: SeRestorePrivilege	1240	WMIC.exe
Token: SeShutdownPrivilege	1240	WMIC.exe
Token: SeDebugPrivilege	1240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1240	WMIC.exe
Token: SeRemoteShutdownPrivilege	1240	WMIC.exe
Token: SeUndockPrivilege	1240	WMIC.exe
Token: SeManageVolumePrivilege	1240	WMIC.exe
Token: 33	1240	WMIC.exe
Token: 34	1240	WMIC.exe
Token: 35	1240	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1240	WMIC.exe
Token: SeSecurityPrivilege	1240	WMIC.exe
Token: SeTakeOwnershipPrivilege	1240	WMIC.exe
Token: SeLoadDriverPrivilege	1240	WMIC.exe
Token: SeSystemProfilePrivilege	1240	WMIC.exe
Token: SeSystemtimePrivilege	1240	WMIC.exe
Token: SeProfSingleProcessPrivilege	1240	WMIC.exe
Token: SeIncBasePriorityPrivilege	1240	WMIC.exe
Token: SeCreatePagefilePrivilege	1240	WMIC.exe
Token: SeBackupPrivilege	1240	WMIC.exe
Token: SeRestorePrivilege	1240	WMIC.exe
Token: SeShutdownPrivilege	1240	WMIC.exe
Token: SeDebugPrivilege	1240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1240	WMIC.exe
Token: SeRemoteShutdownPrivilege	1240	WMIC.exe
Token: SeUndockPrivilege	1240	WMIC.exe
Token: SeManageVolumePrivilege	1240	WMIC.exe
Token: 33	1240	WMIC.exe
Token: 34	1240	WMIC.exe
Token: 35	1240	WMIC.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 968	1836	sd.exe	27
PID 1836 wrote to memory of 968	1836	sd.exe	27
PID 1836 wrote to memory of 968	1836	sd.exe	27
PID 968 wrote to memory of 1404	968	cmd.exe	29
PID 968 wrote to memory of 1404	968	cmd.exe	29
PID 968 wrote to memory of 1404	968	cmd.exe	29
PID 968 wrote to memory of 1216	968	cmd.exe	30
PID 968 wrote to memory of 1216	968	cmd.exe	30
PID 968 wrote to memory of 1216	968	cmd.exe	30
PID 1216 wrote to memory of 1240	1216	cmd.exe	31
PID 1216 wrote to memory of 1240	1216	cmd.exe	31
PID 1216 wrote to memory of 1240	1216	cmd.exe	31
PID 968 wrote to memory of 1172	968	cmd.exe	33
PID 968 wrote to memory of 1172	968	cmd.exe	33
PID 968 wrote to memory of 1172	968	cmd.exe	33
PID 968 wrote to memory of 576	968	cmd.exe	34
PID 968 wrote to memory of 576	968	cmd.exe	34
PID 968 wrote to memory of 576	968	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\sd.exe
"C:\Users\Admin\AppData\Local\Temp\sd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\snapHTM.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\system32\mode.com
    mode con: cols=50 lines=15
    3⤵
    PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk where "drivetype=3" get name /format:value
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk where "drivetype=3" get name /format:value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1240
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Snap2HTML.exe
    Snap2HTML.exe -path:C:\ -outfile:C:\Windows\SnipeDrives\C.html -silent
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1172
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" C:\Windows\SnipeDrives\
    3⤵
    PID:576

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Snap2HTML.exe

Filesize
161KB

MD5
db9677194f84ed3ec78454a538c73704

SHA1
486e6d7166fdc2ec0b0e0f922931b1f92d665739

SHA256
fce7db964bef4b37f2f430c6ea99f439e5be06e047f6386222826df133b3a047

SHA512
4d494ef85ac86fd6026fcc7c0dd61fc7ca4f036a1fe98bf7416d79aa2dc80bbb4fbbf1d20ada82100c50568f80de8267ef2cfbe0b8f1a3f294b0ba3324b70d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Snap2HTML.exe

Filesize
161KB

MD5
db9677194f84ed3ec78454a538c73704

SHA1
486e6d7166fdc2ec0b0e0f922931b1f92d665739

SHA256
fce7db964bef4b37f2f430c6ea99f439e5be06e047f6386222826df133b3a047

SHA512
4d494ef85ac86fd6026fcc7c0dd61fc7ca4f036a1fe98bf7416d79aa2dc80bbb4fbbf1d20ada82100c50568f80de8267ef2cfbe0b8f1a3f294b0ba3324b70d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\snapHTM.bat

Filesize
1KB

MD5
4d6a4e6d7e3ca01d5960d3c563e5d911

SHA1
62a98f4dcb213b59b3ed2edbbcfa5e226e3be8e2

SHA256
b699e6e9cbab88965f8fc357e6d98fa0e27bd446148af3664876066fc21a2937

SHA512
eced432e8e71d5fa7dc0b03b1104a2de2bc61021a8f53a0cd9a61fced8c525345f6de94d9deef5a46b55b060d17957892ca1a0dedd43b155e285a576a8b4f1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\template.html

Filesize
236KB

MD5
20e082682be1c6c3a008eaf63dc89317

SHA1
c7fa37b1e22222a7adfd0940ee496f3c4c15604d

SHA256
00656afe4f9b0c80b701008bc4008485f6941eefc46f480876170e4897f60594

SHA512
72891c062eb091df7db1310661b351b75f2c16419f8bd0fcc0233b7c276a7168f8febe097db72a50e237474f777882abc65b9ad967465d9b28de40b49de98543

Download Submit
C:\Windows\SnipeDrives\C.html

Filesize
13.6MB

MD5
92be66cdc5e62bbdb7d8bb97412f4dcd

SHA1
d7804d98cb9c216bf823e42dab31b80c0dbe96a3

SHA256
6b603bd1d2aac19c81883de0a0c54e739b944db6ef4b40eb3e129b733e27b1db

SHA512
51838e7169786a7be461267386157363316127dd1e583e914481b25ebc7b27ec7facae232bef3b6869df7658c16820916c8b377af2c425476ce9dc1e3dac2f16

Download Submit
memory/1172-68-0x000000001B5A7000-0x000000001B5C6000-memory.dmp

Filesize
124KB

Download
memory/1172-63-0x00000000002F0000-0x000000000031E000-memory.dmp

Filesize
184KB

Download
memory/1172-65-0x000000001B5A7000-0x000000001B5C6000-memory.dmp

Filesize
124KB

Download
memory/1172-66-0x000000001B5A7000-0x000000001B5C6000-memory.dmp

Filesize
124KB

Download
memory/1696-89-0x0000000003A00000-0x0000000003A10000-memory.dmp

Filesize
64KB

Download
memory/1836-54-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download