Analysis
max time kernel: 16s
max time network: 47s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 11/10/2022, 06:04
Behavioral task: behavioral1
Sample: 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe
Resource: win10v2004-20220812-en
General
Target: 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe
Size: 899KB
MD5: 6da56cea43476a4f55d54df747649200
SHA1: e8f8474fc51e67bbd9eeee53675f9cee2063f2ae
SHA256: 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838
SHA512: ed1e6f874d613488c8f542b03f906bea8bf59c0353680cb9278e462b9ce858cf4dd86340843a32428e2e7523b8bc0930c4b1dfb0edd4485cb1aa60596a2a599d
SSDEEP: 24576:VTAmBpVKHu0Mu9Xo20VGLVP5TKIe5GiyseoV:VTAmKZVUGkrV
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\msdssvc\\csrss.exe" | KKKKKKKKK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\msdssvc\\csrss.exe" | KKKKKKKKK.EXE
Executes dropped EXE (4 IoCs)
pid | Process
1316 | KKKKKKKKK.EXE
572 | csrss.exe
1316 | KKKKKKKKK.EXE
572 | csrss.exe
Loads dropped DLL (8 IoCs)
pid | Process
1768 | 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe
1768 | 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe
1316 | KKKKKKKKK.EXE
1316 | KKKKKKKKK.EXE
1768 | 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe
1768 | 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe
1316 | KKKKKKKKK.EXE
1316 | KKKKKKKKK.EXE
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\Users\\Admin\\AppData\\Roaming\\msdssvc\\csrss.exe" | KKKKKKKKK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\Users\\Admin\\AppData\\Roaming\\msdssvc\\csrss.exe" | KKKKKKKKK.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 2 IoCs)
pid | Process
1512 | PING.EXE
1512 | PING.EXE
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 1316 | KKKKKKKKK.EXE
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 572 | csrss.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 1316 | KKKKKKKKK.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1668 | DllHost.exe
1668 | DllHost.exe
Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target
PID 1768 wrote to memory of 1316 | 1768 | 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe | 27
PID 1768 wrote to memory of 1316 | 1768 | 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe | 27
PID 1768 wrote to memory of 1316 | 1768 | 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe | 27
PID 1768 wrote to memory of 1316 | 1768 | 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe | 27
PID 1316 wrote to memory of 572 | 1316 | KKKKKKKKK.EXE | 29
PID 1316 wrote to memory of 572 | 1316 | KKKKKKKKK.EXE | 29
PID 1316 wrote to memory of 572 | 1316 | KKKKKKKKK.EXE | 29
PID 1316 wrote to memory of 572 | 1316 | KKKKKKKKK.EXE | 29
PID 1316 wrote to memory of 380 | 1316 | KKKKKKKKK.EXE | 30
PID 1316 wrote to memory of 380 | 1316 | KKKKKKKKK.EXE | 30
PID 1316 wrote to memory of 380 | 1316 | KKKKKKKKK.EXE | 30
PID 1316 wrote to memory of 380 | 1316 | KKKKKKKKK.EXE | 30
PID 380 wrote to memory of 1512 | 380 | cmd.exe | 32
PID 380 wrote to memory of 1512 | 380 | cmd.exe | 32
PID 380 wrote to memory of 1512 | 380 | cmd.exe | 32
PID 380 wrote to memory of 1512 | 380 | cmd.exe | 32
PID 1768 wrote to memory of 1316 | 1768 | 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe | 59
PID 1768 wrote to memory of 1316 | 1768 | 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe | 59
PID 1768 wrote to memory of 1316 | 1768 | 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe | 59
PID 1768 wrote to memory of 1316 | 1768 | 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe | 59
PID 1316 wrote to memory of 572 | 1316 | KKKKKKKKK.EXE | 61
PID 1316 wrote to memory of 572 | 1316 | KKKKKKKKK.EXE | 61
PID 1316 wrote to memory of 572 | 1316 | KKKKKKKKK.EXE | 61
PID 1316 wrote to memory of 572 | 1316 | KKKKKKKKK.EXE | 61
PID 1316 wrote to memory of 380 | 1316 | KKKKKKKKK.EXE | 62
PID 1316 wrote to memory of 380 | 1316 | KKKKKKKKK.EXE | 62
PID 1316 wrote to memory of 380 | 1316 | KKKKKKKKK.EXE | 62
PID 1316 wrote to memory of 380 | 1316 | KKKKKKKKK.EXE | 62
PID 380 wrote to memory of 1512 | 380 | cmd.exe | 64
PID 380 wrote to memory of 1512 | 380 | cmd.exe | 64
PID 380 wrote to memory of 1512 | 380 | cmd.exe | 64
PID 380 wrote to memory of 1512 | 380 | cmd.exe | 64
Processes

C:\Users\Admin\AppData\Local\Temp\1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1768
    C:\Users\Admin\AppData\Local\Temp\KKKKKKKKK.EXE (level 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\KKKKKKKKK.EXE"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1316
        C:\Users\Admin\AppData\Roaming\msdssvc\csrss.exe (level 3)
          command line: "C:\Users\Admin\AppData\Roaming\msdssvc\csrss.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 572
        C:\Windows\SysWOW64\cmd.exe (level 3)
          command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\KKKKKKKKK.EXE"
          - Suspicious use of WriteProcessMemory
          PID: 380
            C:\Windows\SysWOW64\PING.EXE (level 4)
              command line: ping 127.0.0.1 -n 5
              - Runs ping.exe
              PID: 1512

C:\Windows\SysWOW64\DllHost.exe (level 1)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
  PID: 1668

C:\Users\Admin\AppData\Local\Temp\1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1768
    C:\Users\Admin\AppData\Local\Temp\KKKKKKKKK.EXE (level 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\KKKKKKKKK.EXE"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1316
        C:\Users\Admin\AppData\Roaming\msdssvc\csrss.exe (level 3)
          command line: "C:\Users\Admin\AppData\Roaming\msdssvc\csrss.exe"
          - Executes dropped EXE
          PID: 572
        C:\Windows\SysWOW64\cmd.exe (level 3)
          command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\KKKKKKKKK.EXE"
          - Suspicious use of WriteProcessMemory
          PID: 380
            C:\Windows\SysWOW64\PING.EXE (level 4)
              command line: ping 127.0.0.1 -n 5
              - Runs ping.exe
              PID: 1512

C:\Windows\SysWOW64\DllHost.exe (level 1)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
  PID: 1668
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 648KB
MD5: f37b0bbe83404c4c0f7c4a35090b0a57
SHA1: bc7ec454a13939dd37a9e0edf4e38d9202dc2e41
SHA256: 39552b0f89440188afb2afda77b2a9a0c26588d97cd2e70192f69106a2fccbe2
SHA512: e8f73957c7c8c11cdcd81be5867b998018f15f38c97494d31d0ed14c86a25e33fe711a87602f9fee3a9224c7e651ee477f705d21f3e36fd9152a09dfa972b12c
Filesize: 197KB
MD5: d220784f629aac587cb1d81527c9fe64
SHA1: ad448315bf7d7d046fe4eddd5923e47d6bd4c354
SHA256: 13dd6e5ba7c193eebda4b4f100fe1c9a2e23e8fd83cb0a0230ecc325a17c70ca
SHA512: 2e779f06b621a19bc6a4be478ef54cb7d3efc561b127e121100893d7dafa19f552b9d533f88f36c76a28900e64c1c3fd1e173223ccb3c110f1cfa4fbbb5ad52e