8c7f180e2a057fc51fd7938952399b5e96a81387bbb0a354fbc7b34698cb3948

Analysis

max time kernel
154s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2022 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c7f180e2a057fc51fd7938952399b5e96a81387bbb0a354fbc7b34698cb3948.exe
Size

145KB
MD5

68d4c449e0ec74f705c9e2479cb2c3c0
SHA1

5ea7e321c1ae379a60283e58eb2801d6d638afe2
SHA256

8c7f180e2a057fc51fd7938952399b5e96a81387bbb0a354fbc7b34698cb3948
SHA512

46944a0262b81db5ead00a6927bdf87f3eef0a3debb68dcc5af0ac9e10a5dbc6ce05509cf27676f69fa37a890f36d48d629b47fb8894ca54b87a4243b39b2207
SSDEEP

3072:Cnj9VtfUIINndIc0JU3BhoWVPN+q8HwLSO2dQFEDk3UToPzp/8I:CjfeigCWD+fMyk3UcPzp/1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1368	.Download-Server.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FD27A.exe.exe	.Download-Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FD27A.exe.exe	.Download-Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8c7f180e2a057fc51fd7938952399b5e96a81387bbb0a354fbc7b34698cb3948.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8c7f180e2a057fc51fd7938952399b5e96a81387bbb0a354fbc7b34698cb3948.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1368	.Download-Server.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 1368	4648	8c7f180e2a057fc51fd7938952399b5e96a81387bbb0a354fbc7b34698cb3948.exe	81
PID 4648 wrote to memory of 1368	4648	8c7f180e2a057fc51fd7938952399b5e96a81387bbb0a354fbc7b34698cb3948.exe	81
PID 4648 wrote to memory of 1368	4648	8c7f180e2a057fc51fd7938952399b5e96a81387bbb0a354fbc7b34698cb3948.exe	81
PID 1368 wrote to memory of 5096	1368	.Download-Server.exe	82
PID 1368 wrote to memory of 5096	1368	.Download-Server.exe	82
PID 1368 wrote to memory of 5096	1368	.Download-Server.exe	82
PID 5096 wrote to memory of 1884	5096	net.exe	84
PID 5096 wrote to memory of 1884	5096	net.exe	84
PID 5096 wrote to memory of 1884	5096	net.exe	84

C:\Users\Admin\AppData\Local\Temp\8c7f180e2a057fc51fd7938952399b5e96a81387bbb0a354fbc7b34698cb3948.exe
"C:\Users\Admin\AppData\Local\Temp\8c7f180e2a057fc51fd7938952399b5e96a81387bbb0a354fbc7b34698cb3948.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe

Filesize
76KB

MD5
ca8c0aca646aae4a7029ae898efc346d

SHA1
785ca48171fd02481769f46d504897f025f42d41

SHA256
67ba1b63d2ccd57013b42cccc4bcfd4537c9cab98a128f1a1e365c86645a67c6

SHA512
7fbb337e5cb97a05217ac679523d926f213007d053d9823fa980b46ef091557be74c933034ff5ea3efb301915d00d6dfe60f8a7d39c54cdc6946ca0abac1223a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe

Filesize
76KB

MD5
ca8c0aca646aae4a7029ae898efc346d

SHA1
785ca48171fd02481769f46d504897f025f42d41

SHA256
67ba1b63d2ccd57013b42cccc4bcfd4537c9cab98a128f1a1e365c86645a67c6

SHA512
7fbb337e5cb97a05217ac679523d926f213007d053d9823fa980b46ef091557be74c933034ff5ea3efb301915d00d6dfe60f8a7d39c54cdc6946ca0abac1223a

Download Submit
memory/1368-132-0x0000000000000000-mapping.dmp

Download
memory/1884-138-0x0000000000000000-mapping.dmp

Download
memory/5096-137-0x0000000000000000-mapping.dmp

Download