07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d

Analysis

max time kernel
110s
max time network
65s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14/10/2022, 09:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe
Size

97KB
MD5

677553b62c68b73d8aa1b32233988f40
SHA1

11fe891f2367e1efe0d4d28d78ed94d704130bb2
SHA256

07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d
SHA512

53fb6b5d2d6059de3d7f39f281bdbde1c4b8ea1328f2ba4bd07005578bdfa4f52cb366338cf32105d6554d1b87fe6d2c891b360d910b14124a085c0c9b97aa1d
SSDEEP

3072:yAhAhAXkEEmJ9op1W+IdUkZwV+oADasNsgAs4ni9tm6:yUUnEEmJ9cM+fbADLashL

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
0212205258

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1888	%tmp%.exe
1332	svhost.exe
952	svhost.exe
1304	svhost.exe
1968	svhost.exe
328	panje.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\panje .exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\panje .exe	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe
864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe
864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe
864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe
864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe
864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe
864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe
864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe
864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
328	panje.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1584	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	28
PID 864 wrote to memory of 1584	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	28
PID 864 wrote to memory of 1584	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	28
PID 864 wrote to memory of 1584	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	28
PID 1584 wrote to memory of 1688	1584	cmd.exe	30
PID 1584 wrote to memory of 1688	1584	cmd.exe	30
PID 1584 wrote to memory of 1688	1584	cmd.exe	30
PID 1584 wrote to memory of 1688	1584	cmd.exe	30
PID 864 wrote to memory of 1332	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	31
PID 864 wrote to memory of 1332	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	31
PID 864 wrote to memory of 1332	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	31
PID 864 wrote to memory of 1332	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	31
PID 864 wrote to memory of 1968	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	32
PID 864 wrote to memory of 1968	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	32
PID 864 wrote to memory of 1968	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	32
PID 864 wrote to memory of 1968	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	32
PID 864 wrote to memory of 952	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	33
PID 864 wrote to memory of 952	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	33
PID 864 wrote to memory of 952	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	33
PID 864 wrote to memory of 952	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	33
PID 864 wrote to memory of 1304	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	34
PID 864 wrote to memory of 1304	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	34
PID 864 wrote to memory of 1304	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	34
PID 864 wrote to memory of 1304	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	34
PID 864 wrote to memory of 1888	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	35
PID 864 wrote to memory of 1888	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	35
PID 864 wrote to memory of 1888	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	35
PID 864 wrote to memory of 1888	864	07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe	35
PID 1688 wrote to memory of 612	1688	wscript.exe	36
PID 1688 wrote to memory of 612	1688	wscript.exe	36
PID 1688 wrote to memory of 612	1688	wscript.exe	36
PID 1688 wrote to memory of 612	1688	wscript.exe	36
PID 1888 wrote to memory of 328	1888	%tmp%.exe	38
PID 1888 wrote to memory of 328	1888	%tmp%.exe	38
PID 1888 wrote to memory of 328	1888	%tmp%.exe	38

C:\Users\Admin\AppData\Local\Temp\07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe
"C:\Users\Admin\AppData\Local\Temp\07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\java.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\java2.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\java2.bat" "
      4⤵
      Drops startup file
      PID:612
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
  "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Roaming\panje.exe
    "C:\Users\Admin\AppData\Roaming\panje.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\%tmp%.exe

Filesize
26KB

MD5
e1781e1c707dc8060003b3892a4080c0

SHA1
128a66882a03cbac5e89791ba21cbef68f90f89c

SHA256
88a79da108c6eac43b1b69244f6b43e58892d4a78720639b7a3ab5f82163416e

SHA512
a69ca43cae737b07742378e83c97c5665c84353666d9c6cf8549beba5369c3777ac9fa663c72709552ada84b5d4e48770b198cb46a6d8caa25ec6da62917b119

Download Submit
C:\Users\Admin\AppData\Local\Temp\%tmp%.exe

Filesize
26KB

MD5
e1781e1c707dc8060003b3892a4080c0

SHA1
128a66882a03cbac5e89791ba21cbef68f90f89c

SHA256
88a79da108c6eac43b1b69244f6b43e58892d4a78720639b7a3ab5f82163416e

SHA512
a69ca43cae737b07742378e83c97c5665c84353666d9c6cf8549beba5369c3777ac9fa663c72709552ada84b5d4e48770b198cb46a6d8caa25ec6da62917b119

Download Submit
C:\Users\Admin\AppData\Roaming\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\java.bat

Filesize
53B

MD5
1896de26a454df8628034ca3e0649905

SHA1
76b98d95a85d043539706b89194c46cf14464abe

SHA256
d85e713743c7e622166fb0f79478de5eabd53d3fe92bd2011ab441bc85ef2208

SHA512
ef69dacd7e717dff05f8a70c5b9a94011f2df3201cc41d5f8cc030f350b069dc090c5b0d3d0bd19098a187977a82d570e1ee153849f609a65889ba789da953d2

Download Submit
C:\Users\Admin\AppData\Roaming\java2.bat

Filesize
154B

MD5
10c77563b801e15c4884c015f05d4c66

SHA1
fe2259e47c406cfac98b7f084fdbd094a2c48047

SHA256
ce93d874013a91a8a4e441bb874bd7bd39dfb7b0d5cf35f2e38c207f8145f43b

SHA512
725efe7c05f83bb6b88c3ac3aa0019b6cad50fd9ca5d05898e4f47c12bd6566bdb0fffb935db20c92ab3cc23b39e24c662327f8ed9fab9631bbd3197100613ed

Download Submit
C:\Users\Admin\AppData\Roaming\panje .exe

Filesize
97KB

MD5
677553b62c68b73d8aa1b32233988f40

SHA1
11fe891f2367e1efe0d4d28d78ed94d704130bb2

SHA256
07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d

SHA512
53fb6b5d2d6059de3d7f39f281bdbde1c4b8ea1328f2ba4bd07005578bdfa4f52cb366338cf32105d6554d1b87fe6d2c891b360d910b14124a085c0c9b97aa1d

Download Submit
C:\Users\Admin\AppData\Roaming\panje.exe

Filesize
26KB

MD5
e1781e1c707dc8060003b3892a4080c0

SHA1
128a66882a03cbac5e89791ba21cbef68f90f89c

SHA256
88a79da108c6eac43b1b69244f6b43e58892d4a78720639b7a3ab5f82163416e

SHA512
a69ca43cae737b07742378e83c97c5665c84353666d9c6cf8549beba5369c3777ac9fa663c72709552ada84b5d4e48770b198cb46a6d8caa25ec6da62917b119

Download Submit
C:\Users\Admin\AppData\Roaming\panje.exe

Filesize
26KB

MD5
e1781e1c707dc8060003b3892a4080c0

SHA1
128a66882a03cbac5e89791ba21cbef68f90f89c

SHA256
88a79da108c6eac43b1b69244f6b43e58892d4a78720639b7a3ab5f82163416e

SHA512
a69ca43cae737b07742378e83c97c5665c84353666d9c6cf8549beba5369c3777ac9fa663c72709552ada84b5d4e48770b198cb46a6d8caa25ec6da62917b119

Download Submit
C:\Users\Admin\AppData\Roaming\rundll32-.txt

Filesize
97KB

MD5
677553b62c68b73d8aa1b32233988f40

SHA1
11fe891f2367e1efe0d4d28d78ed94d704130bb2

SHA256
07895e7381e8e3825486f9fc85a929ac46f31a902fce3c6da2fd0e2b65dd1a0d

SHA512
53fb6b5d2d6059de3d7f39f281bdbde1c4b8ea1328f2ba4bd07005578bdfa4f52cb366338cf32105d6554d1b87fe6d2c891b360d910b14124a085c0c9b97aa1d

Download Submit
C:\Windows\Temp\svhost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\Temp\svhost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\Temp\svhost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\Temp\svhost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\%tmp%.exe

Filesize
26KB

MD5
e1781e1c707dc8060003b3892a4080c0

SHA1
128a66882a03cbac5e89791ba21cbef68f90f89c

SHA256
88a79da108c6eac43b1b69244f6b43e58892d4a78720639b7a3ab5f82163416e

SHA512
a69ca43cae737b07742378e83c97c5665c84353666d9c6cf8549beba5369c3777ac9fa663c72709552ada84b5d4e48770b198cb46a6d8caa25ec6da62917b119

Download Submit
\Users\Admin\AppData\Local\Temp\%tmp%.exe

Filesize
26KB

MD5
e1781e1c707dc8060003b3892a4080c0

SHA1
128a66882a03cbac5e89791ba21cbef68f90f89c

SHA256
88a79da108c6eac43b1b69244f6b43e58892d4a78720639b7a3ab5f82163416e

SHA512
a69ca43cae737b07742378e83c97c5665c84353666d9c6cf8549beba5369c3777ac9fa663c72709552ada84b5d4e48770b198cb46a6d8caa25ec6da62917b119

Download Submit
\Windows\Temp\svhost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\Temp\svhost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/328-85-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp

Filesize
8KB

Download
memory/328-83-0x000007FEF46F0000-0x000007FEF5113000-memory.dmp

Filesize
10.1MB

Download
memory/328-89-0x0000000000B06000-0x0000000000B25000-memory.dmp

Filesize
124KB

Download
memory/328-84-0x000007FEF3650000-0x000007FEF46E6000-memory.dmp

Filesize
16.6MB

Download
memory/328-87-0x0000000000B06000-0x0000000000B25000-memory.dmp

Filesize
124KB

Download
memory/864-77-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/864-79-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/864-72-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/864-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1888-86-0x0000000001F36000-0x0000000001F55000-memory.dmp

Filesize
124KB

Download
memory/1888-76-0x000007FEF3650000-0x000007FEF46E6000-memory.dmp

Filesize
16.6MB

Download
memory/1888-88-0x0000000001F36000-0x0000000001F55000-memory.dmp

Filesize
124KB

Download
memory/1888-74-0x000007FEF46F0000-0x000007FEF5113000-memory.dmp

Filesize
10.1MB

Download