Analysis
- max time kernel: 150s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 18/10/2022, 13:00
Static task: static1
Behavioral task: behavioral1
- Sample: e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe
- Resource: win10v2004-20220812-en
General
- Target: e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe
- Size: 206KB
- MD5: 31544ee3caa4bbee6b4acdcfc6a62d00
- SHA1: 85c674a12e471e81d7d31354e28ccdd26c78ff30
- SHA256: e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da
- SHA512: 8f667a7ae266a87f8227fad14788080136cb38fdb7edb0442076e3f7e51b095a2b4e7dc719cf7d0ef7d1cc1eb304d78d3120cc388949d4f8af8d0b59f65a20e5
- SSDEEP: 3072:2vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6uniNeZ:2vEN2U+T6i5LirrllHy4HUcMQY6VEZ
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
1724 | explorer.exe
840 | spoolsv.exe
1144 | svchost.exe
1544 | spoolsv.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Loads dropped DLL (8 IoCs)
pid | Process
1964 | e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe
1964 | e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe
1724 | explorer.exe
1724 | explorer.exe
840 | spoolsv.exe
840 | spoolsv.exe
1144 | svchost.exe
1144 | svchost.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1964 | e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe
1724 | explorer.exe
1724 | explorer.exe
1724 | explorer.exe
1724 | explorer.exe
1144 | svchost.exe
1144 | svchost.exe
1144 | svchost.exe
1724 | explorer.exe
1724 | explorer.exe
1144 | svchost.exe
1144 | svchost.exe
1724 | explorer.exe
1144 | svchost.exe
1724 | explorer.exe
1144 | svchost.exe
1724 | explorer.exe
1144 | svchost.exe
1724 | explorer.exe
1144 | svchost.exe
1724 | explorer.exe
1724 | explorer.exe
1144 | svchost.exe
1144 | svchost.exe
1724 | explorer.exe
1724 | explorer.exe
1144 | svchost.exe
1144 | svchost.exe
1724 | explorer.exe
1724 | explorer.exe
1144 | svchost.exe
1144 | svchost.exe
1724 | explorer.exe
1724 | explorer.exe
1144 | svchost.exe
1144 | svchost.exe
1724 | explorer.exe
1144 | svchost.exe
1724 | explorer.exe
1144 | svchost.exe
1724 | explorer.exe
1724 | explorer.exe
1144 | svchost.exe
1144 | svchost.exe
1724 | explorer.exe
1144 | svchost.exe
1724 | explorer.exe
1724 | explorer.exe
1144 | svchost.exe
1144 | svchost.exe
1724 | explorer.exe
1724 | explorer.exe
1144 | svchost.exe
1144 | svchost.exe
1724 | explorer.exe
1724 | explorer.exe
1144 | svchost.exe
1144 | svchost.exe
1724 | explorer.exe
1144 | svchost.exe
1724 | explorer.exe
1724 | explorer.exe
1144 | svchost.exe
1724 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
1724 | explorer.exe
1144 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
1964 | e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe
1964 | e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe
1724 | explorer.exe
1724 | explorer.exe
840 | spoolsv.exe
840 | spoolsv.exe
1144 | svchost.exe
1144 | svchost.exe
1544 | spoolsv.exe
1544 | spoolsv.exe
1724 | explorer.exe
1724 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 1964 wrote to memory of 1724 | 1964 | e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe | 28
PID 1964 wrote to memory of 1724 | 1964 | e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe | 28
PID 1964 wrote to memory of 1724 | 1964 | e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe | 28
PID 1964 wrote to memory of 1724 | 1964 | e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe | 28
PID 1724 wrote to memory of 840 | 1724 | explorer.exe | 29
PID 1724 wrote to memory of 840 | 1724 | explorer.exe | 29
PID 1724 wrote to memory of 840 | 1724 | explorer.exe | 29
PID 1724 wrote to memory of 840 | 1724 | explorer.exe | 29
PID 840 wrote to memory of 1144 | 840 | spoolsv.exe | 30
PID 840 wrote to memory of 1144 | 840 | spoolsv.exe | 30
PID 840 wrote to memory of 1144 | 840 | spoolsv.exe | 30
PID 840 wrote to memory of 1144 | 840 | spoolsv.exe | 30
PID 1144 wrote to memory of 1544 | 1144 | svchost.exe | 31
PID 1144 wrote to memory of 1544 | 1144 | svchost.exe | 31
PID 1144 wrote to memory of 1544 | 1144 | svchost.exe | 31
PID 1144 wrote to memory of 1544 | 1144 | svchost.exe | 31
PID 1144 wrote to memory of 384 | 1144 | svchost.exe | 32
PID 1144 wrote to memory of 384 | 1144 | svchost.exe | 32
PID 1144 wrote to memory of 384 | 1144 | svchost.exe | 32
PID 1144 wrote to memory of 384 | 1144 | svchost.exe | 32
PID 1144 wrote to memory of 1304 | 1144 | svchost.exe | 34
PID 1144 wrote to memory of 1304 | 1144 | svchost.exe | 34
PID 1144 wrote to memory of 1304 | 1144 | svchost.exe | 34
PID 1144 wrote to memory of 1304 | 1144 | svchost.exe | 34
PID 1144 wrote to memory of 776 | 1144 | svchost.exe | 36
PID 1144 wrote to memory of 776 | 1144 | svchost.exe | 36
PID 1144 wrote to memory of 776 | 1144 | svchost.exe | 36
PID 1144 wrote to memory of 776 | 1144 | svchost.exe | 36
Processes
Process tree (indentation shows parent/child nesting; depth as reported by the sandbox)
C:\Users\Admin\AppData\Local\Temp\e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe"
  PID: 1964
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe (depth 2)
    Command line: c:\windows\system\explorer.exe
    PID: 1724
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe (depth 3)
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 840
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe (depth 4)
        Command line: c:\windows\system\svchost.exe
        PID: 1144
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Modifies Installed Components in the registry
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe (depth 5)
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 1544
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe (depth 5)
          Command line: at 15:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 384
        C:\Windows\SysWOW64\at.exe (depth 5)
          Command line: at 15:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1304
        C:\Windows\SysWOW64\at.exe (depth 5)
          Command line: at 15:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 776
Network
MITRE ATT&CK Enterprise v6
Downloads