Analysis

  • max time kernel
    150s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/10/2022, 13:00

General

  • Target

    e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe

  • Size

    206KB

  • MD5

    31544ee3caa4bbee6b4acdcfc6a62d00

  • SHA1

    85c674a12e471e81d7d31354e28ccdd26c78ff30

  • SHA256

    e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da

  • SHA512

    8f667a7ae266a87f8227fad14788080136cb38fdb7edb0442076e3f7e51b095a2b4e7dc719cf7d0ef7d1cc1eb304d78d3120cc388949d4f8af8d0b59f65a20e5

  • SSDEEP

    3072:2vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6uniNeZ:2vEN2U+T6i5LirrllHy4HUcMQY6VEZ

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe
    "C:\Users\Admin\AppData\Local\Temp\e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3916
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2448
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1132
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2824
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:372
          • C:\Windows\SysWOW64\at.exe
            at 15:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1820
            • C:\Windows\SysWOW64\at.exe
              at 15:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2508
              • C:\Windows\SysWOW64\at.exe
                at 15:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3348

        Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          206KB

          MD5

          5784fa21b6f17303b49ffcb6d63dcddd

          SHA1

          cb47b47a84c4f5153da9bde818856d47c6f9c6e9

          SHA256

          083f07759b79cf98aca5485e6e1b6f89da8c42da4223b482cd2f7819399e4e8f

          SHA512

          cc52bbf78a8d1b68c94887cdcbf32dcaa10e32e3ba91e97eb897667079bf0727351a4aad7515157027c61f6dd09b90b7a198dd2cad49e3592d37e1f97c3b1e2c

        • C:\Windows\System\explorer.exe

          Filesize

          206KB

          MD5

          ee53e1bf46ee85a4a5828056568d0d05

          SHA1

          3957c33931d6253b4418a2d8410bd61d66f21b21

          SHA256

          bd3be09ab606d6ef7a1ef0033070ce40e018c854bf038432ea92904cd6a01355

          SHA512

          529e7ef2eb5b3116b434db803b904038dbe6b7d8dc4cebe7fa216916ba036acd6b08a977266231bef0c957fb2d3a1f04c056fa2e143606f40506a7f08e474f4f

        • C:\Windows\System\spoolsv.exe

          Filesize

          206KB

          MD5

          26fbd416deb89229644bf199abf34fd4

          SHA1

          12488ea1d467ccc88f7d57b168b89ca33e07c7a6

          SHA256

          ba99d69d1b05558648887fcc919b47bd603c3a1aa0b4090463afb5f98f339090

          SHA512

          a3304e9d2ffd992e8c9536bbc761ee71e2aa1f64168642e232db19e8f2e62534e879737cb4fa60734abfe6fa2c9e07560323f74cb080a720d3121e4fc78317d3

        • C:\Windows\System\svchost.exe

          Filesize

          206KB

          MD5

          48dd95b4aa1cf84aefedada1efc03c9f

          SHA1

          944e1e1d7acd6ec3c22251276d1d999f3f056406

          SHA256

          81d9c07547fb9408b0f48ae192562ca2f649164a698eb58d36ee9a8a4cdc4ad9

          SHA512

          8b966bcb3dc8783af25e9e4e08c467c095f4e2812f4e1bfdc94e6b1b8fdb9a50168ca970bf5b4fd87739abbcf20fb47c903a9cf664fc96db1c19907cb1c78592

        • \??\c:\windows\system\explorer.exe

          Filesize

          206KB

          MD5

          ee53e1bf46ee85a4a5828056568d0d05

          SHA1

          3957c33931d6253b4418a2d8410bd61d66f21b21

          SHA256

          bd3be09ab606d6ef7a1ef0033070ce40e018c854bf038432ea92904cd6a01355

          SHA512

          529e7ef2eb5b3116b434db803b904038dbe6b7d8dc4cebe7fa216916ba036acd6b08a977266231bef0c957fb2d3a1f04c056fa2e143606f40506a7f08e474f4f

        • \??\c:\windows\system\spoolsv.exe

          Filesize

          206KB

          MD5

          26fbd416deb89229644bf199abf34fd4

          SHA1

          12488ea1d467ccc88f7d57b168b89ca33e07c7a6

          SHA256

          ba99d69d1b05558648887fcc919b47bd603c3a1aa0b4090463afb5f98f339090

          SHA512

          a3304e9d2ffd992e8c9536bbc761ee71e2aa1f64168642e232db19e8f2e62534e879737cb4fa60734abfe6fa2c9e07560323f74cb080a720d3121e4fc78317d3

        • \??\c:\windows\system\svchost.exe

          Filesize

          206KB

          MD5

          48dd95b4aa1cf84aefedada1efc03c9f

          SHA1

          944e1e1d7acd6ec3c22251276d1d999f3f056406

          SHA256

          81d9c07547fb9408b0f48ae192562ca2f649164a698eb58d36ee9a8a4cdc4ad9

          SHA512

          8b966bcb3dc8783af25e9e4e08c467c095f4e2812f4e1bfdc94e6b1b8fdb9a50168ca970bf5b4fd87739abbcf20fb47c903a9cf664fc96db1c19907cb1c78592

        • memory/372-161-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/1132-149-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/1132-162-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2448-148-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2448-168-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2824-166-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/3916-132-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/3916-163-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB