09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811

Analysis

max time kernel
152s
max time network
173s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 23:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe
Size

565KB
MD5

a0e1b8505074e7e78fa9cbbb72ebf330
SHA1

e2c7955194b711704621cb115671d98c69bbaaff
SHA256

09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811
SHA512

f75cff64c6ddf713cddb6a14ba2d5a610b158dc022c0369ed9bb1377376718873b90208c3f926b3bc15573c41a03f5e31d720fdcac15f0fc938010141eb0eef8
SSDEEP

12288:ydPq/BBaASp08yFqcoNxBOHkR9kc8QcUnCE4pEf6bg06:8Pq/3aZ08UEbrt8GCESZ006

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 5 IoCs

pid	Process
1144	62EA.tmp
1036	6F49.tmp
1500	update.exe
460	Process not Found
672	Update.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfb5f6db.exe	explorer.exe

Loads dropped DLL 6 IoCs

pid	Process
1508	09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe
1508	09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe
1508	09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe
1036	6F49.tmp
1036	6F49.tmp
460	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfb5f6d = "C:\\dfb5f6db\\dfb5f6db.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fb5f6d = "C:\\dfb5f6db\\dfb5f6db.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfb5f6db = "C:\\Users\\Admin\\AppData\\Roaming\\dfb5f6db.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fb5f6db = "C:\\Users\\Admin\\AppData\\Roaming\\dfb5f6db.exe"	explorer.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-addr.es
4	myexternalip.com
6	myexternalip.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Update.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\FrameworkUpdate\Update.exe	Update.exe
File created	C:\Windows\FrameworkUpdate\Update.exe	update.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1160	vssadmin.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Update.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
672	Update.exe
672	Update.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1144	62EA.tmp
1388	explorer.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeBackupPrivilege	1752	vssvc.exe
Token: SeRestorePrivilege	1752	vssvc.exe
Token: SeAuditPrivilege	1752	vssvc.exe
Token: SeImpersonatePrivilege	1036	6F49.tmp
Token: SeTcbPrivilege	1036	6F49.tmp
Token: SeChangeNotifyPrivilege	1036	6F49.tmp
Token: SeCreateTokenPrivilege	1036	6F49.tmp
Token: SeBackupPrivilege	1036	6F49.tmp
Token: SeIncreaseQuotaPrivilege	1036	6F49.tmp
Token: SeAssignPrimaryTokenPrivilege	1036	6F49.tmp
Token: SeImpersonatePrivilege	1500	update.exe
Token: SeTcbPrivilege	1500	update.exe
Token: SeChangeNotifyPrivilege	1500	update.exe
Token: SeCreateTokenPrivilege	1500	update.exe
Token: SeBackupPrivilege	1500	update.exe
Token: SeIncreaseQuotaPrivilege	1500	update.exe
Token: SeAssignPrimaryTokenPrivilege	1500	update.exe
Token: SeImpersonatePrivilege	672	Update.exe
Token: SeTcbPrivilege	672	Update.exe
Token: SeChangeNotifyPrivilege	672	Update.exe
Token: SeCreateTokenPrivilege	672	Update.exe
Token: SeBackupPrivilege	672	Update.exe
Token: SeIncreaseQuotaPrivilege	672	Update.exe
Token: SeAssignPrimaryTokenPrivilege	672	Update.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1144	1508	09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe	27
PID 1508 wrote to memory of 1144	1508	09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe	27
PID 1508 wrote to memory of 1144	1508	09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe	27
PID 1508 wrote to memory of 1144	1508	09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe	27
PID 1144 wrote to memory of 1388	1144	62EA.tmp	28
PID 1144 wrote to memory of 1388	1144	62EA.tmp	28
PID 1144 wrote to memory of 1388	1144	62EA.tmp	28
PID 1144 wrote to memory of 1388	1144	62EA.tmp	28
PID 1388 wrote to memory of 1376	1388	explorer.exe	29
PID 1388 wrote to memory of 1376	1388	explorer.exe	29
PID 1388 wrote to memory of 1376	1388	explorer.exe	29
PID 1388 wrote to memory of 1376	1388	explorer.exe	29
PID 1388 wrote to memory of 1160	1388	explorer.exe	30
PID 1388 wrote to memory of 1160	1388	explorer.exe	30
PID 1388 wrote to memory of 1160	1388	explorer.exe	30
PID 1388 wrote to memory of 1160	1388	explorer.exe	30
PID 1508 wrote to memory of 1036	1508	09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe	34
PID 1508 wrote to memory of 1036	1508	09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe	34
PID 1508 wrote to memory of 1036	1508	09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe	34
PID 1508 wrote to memory of 1036	1508	09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe	34
PID 1036 wrote to memory of 1500	1036	6F49.tmp	36
PID 1036 wrote to memory of 1500	1036	6F49.tmp	36
PID 1036 wrote to memory of 1500	1036	6F49.tmp	36
PID 1036 wrote to memory of 1500	1036	6F49.tmp	36

C:\Users\Admin\AppData\Local\Temp\09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe
"C:\Users\Admin\AppData\Local\Temp\09b7511097ba23a64526b00cd50ef478f468d8f515a2946e8f0878fa8b260811.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\62EA.tmp
  C:\Users\Admin\AppData\Local\Temp\62EA.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\syswow64\svchost.exe
      -k netsvcs
      4⤵
      PID:1376
  - - C:\Windows\syswow64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1160
- C:\Users\Admin\AppData\Local\Temp\6F49.tmp
  C:\Users\Admin\AppData\Local\Temp\6F49.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\update.exe
    C:\Users\Admin\AppData\Local\Temp\\update.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\FrameworkUpdate\Update.exe
C:\Windows\FrameworkUpdate\Update.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\62EA.tmp

Filesize
175KB

MD5
476fea35297f445161c39be5236344ff

SHA1
60ef089dabee000aca37025559b8d93b286ffe4f

SHA256
704ce59a7be0c606a9baa00219d1d2c3f09dfeec6d4eb0e67e3b4f177a9f9a49

SHA512
8254c959c8550e0b23d0e25dc65db5b0f088c4539a85d11b7702ecd3de8181796c407f0b1a03b6d9d9dd34d4f0c3e8f9d4052a810d66bda732cc5449642c010e

Download Submit
C:\Users\Admin\AppData\Local\Temp\62EA.tmp

Filesize
175KB

MD5
476fea35297f445161c39be5236344ff

SHA1
60ef089dabee000aca37025559b8d93b286ffe4f

SHA256
704ce59a7be0c606a9baa00219d1d2c3f09dfeec6d4eb0e67e3b4f177a9f9a49

SHA512
8254c959c8550e0b23d0e25dc65db5b0f088c4539a85d11b7702ecd3de8181796c407f0b1a03b6d9d9dd34d4f0c3e8f9d4052a810d66bda732cc5449642c010e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F49.tmp

Filesize
268KB

MD5
e191ab11f72fc649ae12256ed72a4c30

SHA1
87592306de7e4011daa553a69378405c2c442ca5

SHA256
d0ed28f4a96e96978bc75c28d723d6299ae5fec3f53b4b127574ba16322588a0

SHA512
9e481f721209de6a7c9467f613a873eca1577348741ff7bcdf9bbf7bcc7c23f7739f95c1ad4ce48d591dcaf144d31b8c759349c9eb18b876878f2a985d3f1de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
93KB

MD5
af4eefc758646b324b94c1befebb1374

SHA1
723f690d6daa09d00fcd26fbc52b5e5d253ed1ed

SHA256
9e5b18ce78cec7f96f9ca79c5f87782c7c40a962d412aeb1d8e25e5ea1f339e5

SHA512
f2e0a604fc2e3e91d463db9548839d9e371a3030bf5cbe43327c92c4f7f5855c9bba75845de80d73094c03d020255773c28f05c5107b98adecbd2c0a101bb3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
93KB

MD5
af4eefc758646b324b94c1befebb1374

SHA1
723f690d6daa09d00fcd26fbc52b5e5d253ed1ed

SHA256
9e5b18ce78cec7f96f9ca79c5f87782c7c40a962d412aeb1d8e25e5ea1f339e5

SHA512
f2e0a604fc2e3e91d463db9548839d9e371a3030bf5cbe43327c92c4f7f5855c9bba75845de80d73094c03d020255773c28f05c5107b98adecbd2c0a101bb3c2

Download Submit
C:\Windows\FrameworkUpdate\Update.exe

Filesize
93KB

MD5
af4eefc758646b324b94c1befebb1374

SHA1
723f690d6daa09d00fcd26fbc52b5e5d253ed1ed

SHA256
9e5b18ce78cec7f96f9ca79c5f87782c7c40a962d412aeb1d8e25e5ea1f339e5

SHA512
f2e0a604fc2e3e91d463db9548839d9e371a3030bf5cbe43327c92c4f7f5855c9bba75845de80d73094c03d020255773c28f05c5107b98adecbd2c0a101bb3c2

Download Submit
C:\Windows\FrameworkUpdate\Update.exe

Filesize
93KB

MD5
af4eefc758646b324b94c1befebb1374

SHA1
723f690d6daa09d00fcd26fbc52b5e5d253ed1ed

SHA256
9e5b18ce78cec7f96f9ca79c5f87782c7c40a962d412aeb1d8e25e5ea1f339e5

SHA512
f2e0a604fc2e3e91d463db9548839d9e371a3030bf5cbe43327c92c4f7f5855c9bba75845de80d73094c03d020255773c28f05c5107b98adecbd2c0a101bb3c2

Download Submit
\Users\Admin\AppData\Local\Temp\62EA.tmp

Filesize
175KB

MD5
476fea35297f445161c39be5236344ff

SHA1
60ef089dabee000aca37025559b8d93b286ffe4f

SHA256
704ce59a7be0c606a9baa00219d1d2c3f09dfeec6d4eb0e67e3b4f177a9f9a49

SHA512
8254c959c8550e0b23d0e25dc65db5b0f088c4539a85d11b7702ecd3de8181796c407f0b1a03b6d9d9dd34d4f0c3e8f9d4052a810d66bda732cc5449642c010e

Download Submit
\Users\Admin\AppData\Local\Temp\6F49.tmp

Filesize
268KB

MD5
e191ab11f72fc649ae12256ed72a4c30

SHA1
87592306de7e4011daa553a69378405c2c442ca5

SHA256
d0ed28f4a96e96978bc75c28d723d6299ae5fec3f53b4b127574ba16322588a0

SHA512
9e481f721209de6a7c9467f613a873eca1577348741ff7bcdf9bbf7bcc7c23f7739f95c1ad4ce48d591dcaf144d31b8c759349c9eb18b876878f2a985d3f1de7

Download Submit
\Users\Admin\AppData\Local\Temp\6F49.tmp

Filesize
268KB

MD5
e191ab11f72fc649ae12256ed72a4c30

SHA1
87592306de7e4011daa553a69378405c2c442ca5

SHA256
d0ed28f4a96e96978bc75c28d723d6299ae5fec3f53b4b127574ba16322588a0

SHA512
9e481f721209de6a7c9467f613a873eca1577348741ff7bcdf9bbf7bcc7c23f7739f95c1ad4ce48d591dcaf144d31b8c759349c9eb18b876878f2a985d3f1de7

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
93KB

MD5
af4eefc758646b324b94c1befebb1374

SHA1
723f690d6daa09d00fcd26fbc52b5e5d253ed1ed

SHA256
9e5b18ce78cec7f96f9ca79c5f87782c7c40a962d412aeb1d8e25e5ea1f339e5

SHA512
f2e0a604fc2e3e91d463db9548839d9e371a3030bf5cbe43327c92c4f7f5855c9bba75845de80d73094c03d020255773c28f05c5107b98adecbd2c0a101bb3c2

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
93KB

MD5
af4eefc758646b324b94c1befebb1374

SHA1
723f690d6daa09d00fcd26fbc52b5e5d253ed1ed

SHA256
9e5b18ce78cec7f96f9ca79c5f87782c7c40a962d412aeb1d8e25e5ea1f339e5

SHA512
f2e0a604fc2e3e91d463db9548839d9e371a3030bf5cbe43327c92c4f7f5855c9bba75845de80d73094c03d020255773c28f05c5107b98adecbd2c0a101bb3c2

Download Submit
\Windows\FrameworkUpdate\Update.exe

Filesize
93KB

MD5
af4eefc758646b324b94c1befebb1374

SHA1
723f690d6daa09d00fcd26fbc52b5e5d253ed1ed

SHA256
9e5b18ce78cec7f96f9ca79c5f87782c7c40a962d412aeb1d8e25e5ea1f339e5

SHA512
f2e0a604fc2e3e91d463db9548839d9e371a3030bf5cbe43327c92c4f7f5855c9bba75845de80d73094c03d020255773c28f05c5107b98adecbd2c0a101bb3c2

Download Submit
\Windows\FrameworkUpdate\Update.exe

Filesize
93KB

MD5
af4eefc758646b324b94c1befebb1374

SHA1
723f690d6daa09d00fcd26fbc52b5e5d253ed1ed

SHA256
9e5b18ce78cec7f96f9ca79c5f87782c7c40a962d412aeb1d8e25e5ea1f339e5

SHA512
f2e0a604fc2e3e91d463db9548839d9e371a3030bf5cbe43327c92c4f7f5855c9bba75845de80d73094c03d020255773c28f05c5107b98adecbd2c0a101bb3c2

Download Submit
memory/672-94-0x0000000140000000-0x0000000140048000-memory.dmp

Filesize
288KB

Download
memory/672-91-0x0000000140000000-0x0000000140048000-memory.dmp

Filesize
288KB

Download
memory/1036-84-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1036-78-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1144-64-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/1144-62-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/1376-79-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/1376-75-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/1388-65-0x0000000074451000-0x0000000074453000-memory.dmp

Filesize
8KB

Download
memory/1388-66-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/1500-85-0x0000000140000000-0x0000000140048000-memory.dmp

Filesize
288KB

Download
memory/1500-90-0x0000000140000000-0x0000000140048000-memory.dmp

Filesize
288KB

Download
memory/1500-93-0x0000000140000000-0x0000000140048000-memory.dmp

Filesize
288KB

Download
memory/1508-76-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1508-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1508-56-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1508-55-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download