00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
Size

416KB
MD5

827ac41e1c88869a611420074b7ef735
SHA1

7c3287eaf21c5df3bdaed00544079b3584e03381
SHA256

00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca
SHA512

47a1ddb491e4bd2ab50118d3fd7078e4a621e59c9a4b796bd5748d0a12199b8d8bb9ab5cdd1671ff6de6cf16f783244ccb11f806c9d136e86e9ec7ec400ff637
SSDEEP

12288:hxG8wgVFzxyQfwLVmuDqE871hkgQuoWiM/lM0v/C:hrnFzUKwxmmc7HQfe/lM03C

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\22945 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\cciozy.cmd"	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
60752	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
60848	msiexec.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1352-54-0x0000000000400000-0x000000000078C000-memory.dmp	upx
behavioral1/files/0x000600000001460b-56.dat	upx
behavioral1/files/0x000600000001460b-69.dat	upx
behavioral1/memory/1352-71-0x0000000000400000-0x000000000078C000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
60752	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
60752	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
60752	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
60752	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
60848	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1352 set thread context of 60752	1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	26

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\cciozy.cmd	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
60752	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
60848	msiexec.exe
60848	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 60752	1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	26
PID 1352 wrote to memory of 60752	1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	26
PID 1352 wrote to memory of 60752	1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	26
PID 1352 wrote to memory of 60752	1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	26
PID 1352 wrote to memory of 60752	1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	26
PID 1352 wrote to memory of 60752	1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	26
PID 1352 wrote to memory of 60752	1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	26
PID 1352 wrote to memory of 60752	1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	26
PID 1352 wrote to memory of 60752	1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	26
PID 1352 wrote to memory of 60752	1352	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	26
PID 60752 wrote to memory of 60848	60752	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	27
PID 60752 wrote to memory of 60848	60752	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	27
PID 60752 wrote to memory of 60848	60752	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	27
PID 60752 wrote to memory of 60848	60752	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	27
PID 60752 wrote to memory of 60848	60752	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	27
PID 60752 wrote to memory of 60848	60752	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	27
PID 60752 wrote to memory of 60848	60752	00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe	27
PID 60848 wrote to memory of 60900	60848	msiexec.exe	28
PID 60848 wrote to memory of 60900	60848	msiexec.exe	28
PID 60848 wrote to memory of 60900	60848	msiexec.exe	28
PID 60848 wrote to memory of 60900	60848	msiexec.exe	28

C:\Users\Admin\AppData\Local\Temp\00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
"C:\Users\Admin\AppData\Local\Temp\00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe
  "C:\Users\Admin\AppData\Local\Temp\00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:60752
- - C:\Users\Admin\AppData\Local\Temp\_install_\msiexec.exe
    "C:\Users\Admin\AppData\Local\Temp\_install_\msiexec.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:60848
  - - C:\Windows\syswow64\svchost.exe
      C:\Windows\syswow64\svchost.exe
      4⤵
      Adds policy Run key to start application
      Drops file in Program Files directory
      PID:60900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe

Filesize
416KB

MD5
827ac41e1c88869a611420074b7ef735

SHA1
7c3287eaf21c5df3bdaed00544079b3584e03381

SHA256
00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca

SHA512
47a1ddb491e4bd2ab50118d3fd7078e4a621e59c9a4b796bd5748d0a12199b8d8bb9ab5cdd1671ff6de6cf16f783244ccb11f806c9d136e86e9ec7ec400ff637

Download Submit
C:\Users\Admin\AppData\Local\Temp\_install_\msiexec.exe

Filesize
277KB

MD5
d47f069cd335095c3c2e1ee3d165dd33

SHA1
bc06e31739b7604e80f541203104045cc202da10

SHA256
7d72f243e7219c56cbfd22f03b0a8bfa6be57b521a4e0beb501822f9d752ac7f

SHA512
34a29d5bfc94e12a377f78e80911cb00be53bde51f00294fbe58b327fdb946108dbb972eb8006dcb2213acd9331a502c530a049426e389998a2a389e245aa5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_install_\msiexec.exe

Filesize
277KB

MD5
d47f069cd335095c3c2e1ee3d165dd33

SHA1
bc06e31739b7604e80f541203104045cc202da10

SHA256
7d72f243e7219c56cbfd22f03b0a8bfa6be57b521a4e0beb501822f9d752ac7f

SHA512
34a29d5bfc94e12a377f78e80911cb00be53bde51f00294fbe58b327fdb946108dbb972eb8006dcb2213acd9331a502c530a049426e389998a2a389e245aa5a2

Download Submit
\Users\Admin\AppData\Local\Temp\00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca.exe

Filesize
416KB

MD5
827ac41e1c88869a611420074b7ef735

SHA1
7c3287eaf21c5df3bdaed00544079b3584e03381

SHA256
00c54a66734dc2d982767451c957e251dcb85d0bf594cde05d23a4079a83dfca

SHA512
47a1ddb491e4bd2ab50118d3fd7078e4a621e59c9a4b796bd5748d0a12199b8d8bb9ab5cdd1671ff6de6cf16f783244ccb11f806c9d136e86e9ec7ec400ff637

Download Submit
\Users\Admin\AppData\Local\Temp\_install_\msiexec.exe

Filesize
277KB

MD5
d47f069cd335095c3c2e1ee3d165dd33

SHA1
bc06e31739b7604e80f541203104045cc202da10

SHA256
7d72f243e7219c56cbfd22f03b0a8bfa6be57b521a4e0beb501822f9d752ac7f

SHA512
34a29d5bfc94e12a377f78e80911cb00be53bde51f00294fbe58b327fdb946108dbb972eb8006dcb2213acd9331a502c530a049426e389998a2a389e245aa5a2

Download Submit
\Users\Admin\AppData\Local\Temp\_install_\msiexec.exe

Filesize
277KB

MD5
d47f069cd335095c3c2e1ee3d165dd33

SHA1
bc06e31739b7604e80f541203104045cc202da10

SHA256
7d72f243e7219c56cbfd22f03b0a8bfa6be57b521a4e0beb501822f9d752ac7f

SHA512
34a29d5bfc94e12a377f78e80911cb00be53bde51f00294fbe58b327fdb946108dbb972eb8006dcb2213acd9331a502c530a049426e389998a2a389e245aa5a2

Download Submit
\Users\Admin\AppData\Local\Temp\_install_\msiexec.exe

Filesize
277KB

MD5
d47f069cd335095c3c2e1ee3d165dd33

SHA1
bc06e31739b7604e80f541203104045cc202da10

SHA256
7d72f243e7219c56cbfd22f03b0a8bfa6be57b521a4e0beb501822f9d752ac7f

SHA512
34a29d5bfc94e12a377f78e80911cb00be53bde51f00294fbe58b327fdb946108dbb972eb8006dcb2213acd9331a502c530a049426e389998a2a389e245aa5a2

Download Submit
\Users\Admin\AppData\Local\Temp\_install_\msiexec.exe

Filesize
277KB

MD5
d47f069cd335095c3c2e1ee3d165dd33

SHA1
bc06e31739b7604e80f541203104045cc202da10

SHA256
7d72f243e7219c56cbfd22f03b0a8bfa6be57b521a4e0beb501822f9d752ac7f

SHA512
34a29d5bfc94e12a377f78e80911cb00be53bde51f00294fbe58b327fdb946108dbb972eb8006dcb2213acd9331a502c530a049426e389998a2a389e245aa5a2

Download Submit
\Users\Admin\AppData\Local\Temp\_install_\msiexec.exe

Filesize
277KB

MD5
d47f069cd335095c3c2e1ee3d165dd33

SHA1
bc06e31739b7604e80f541203104045cc202da10

SHA256
7d72f243e7219c56cbfd22f03b0a8bfa6be57b521a4e0beb501822f9d752ac7f

SHA512
34a29d5bfc94e12a377f78e80911cb00be53bde51f00294fbe58b327fdb946108dbb972eb8006dcb2213acd9331a502c530a049426e389998a2a389e245aa5a2

Download Submit
memory/1352-71-0x0000000000400000-0x000000000078C000-memory.dmp

Filesize
3.5MB

Download
memory/1352-55-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1352-54-0x0000000000400000-0x000000000078C000-memory.dmp

Filesize
3.5MB

Download
memory/60752-64-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60752-81-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60752-67-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60752-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60752-62-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60752-57-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60752-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60752-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60752-73-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60848-84-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/60900-86-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/60900-87-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/60900-88-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/60900-90-0x0000000000200000-0x0000000000213000-memory.dmp

Filesize
76KB

Download
memory/60900-91-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download