Analysis
max time kernel: 130s
max time network: 190s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-10-2022 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
  Resource: win10v2004-20220812-en
General
Target: eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
Size: 603KB
MD5: 81065bd2f8f783eaabc3ce5c6d922fe0
SHA1: 1d8b9371820b51ab95b2bd907c19b3deb9c53321
SHA256: eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff
SHA512: 5531b12121346ee98b227627dc5840a38727d2e71c400cd354cd332401b57ec4fcb2f36ead4e459695df919816d67b7545eae8d5a0ac081f63f8bd86b7d7583f
SSDEEP: 12288:U3TdtLW5WIj1dSSdFxsySXyMzBUWb9lx/9AgFLo8OW+rB:eDsj1YEcycJ9nPx/igxp+
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe regsvr.exe" | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
Disables Task Manager via registry modification
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Msn Messsenger = "C:\\Windows\\system32\\regsvr.exe" | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\k: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\a: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\f: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\g: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\h: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\j: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\b: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\o: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\u: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\x: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\v: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\y: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\l: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\m: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\r: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\s: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\t: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\w: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\z: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\e: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\i: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\n: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\p: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened (read-only) | \??\q: | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2084-137-0x0000000000400000-0x00000000004BB000-memory.dmp | autoit_exe
Drops file in System32 directory (10 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\28463 | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File created | C:\Windows\SysWOW64\regsvr.exe | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened for modification | C:\Windows\SysWOW64\regsvr.exe | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File created | C:\Windows\SysWOW64\svchost .exe | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened for modification | C:\Windows\SysWOW64\svchost .exe | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened for modification | C:\Windows\SysWOW64\setting.ini | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File created | C:\Windows\SysWOW64\28463\svchost.001 | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened for modification | C:\Windows\SysWOW64\28463\svchost.001 | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened for modification | C:\Windows\SysWOW64\setup.ini | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File created | C:\Windows\SysWOW64\setting.ini | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\regsvr.exe | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
File opened for modification | C:\Windows\regsvr.exe | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2084 | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
(the same row is recorded 64 times)
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2084 wrote to memory of 3988 | 2084 | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe | 81 (recorded 3 times)
PID 3988 wrote to memory of 3340 | 3988 | cmd.exe | 83 (recorded 3 times)
PID 2084 wrote to memory of 432 | 2084 | eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe | 84 (recorded 3 times)
PID 432 wrote to memory of 4436 | 432 | cmd.exe | 86 (recorded 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eba54685344fb75ce7cc1c1bbab125a287eb139640a8b9dbabe975a1270684ff.exe"
  PID: 2084
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
    PID: 3988
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\at.exe
      Command line: AT /delete /yes
      PID: 3340
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\svchost .exe
    PID: 432
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\at.exe
      Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\svchost .exe
      PID: 4436