58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db

Analysis

max time kernel
147s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 16:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
Size

107KB
MD5

96d80fc2389c7a9fdf25f9f9c517f460
SHA1

5b9ed94e4ace2a40f64e3c1278a88f90e5dc63c1
SHA256

58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db
SHA512

9330fd2aae1cd879f7cd53a6294245c462af523d0efcb9289a5074e85dcf71ce0c5359577858e01965c2839f8280426196bc5eba3f20b3851bd0254381bebffb
SSDEEP

1536:L1aqsSj3jJBVZ8bFOfww7As050n1VO1oNlkMPwTIyMo+GPmKdk3duGiGvZCfkagI:53sSXv8bFOlAst1uS7SJtRyFjvov1

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	sgaspf080422.exe

Executes dropped EXE 2 IoCs

pid	Process
316	svchosts.exe
1104	sgaspf080422.exe

Deletes itself 1 IoCs

pid	Process
316	svchosts.exe

Loads dropped DLL 7 IoCs

pid	Process
520	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
316	svchosts.exe
316	svchosts.exe
316	svchosts.exe
316	svchosts.exe
1720	cmd.exe
1720	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lwias16_080422.dll	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
File created	C:\Windows\SysWOW64\inf\svchosts.exe	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchosts.exe	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
File created	C:\Windows\SysWOW64\inf\scrs080422.scr	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
File created	C:\Windows\SysWOW64\mwasys32_080422.dll	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
File created	C:\Windows\SysWOW64\inf\scsys16_080422.dll	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pwisys.ini	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
File created	C:\Windows\system\sgaspf080422.exe	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
File opened for modification	C:\Windows\pwisys.ini	svchosts.exe
File opened for modification	C:\Windows\pwisys.ini	sgaspf080422.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
520	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
520	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
1104	sgaspf080422.exe
1104	sgaspf080422.exe
1104	sgaspf080422.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	520	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
Token: SeDebugPrivilege	520	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
Token: SeDebugPrivilege	1104	sgaspf080422.exe
Token: SeDebugPrivilege	1104	sgaspf080422.exe
Token: SeDebugPrivilege	1104	sgaspf080422.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 316	520	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe	28
PID 520 wrote to memory of 316	520	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe	28
PID 520 wrote to memory of 316	520	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe	28
PID 520 wrote to memory of 316	520	58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe	28
PID 316 wrote to memory of 1720	316	svchosts.exe	29
PID 316 wrote to memory of 1720	316	svchosts.exe	29
PID 316 wrote to memory of 1720	316	svchosts.exe	29
PID 316 wrote to memory of 1720	316	svchosts.exe	29
PID 1720 wrote to memory of 1104	1720	cmd.exe	31
PID 1720 wrote to memory of 1104	1720	cmd.exe	31
PID 1720 wrote to memory of 1104	1720	cmd.exe	31
PID 1720 wrote to memory of 1104	1720	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
"C:\Users\Admin\AppData\Local\Temp\58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\SysWOW64\inf\svchosts.exe
  "C:\Windows\system32\inf\svchosts.exe" C:\Windows\system32\lwias16_080422.dll tanlt88
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\system\sgaspf080422.exe
      "C:\Windows\system\sgaspf080422.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\inf\svchosts.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\inf\svchosts.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\lwias16_080422.dll

Filesize
29KB

MD5
2191d33e25b73ffc27703a238d59007f

SHA1
8e598c958bb401740dc82960bba60bfd41c94017

SHA256
3d6d281df8d98965a82ccef79dadc5a1246e561fcfd1ebf5a274432b63b86673

SHA512
9c2674c5b256b6e2fc590b5ab6ef00cb8887f54fd84b5f640f2dceb5f8fb452c0b7d3ba7c7cede057418d8c84298287e6d6f41efb57710c6db2babebf327e87f

Download Submit
C:\Windows\pwisys.ini

Filesize
467B

MD5
8e37004bc96127f540b189e14d5bd062

SHA1
4e1c0a3d4d25e94b8bcfee5a932d6f0e824d73a7

SHA256
453271f6cf29ebd3590681138ec45b45641995e7140b81781483df92bbbc1bde

SHA512
a35dcd61824555ed75d148bedc1ffe2e4a1610fa3570bb0ff27f634c041198edc3aa1183ef008fb77c1589aca8498d2f8293c4a4c5653e0185d26e98ebfeefe1

Download Submit
C:\Windows\pwisys.ini

Filesize
365B

MD5
b7eaf0386f1fe7797ffb71f6874afb4c

SHA1
e56b1935c068f675ab920aee84b5f5a0212afa03

SHA256
980eeb04f5b8cf999904c54c742ebf50b9987ab9c4114b21ccb8c4ebe6233b84

SHA512
f250a1fceeefa69e48d281899ccaa3aeb1e67cd694376c8ae8f88e6165852b095dd4ca52358469ed9dee4e5eeb5311a2af28679d0ec8a08a32fa0b4808a21926

Download Submit
C:\Windows\pwisys.ini

Filesize
393B

MD5
d074aa9bd1d7bae05ab78c1a732617b3

SHA1
b4851e0043b12951de5ffa30b296292909b0facb

SHA256
0d662952c37fe276eb3f5863f639976cf328720d2e85afea6a21db9e54a2ef33

SHA512
240e2585cd33bc4db3cddf277c65dff871e13f01d56b1961b02fc048bf6c67c1fb936226d8fb02c53d0e31dc4591d4f4f44df68fe4424c58b104221d6e4aa28f

Download Submit
C:\Windows\system\sgaspf080422.exe

Filesize
107KB

MD5
96d80fc2389c7a9fdf25f9f9c517f460

SHA1
5b9ed94e4ace2a40f64e3c1278a88f90e5dc63c1

SHA256
58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db

SHA512
9330fd2aae1cd879f7cd53a6294245c462af523d0efcb9289a5074e85dcf71ce0c5359577858e01965c2839f8280426196bc5eba3f20b3851bd0254381bebffb

Download Submit
C:\Windows\system\sgaspf080422.exe

Filesize
107KB

MD5
96d80fc2389c7a9fdf25f9f9c517f460

SHA1
5b9ed94e4ace2a40f64e3c1278a88f90e5dc63c1

SHA256
58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db

SHA512
9330fd2aae1cd879f7cd53a6294245c462af523d0efcb9289a5074e85dcf71ce0c5359577858e01965c2839f8280426196bc5eba3f20b3851bd0254381bebffb

Download Submit
\??\c:\mylstecj.bat

Filesize
48B

MD5
0ebc61129834fd3c0139fad0797940cd

SHA1
6f522479c4c42cfc230c4a580ed158362669a7ba

SHA256
cbfc19baec9bdd98edce56aee2640c005a121ba8d13664d11640e08e1a2b6709

SHA512
41225473b86e1e68e577f9651fc8c409e462201602adb4a1c0b85aa876789bfc7da53b2dd551ec4e72666d4feb915f023afe42319b55fca60cf36916ba53371c

Download Submit
\Windows\SysWOW64\inf\svchosts.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\lwias16_080422.dll

Filesize
29KB

MD5
2191d33e25b73ffc27703a238d59007f

SHA1
8e598c958bb401740dc82960bba60bfd41c94017

SHA256
3d6d281df8d98965a82ccef79dadc5a1246e561fcfd1ebf5a274432b63b86673

SHA512
9c2674c5b256b6e2fc590b5ab6ef00cb8887f54fd84b5f640f2dceb5f8fb452c0b7d3ba7c7cede057418d8c84298287e6d6f41efb57710c6db2babebf327e87f

Download Submit
\Windows\SysWOW64\lwias16_080422.dll

Filesize
29KB

MD5
2191d33e25b73ffc27703a238d59007f

SHA1
8e598c958bb401740dc82960bba60bfd41c94017

SHA256
3d6d281df8d98965a82ccef79dadc5a1246e561fcfd1ebf5a274432b63b86673

SHA512
9c2674c5b256b6e2fc590b5ab6ef00cb8887f54fd84b5f640f2dceb5f8fb452c0b7d3ba7c7cede057418d8c84298287e6d6f41efb57710c6db2babebf327e87f

Download Submit
\Windows\SysWOW64\lwias16_080422.dll

Filesize
29KB

MD5
2191d33e25b73ffc27703a238d59007f

SHA1
8e598c958bb401740dc82960bba60bfd41c94017

SHA256
3d6d281df8d98965a82ccef79dadc5a1246e561fcfd1ebf5a274432b63b86673

SHA512
9c2674c5b256b6e2fc590b5ab6ef00cb8887f54fd84b5f640f2dceb5f8fb452c0b7d3ba7c7cede057418d8c84298287e6d6f41efb57710c6db2babebf327e87f

Download Submit
\Windows\SysWOW64\lwias16_080422.dll

Filesize
29KB

MD5
2191d33e25b73ffc27703a238d59007f

SHA1
8e598c958bb401740dc82960bba60bfd41c94017

SHA256
3d6d281df8d98965a82ccef79dadc5a1246e561fcfd1ebf5a274432b63b86673

SHA512
9c2674c5b256b6e2fc590b5ab6ef00cb8887f54fd84b5f640f2dceb5f8fb452c0b7d3ba7c7cede057418d8c84298287e6d6f41efb57710c6db2babebf327e87f

Download Submit
\Windows\system\sgaspf080422.exe

Filesize
107KB

MD5
96d80fc2389c7a9fdf25f9f9c517f460

SHA1
5b9ed94e4ace2a40f64e3c1278a88f90e5dc63c1

SHA256
58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db

SHA512
9330fd2aae1cd879f7cd53a6294245c462af523d0efcb9289a5074e85dcf71ce0c5359577858e01965c2839f8280426196bc5eba3f20b3851bd0254381bebffb

Download Submit
\Windows\system\sgaspf080422.exe

Filesize
107KB

MD5
96d80fc2389c7a9fdf25f9f9c517f460

SHA1
5b9ed94e4ace2a40f64e3c1278a88f90e5dc63c1

SHA256
58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db

SHA512
9330fd2aae1cd879f7cd53a6294245c462af523d0efcb9289a5074e85dcf71ce0c5359577858e01965c2839f8280426196bc5eba3f20b3851bd0254381bebffb

Download Submit
memory/316-64-0x0000000000140000-0x000000000014D000-memory.dmp

Filesize
52KB

Download
memory/520-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download