Overview

overview

10

Static

static

7b0ce96021...e8.exe

windows7-x64

10

7b0ce96021...e8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    21-10-2022 02:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe

  • Size

    390KB

  • MD5

    4529fecf664706a64c26f877cb00fa42

  • SHA1

    8275776b9ea9bb6b29d34fe083d7295b824a19aa

  • SHA256

    7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8

  • SHA512

    2928b8b04fd33e3beb25807f0fc4b9c2f72d955b3bce7d300c001ff4b859bb2fe75e47d17c2ea3e060b3f8cd6d77d46b699339d10508bad6dbf534666114f0d9

  • SSDEEP

    6144:LoJNVPEqg/pAtAhGmwdQ/Qvx5BIxhYBDmow3MBjknT/Ls/VhddiglZXT:LEVPKpmAhJe20x5GwBSoQodT4q

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe
    "C:\Users\Admin\AppData\Local\Temp\7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Users\Admin\AppData\Local\Temp\7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe
      7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Users\Admin\gsSL32G1g4.exe
        C:\Users\Admin\gsSL32G1g4.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Users\Admin\gaiipox.exe
          "C:\Users\Admin\gaiipox.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1200
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del gsSL32G1g4.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1692
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1344
      • C:\Users\Admin\awhost.exe
        C:\Users\Admin\awhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 140
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:836
      • C:\Users\Admin\bwhost.exe
        C:\Users\Admin\bwhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Users\Admin\bwhost.exe
          "C:\Users\Admin\bwhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Windows\explorer.exe
            0000003C*
            5⤵
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1456
      • C:\Users\Admin\cwhost.exe
        C:\Users\Admin\cwhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1332
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    PID:332

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\awhost.exe
    Filesize

    147KB

    MD5

    c1f93ef271b9b62ba07e68c653e19a52

    SHA1

    92844479d30e93c8b3136d898322809c9e72df2b

    SHA256

    c109fe9a2bd01b52b0281b9ad5cc8b7a0e79beaee86fcbd86dab49649c8e249e

    SHA512

    196224afe15ab4782bfa805b0ea98c66065e935f4a17ba0b42f9db7bd6108454e58f2145ee75525b0e587f303ff9f0a46b28eb3c8414b68fb531085b305d1e30

    Download Submit

  • C:\Users\Admin\awhost.exe
    Filesize

    147KB

    MD5

    c1f93ef271b9b62ba07e68c653e19a52

    SHA1

    92844479d30e93c8b3136d898322809c9e72df2b

    SHA256

    c109fe9a2bd01b52b0281b9ad5cc8b7a0e79beaee86fcbd86dab49649c8e249e

    SHA512

    196224afe15ab4782bfa805b0ea98c66065e935f4a17ba0b42f9db7bd6108454e58f2145ee75525b0e587f303ff9f0a46b28eb3c8414b68fb531085b305d1e30

    Download Submit

  • C:\Users\Admin\bwhost.exe
    Filesize

    124KB

    MD5

    345faacdb016f476ad5096acd0812b46

    SHA1

    e942cd79ef99684196ad2cef6899f2bee28142dd

    SHA256

    a4776d7fa21fcc77beacb95896cd749218185bba56e77e77f641795ed3285570

    SHA512

    2cedd0d8e2b20e76c5b643326b5598f9033458628bf1a795c9bca7b267225c14da241e7c585bbbfb0591ac696a4b3aa6434cfe851403efc3b4f3a8f2e26d1fe2

    Download Submit

  • C:\Users\Admin\bwhost.exe
    Filesize

    124KB

    MD5

    345faacdb016f476ad5096acd0812b46

    SHA1

    e942cd79ef99684196ad2cef6899f2bee28142dd

    SHA256

    a4776d7fa21fcc77beacb95896cd749218185bba56e77e77f641795ed3285570

    SHA512

    2cedd0d8e2b20e76c5b643326b5598f9033458628bf1a795c9bca7b267225c14da241e7c585bbbfb0591ac696a4b3aa6434cfe851403efc3b4f3a8f2e26d1fe2

    Download Submit

  • C:\Users\Admin\bwhost.exe
    Filesize

    124KB

    MD5

    345faacdb016f476ad5096acd0812b46

    SHA1

    e942cd79ef99684196ad2cef6899f2bee28142dd

    SHA256

    a4776d7fa21fcc77beacb95896cd749218185bba56e77e77f641795ed3285570

    SHA512

    2cedd0d8e2b20e76c5b643326b5598f9033458628bf1a795c9bca7b267225c14da241e7c585bbbfb0591ac696a4b3aa6434cfe851403efc3b4f3a8f2e26d1fe2

    Download Submit

  • C:\Users\Admin\cwhost.exe
    Filesize

    24KB

    MD5

    eac84f965bc8ddbe04c1c35fc1ff6a16

    SHA1

    06d0a39476450e8657612d7df2905dffeb30d3c6

    SHA256

    d16fbdf475ae84c7831249c8f1188110a49066df22d4626cb262ea1b2a9a0af5

    SHA512

    cca2e4904d7bdcb483306413846f1683451dd75dbbbe29e0b2bfd22f7abc343045a94cdd67b355a8ea48331372baf18ca401d5cc15387154f05863693f986b51

    Download Submit

  • C:\Users\Admin\gaiipox.exe
    Filesize

    156KB

    MD5

    47c6e5e0a537d6389c8ce2545510fb67

    SHA1

    63ca21325139c763c0da62d07a10b161f48242e0

    SHA256

    dbe6a627f36f9b950c157b19e904db425c3723204f6e13e8c99d99c4fd399ef9

    SHA512

    888eb61b4fd4ecb554eafeae16514a25559be48c7d1111e4452870b25e88d01c9f241af6477de3cf17c93ffa82585517e13a6828cc31b4c720605b11a866baf7

    Download Submit

  • C:\Users\Admin\gaiipox.exe
    Filesize

    156KB

    MD5

    47c6e5e0a537d6389c8ce2545510fb67

    SHA1

    63ca21325139c763c0da62d07a10b161f48242e0

    SHA256

    dbe6a627f36f9b950c157b19e904db425c3723204f6e13e8c99d99c4fd399ef9

    SHA512

    888eb61b4fd4ecb554eafeae16514a25559be48c7d1111e4452870b25e88d01c9f241af6477de3cf17c93ffa82585517e13a6828cc31b4c720605b11a866baf7

    Download Submit

  • C:\Users\Admin\gsSL32G1g4.exe
    Filesize

    156KB

    MD5

    38222ccc41836dee63bf60b5511575dd

    SHA1

    a60e47ef0f8979ecc9ef11a2e446003b52e0e1a1

    SHA256

    6cc93c8c02fdb2f11a9290049aadf87f30521a14b715da3a9b78362be2eb5c96

    SHA512

    c8447f42b4c63f879b266fa068ced3bef2505c522dfea16d800a7d476cdc2ae8eff022b441c0f003293088bb22d43c4d8bf0ee753604644f4e5d80ee809054aa

    Download Submit

  • C:\Users\Admin\gsSL32G1g4.exe
    Filesize

    156KB

    MD5

    38222ccc41836dee63bf60b5511575dd

    SHA1

    a60e47ef0f8979ecc9ef11a2e446003b52e0e1a1

    SHA256

    6cc93c8c02fdb2f11a9290049aadf87f30521a14b715da3a9b78362be2eb5c96

    SHA512

    c8447f42b4c63f879b266fa068ced3bef2505c522dfea16d800a7d476cdc2ae8eff022b441c0f003293088bb22d43c4d8bf0ee753604644f4e5d80ee809054aa

    Download Submit

  • C:\Windows\system32\consrv.DLL
    Filesize

    53KB

    MD5

    68689b2e7472e2cfb3f39da8a59505d9

    SHA1

    5be15784ab1193dc13ac24ec1efcabded5fe2df4

    SHA256

    f304eb2cf6479a4fb36fef81c6df4d0225e251002e8f06f26ee196210bf3d168

    SHA512

    269999061cd54b23b92d385689682e687ae9030bc5d26d79dd5e99f72fa4b4eef41f5a7b555325bd558771db92e2feb8a67fb40c87223be9e23ccb498b3bbc88

    Download Submit

  • \Users\Admin\awhost.exe
    Filesize

    147KB

    MD5

    c1f93ef271b9b62ba07e68c653e19a52

    SHA1

    92844479d30e93c8b3136d898322809c9e72df2b

    SHA256

    c109fe9a2bd01b52b0281b9ad5cc8b7a0e79beaee86fcbd86dab49649c8e249e

    SHA512

    196224afe15ab4782bfa805b0ea98c66065e935f4a17ba0b42f9db7bd6108454e58f2145ee75525b0e587f303ff9f0a46b28eb3c8414b68fb531085b305d1e30

    Download Submit

  • \Users\Admin\awhost.exe
    Filesize

    147KB

    MD5

    c1f93ef271b9b62ba07e68c653e19a52

    SHA1

    92844479d30e93c8b3136d898322809c9e72df2b

    SHA256

    c109fe9a2bd01b52b0281b9ad5cc8b7a0e79beaee86fcbd86dab49649c8e249e

    SHA512

    196224afe15ab4782bfa805b0ea98c66065e935f4a17ba0b42f9db7bd6108454e58f2145ee75525b0e587f303ff9f0a46b28eb3c8414b68fb531085b305d1e30

    Download Submit

  • \Users\Admin\awhost.exe
    Filesize

    147KB

    MD5

    c1f93ef271b9b62ba07e68c653e19a52

    SHA1

    92844479d30e93c8b3136d898322809c9e72df2b

    SHA256

    c109fe9a2bd01b52b0281b9ad5cc8b7a0e79beaee86fcbd86dab49649c8e249e

    SHA512

    196224afe15ab4782bfa805b0ea98c66065e935f4a17ba0b42f9db7bd6108454e58f2145ee75525b0e587f303ff9f0a46b28eb3c8414b68fb531085b305d1e30

    Download Submit

  • \Users\Admin\awhost.exe
    Filesize

    147KB

    MD5

    c1f93ef271b9b62ba07e68c653e19a52

    SHA1

    92844479d30e93c8b3136d898322809c9e72df2b

    SHA256

    c109fe9a2bd01b52b0281b9ad5cc8b7a0e79beaee86fcbd86dab49649c8e249e

    SHA512

    196224afe15ab4782bfa805b0ea98c66065e935f4a17ba0b42f9db7bd6108454e58f2145ee75525b0e587f303ff9f0a46b28eb3c8414b68fb531085b305d1e30

    Download Submit

  • \Users\Admin\awhost.exe
    Filesize

    147KB

    MD5

    c1f93ef271b9b62ba07e68c653e19a52

    SHA1

    92844479d30e93c8b3136d898322809c9e72df2b

    SHA256

    c109fe9a2bd01b52b0281b9ad5cc8b7a0e79beaee86fcbd86dab49649c8e249e

    SHA512

    196224afe15ab4782bfa805b0ea98c66065e935f4a17ba0b42f9db7bd6108454e58f2145ee75525b0e587f303ff9f0a46b28eb3c8414b68fb531085b305d1e30

    Download Submit

  • \Users\Admin\bwhost.exe
    Filesize

    124KB

    MD5

    345faacdb016f476ad5096acd0812b46

    SHA1

    e942cd79ef99684196ad2cef6899f2bee28142dd

    SHA256

    a4776d7fa21fcc77beacb95896cd749218185bba56e77e77f641795ed3285570

    SHA512

    2cedd0d8e2b20e76c5b643326b5598f9033458628bf1a795c9bca7b267225c14da241e7c585bbbfb0591ac696a4b3aa6434cfe851403efc3b4f3a8f2e26d1fe2

    Download Submit

  • \Users\Admin\bwhost.exe
    Filesize

    124KB

    MD5

    345faacdb016f476ad5096acd0812b46

    SHA1

    e942cd79ef99684196ad2cef6899f2bee28142dd

    SHA256

    a4776d7fa21fcc77beacb95896cd749218185bba56e77e77f641795ed3285570

    SHA512

    2cedd0d8e2b20e76c5b643326b5598f9033458628bf1a795c9bca7b267225c14da241e7c585bbbfb0591ac696a4b3aa6434cfe851403efc3b4f3a8f2e26d1fe2

    Download Submit

  • \Users\Admin\cwhost.exe
    Filesize

    24KB

    MD5

    eac84f965bc8ddbe04c1c35fc1ff6a16

    SHA1

    06d0a39476450e8657612d7df2905dffeb30d3c6

    SHA256

    d16fbdf475ae84c7831249c8f1188110a49066df22d4626cb262ea1b2a9a0af5

    SHA512

    cca2e4904d7bdcb483306413846f1683451dd75dbbbe29e0b2bfd22f7abc343045a94cdd67b355a8ea48331372baf18ca401d5cc15387154f05863693f986b51

    Download Submit

  • \Users\Admin\cwhost.exe
    Filesize

    24KB

    MD5

    eac84f965bc8ddbe04c1c35fc1ff6a16

    SHA1

    06d0a39476450e8657612d7df2905dffeb30d3c6

    SHA256

    d16fbdf475ae84c7831249c8f1188110a49066df22d4626cb262ea1b2a9a0af5

    SHA512

    cca2e4904d7bdcb483306413846f1683451dd75dbbbe29e0b2bfd22f7abc343045a94cdd67b355a8ea48331372baf18ca401d5cc15387154f05863693f986b51

    Download Submit

  • \Users\Admin\gaiipox.exe
    Filesize

    156KB

    MD5

    47c6e5e0a537d6389c8ce2545510fb67

    SHA1

    63ca21325139c763c0da62d07a10b161f48242e0

    SHA256

    dbe6a627f36f9b950c157b19e904db425c3723204f6e13e8c99d99c4fd399ef9

    SHA512

    888eb61b4fd4ecb554eafeae16514a25559be48c7d1111e4452870b25e88d01c9f241af6477de3cf17c93ffa82585517e13a6828cc31b4c720605b11a866baf7

    Download Submit

  • \Users\Admin\gaiipox.exe
    Filesize

    156KB

    MD5

    47c6e5e0a537d6389c8ce2545510fb67

    SHA1

    63ca21325139c763c0da62d07a10b161f48242e0

    SHA256

    dbe6a627f36f9b950c157b19e904db425c3723204f6e13e8c99d99c4fd399ef9

    SHA512

    888eb61b4fd4ecb554eafeae16514a25559be48c7d1111e4452870b25e88d01c9f241af6477de3cf17c93ffa82585517e13a6828cc31b4c720605b11a866baf7

    Download Submit

  • \Users\Admin\gsSL32G1g4.exe
    Filesize

    156KB

    MD5

    38222ccc41836dee63bf60b5511575dd

    SHA1

    a60e47ef0f8979ecc9ef11a2e446003b52e0e1a1

    SHA256

    6cc93c8c02fdb2f11a9290049aadf87f30521a14b715da3a9b78362be2eb5c96

    SHA512

    c8447f42b4c63f879b266fa068ced3bef2505c522dfea16d800a7d476cdc2ae8eff022b441c0f003293088bb22d43c4d8bf0ee753604644f4e5d80ee809054aa

    Download Submit

  • \Users\Admin\gsSL32G1g4.exe
    Filesize

    156KB

    MD5

    38222ccc41836dee63bf60b5511575dd

    SHA1

    a60e47ef0f8979ecc9ef11a2e446003b52e0e1a1

    SHA256

    6cc93c8c02fdb2f11a9290049aadf87f30521a14b715da3a9b78362be2eb5c96

    SHA512

    c8447f42b4c63f879b266fa068ced3bef2505c522dfea16d800a7d476cdc2ae8eff022b441c0f003293088bb22d43c4d8bf0ee753604644f4e5d80ee809054aa

    Download Submit

  • \Windows\System32\consrv.dll
    Filesize

    53KB

    MD5

    68689b2e7472e2cfb3f39da8a59505d9

    SHA1

    5be15784ab1193dc13ac24ec1efcabded5fe2df4

    SHA256

    f304eb2cf6479a4fb36fef81c6df4d0225e251002e8f06f26ee196210bf3d168

    SHA512

    269999061cd54b23b92d385689682e687ae9030bc5d26d79dd5e99f72fa4b4eef41f5a7b555325bd558771db92e2feb8a67fb40c87223be9e23ccb498b3bbc88

    Download Submit

  • memory/332-132-0x0000000002140000-0x0000000002152000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-62-0x0000000000400000-0x0000000000476000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1380-54-0x0000000000400000-0x0000000000476000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1380-57-0x0000000000400000-0x0000000000476000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1380-65-0x0000000000400000-0x0000000000476000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1380-55-0x0000000000400000-0x0000000000476000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1380-68-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1456-111-0x0000000000170000-0x0000000000189000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1456-116-0x0000000000170000-0x0000000000189000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1456-121-0x0000000000170000-0x0000000000189000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1456-125-0x0000000000060000-0x0000000000075000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1968-104-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1968-105-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1968-103-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1968-102-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1968-100-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1968-99-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1968-109-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download