Analysis
- max time kernel: 141s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 21-10-2022 15:58
Static task: static1
Behavioral task: behavioral1
  - Sample: 05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe
  - Resource: win7-20220812-en
Behavioral task: behavioral2
  - Sample: 05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe
  - Resource: win10v2004-20220812-en
General
- Target: 05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe
- Size: 468KB
- MD5: 717e9dc766680d93384f6faed13181b0
- SHA1: c3309e501fdb9115c39b588c7ba33c329b7c657d
- SHA256: 05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b
- SHA512: 1afe5d1bbc8e58b89efd3f7cf7d2cbc64bd99149e5528f1c1c69c7195a2966b79e7ced1dc380d57c8c381a7423570759856ec2a3ae13307a49ee13172c4ec340
- SSDEEP: 6144:u3lB8iygOCQwIf6wgkcm/SBrB7KTcF2mH0MS3u3p3MHj+/D7F/w:8BggOuG6I/wMHmH0Mkq3MHj+/9/w
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2020 | 05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  1368 | 05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows ntilizer = "C:\\Users\\Admin\\AppData\\Local\\Windows ntilizer.exe" | WScript.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1368 set thread context of 2020 | 1368 | 05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe | 28
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1368 | 05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target | entries
  PID 1368 wrote to memory of 1240 | 1368 | 05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe | 27 | 4
  PID 1368 wrote to memory of 2020 | 1368 | 05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe | 28 | 9
  PID 1172 wrote to memory of 1568 | 1172 | explorer.exe | 30 | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe (PID:1368)
  Command line: "C:\Users\Admin\AppData\Local\Temp\05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (PID:1240)
    Command line: "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\HwirgYUe.vbs
  - C:\Users\Admin\AppData\Local\Temp\05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe (PID:2020)
    Command line: "C:\Users\Admin\AppData\Local\Temp\05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe"
    Signatures: Executes dropped EXE
- C:\Windows\explorer.exe (PID:1172)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID:1568)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HwirgYUe.vbs"
    Signatures: Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe
  Filesize: 468KB
  MD5: 717e9dc766680d93384f6faed13181b0
  SHA1: c3309e501fdb9115c39b588c7ba33c329b7c657d
  SHA256: 05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b
  SHA512: 1afe5d1bbc8e58b89efd3f7cf7d2cbc64bd99149e5528f1c1c69c7195a2966b79e7ced1dc380d57c8c381a7423570759856ec2a3ae13307a49ee13172c4ec340
- Filesize: 586B
  MD5: 41ca0197c02952db281839a687cf1378
  SHA1: d704ecb2e76ce2574d891f89a87a832d1f41d08b
  SHA256: 04f2153435749e678550ddf21f25c6dd06811345245b029f4347af244512b14d
  SHA512: 01bb0f4ce5970a798adbd698abf2434478e1334389218efecd19235122ac9c7611bf42b688ac896a7e7e453e033aeab0f80a46e5d2ba12610b1c2529adabb57b
- \Users\Admin\AppData\Local\Temp\05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b.exe
  Filesize: 468KB
  MD5: 717e9dc766680d93384f6faed13181b0
  SHA1: c3309e501fdb9115c39b588c7ba33c329b7c657d
  SHA256: 05d17bbb3af3947e4aab748ca50eb028197dc9eedaf831129792981199f1b23b
  SHA512: 1afe5d1bbc8e58b89efd3f7cf7d2cbc64bd99149e5528f1c1c69c7195a2966b79e7ced1dc380d57c8c381a7423570759856ec2a3ae13307a49ee13172c4ec340