ac77a1b2a864a90a510537b096cdd499b2fa4695fb8112e9e2f1d200ec4a8c12

Analysis

max time kernel
37s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/10/2022, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf8cd12acb64e52f34387ade85b0fb18.exe
Size

965KB
MD5

bf8cd12acb64e52f34387ade85b0fb18
SHA1

e538eba64d5134636fb14abf0bd4580b2d9b13ca
SHA256

ac77a1b2a864a90a510537b096cdd499b2fa4695fb8112e9e2f1d200ec4a8c12
SHA512

b05530161f35e6c462516ff0584210a63e34748987f1aba2566f54ac9b27e4985577e239d45eddce6286067a3436d0741f4fc88eb5f393668d9446a25ba561f4
SSDEEP

24576:G53uhFbHKXdz66otpMa0pVYMfDE849CNlJSk3Pnzu:G5+hFWtzRGpMdL9fDE849CN/Skfzu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1020	csrss.com
1080	csrss.com

Deletes itself 1 IoCs

pid	Process
1620	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
324	cmd.exe
1020	csrss.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
472	PING.EXE
1984	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1620	powershell.exe
1620	powershell.exe
1620	powershell.exe
1620	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1020	csrss.com
1020	csrss.com
1020	csrss.com
1080	csrss.com
1080	csrss.com
1080	csrss.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1020	csrss.com
1020	csrss.com
1020	csrss.com
1080	csrss.com
1080	csrss.com
1080	csrss.com

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1560	748	bf8cd12acb64e52f34387ade85b0fb18.exe	27
PID 748 wrote to memory of 1560	748	bf8cd12acb64e52f34387ade85b0fb18.exe	27
PID 748 wrote to memory of 1560	748	bf8cd12acb64e52f34387ade85b0fb18.exe	27
PID 748 wrote to memory of 1560	748	bf8cd12acb64e52f34387ade85b0fb18.exe	27
PID 1560 wrote to memory of 324	1560	cmd.exe	29
PID 1560 wrote to memory of 324	1560	cmd.exe	29
PID 1560 wrote to memory of 324	1560	cmd.exe	29
PID 1560 wrote to memory of 324	1560	cmd.exe	29
PID 324 wrote to memory of 1984	324	cmd.exe	30
PID 324 wrote to memory of 1984	324	cmd.exe	30
PID 324 wrote to memory of 1984	324	cmd.exe	30
PID 324 wrote to memory of 1984	324	cmd.exe	30
PID 324 wrote to memory of 884	324	cmd.exe	31
PID 324 wrote to memory of 884	324	cmd.exe	31
PID 324 wrote to memory of 884	324	cmd.exe	31
PID 324 wrote to memory of 884	324	cmd.exe	31
PID 324 wrote to memory of 1020	324	cmd.exe	32
PID 324 wrote to memory of 1020	324	cmd.exe	32
PID 324 wrote to memory of 1020	324	cmd.exe	32
PID 324 wrote to memory of 1020	324	cmd.exe	32
PID 324 wrote to memory of 472	324	cmd.exe	33
PID 324 wrote to memory of 472	324	cmd.exe	33
PID 324 wrote to memory of 472	324	cmd.exe	33
PID 324 wrote to memory of 472	324	cmd.exe	33
PID 1020 wrote to memory of 1080	1020	csrss.com	34
PID 1020 wrote to memory of 1080	1020	csrss.com	34
PID 1020 wrote to memory of 1080	1020	csrss.com	34
PID 1020 wrote to memory of 1080	1020	csrss.com	34
PID 748 wrote to memory of 1620	748	bf8cd12acb64e52f34387ade85b0fb18.exe	35
PID 748 wrote to memory of 1620	748	bf8cd12acb64e52f34387ade85b0fb18.exe	35
PID 748 wrote to memory of 1620	748	bf8cd12acb64e52f34387ade85b0fb18.exe	35
PID 748 wrote to memory of 1620	748	bf8cd12acb64e52f34387ade85b0fb18.exe	35

C:\Users\Admin\AppData\Local\Temp\bf8cd12acb64e52f34387ade85b0fb18.exe
"C:\Users\Admin\AppData\Local\Temp\bf8cd12acb64e52f34387ade85b0fb18.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < gsTWaUtfdIy.com
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 BChfuO.bIvPIb
      4⤵
      Runs ping.exe
      PID:1984
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -decode RMBMfDVJsYtfOtLClj.com w
      4⤵
      PID:884
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
      csrss.com w
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com w
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1080
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en JABnAHoAeQBiACAAPQAgACgARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAHQAZQByACAAIgBwAHIAbwBjAGUAcwBzAGkAZAA9ACQAcABpAGQAIgApAC4AcABhAHIAZQBuAHQAcAByAG8AYwBlAHMAcwBpAGQAOwAgACQAdwBlAHgAIAA9ACAAKABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAdwBpAG4AMwAyAF8AcAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAdABlAHIAIAAiAHAAcgBvAGMAZQBzAHMAaQBkAD0AJABnAHoAeQBiACIAKQAuAGUAeABlAGMAdQB0AGEAYgBsAGUAcABhAHQAaAA7ACAAUwB0AG8AcAAtAFAAcgBvAGMAZQBzAHMAIAAtAEkARAAgACQAZwB6AHkAYgAgAC0ARgBvAHIAYwBlADsAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAHMAIAAxADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAHAAYQB0AGgAIAAkAHcAZQB4AA==
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RMBMfDVJsYtfOtLClj.com

Filesize
1.0MB

MD5
933008580964d519a02f4b588108bdb4

SHA1
4856a2fa045b4370bee05542abaec4cc595ddeb0

SHA256
81d77697d8dc9caaada1594549fd50e0efafa38f91cf56b8e75259bba13fd0ac

SHA512
3e00a7b10c17fa1ea7260d62283eb5afc0318e60386fc80904817024c6b9793e2d27b0b07efbc694e1435944b530894103598f6e148277579f75f6935f7e596d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\UHgfmTHdwSmBZQWsnF.com

Filesize
154KB

MD5
94afefeee0f34c3fe9bce965736f91cd

SHA1
d3fd61d42a6d8df0886d0d827791a8af5c4fb318

SHA256
357e29849c872014ea9af003c6755a857808dcd678e464d0beb65a5ba9ace69d

SHA512
2b181eb28aa640f7ca7017edbee00792a83647b13f8380f2d2dab1763f9350364eb5421279a58c16ac51fba65232ba7d1a04b845a1732cb16ce0618440e6693c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com

Filesize
921KB

MD5
8ed172328f643375ac09b31ffba0eb63

SHA1
c6716e5e5a311f597e37c5660b0387ab8f77b2a0

SHA256
23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928

SHA512
79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com

Filesize
921KB

MD5
8ed172328f643375ac09b31ffba0eb63

SHA1
c6716e5e5a311f597e37c5660b0387ab8f77b2a0

SHA256
23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928

SHA512
79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com

Filesize
921KB

MD5
8ed172328f643375ac09b31ffba0eb63

SHA1
c6716e5e5a311f597e37c5660b0387ab8f77b2a0

SHA256
23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928

SHA512
79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gsTWaUtfdIy.com

Filesize
410B

MD5
bc98680b05d09039d8f0ce53c92fce23

SHA1
2dc2da559d9cafeb9104a88fb6aec0af9e41efef

SHA256
89fa517cdaf5c467ee9b5babf559991e915fbb1e27400d81d40deb1834075dab

SHA512
414b86061b229d0468065c3b365846525e4f428725ead2a191f6eb9a76ad3a3aea7bf13f3d94274017f0794e2c86ae2ca39e214e03c42a411d7f02afd77fae08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lxUwnmQHLTelioanY.com

Filesize
921KB

MD5
c317736793ef5129f12a3568cd679422

SHA1
e68b55969c5f2159c847a629fac3731c0c315d53

SHA256
cbb5d906c63cbcb891b35e53156b643ac26c5dec922f43b2fd121ccca60beb62

SHA512
69cb5fd5f1a30c3c786ca945b8de6a460d03605fc3416a3c33e69691603e1a43ad0cfefe9cd5d6af1a154b701ecf34526cc05d9235a4e38acf994eb0edb1a82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\w

Filesize
776KB

MD5
f199cb4506da1c476ea6815ce34b0b78

SHA1
f12014971bc9d510962399d88cd8057a963e63a1

SHA256
fa6b8755da00b034511195fb9c65f33ec170daa34585e175b3f7e94ebcbb7d0a

SHA512
8dd42cf9ed168f07b120f60b99a815439a7510e6d4e165be6c689fdf6e13b1affc2647bf3f4a7f1a227d560e88d250158812f3072e71a374944942de9b1647d0

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com

Filesize
921KB

MD5
8ed172328f643375ac09b31ffba0eb63

SHA1
c6716e5e5a311f597e37c5660b0387ab8f77b2a0

SHA256
23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928

SHA512
79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com

Filesize
921KB

MD5
8ed172328f643375ac09b31ffba0eb63

SHA1
c6716e5e5a311f597e37c5660b0387ab8f77b2a0

SHA256
23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928

SHA512
79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938

Download Submit
memory/748-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1620-77-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1620-78-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download