Analysis

max time kernel: 424s
max time network: 427s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-10-2022 23:52
Static task: static1

Behavioral task: behavioral1
  Sample: 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe
  Resource: win10v2004-20220812-en
General

Target: 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe
Size: 221KB
MD5: a26ff2a7664aaa03d41a591fc71d2221
SHA1: a7344edd33d4bcd538fdba240c2996417a0d63b8
SHA256: 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2
SHA512: dcf52e588fa84f3e32f76bd981d74756ef2899212a750d30c61eaec5480f32c4b11b42d35b4becb9db210f2974ace32ae9d4b5e46004164eaee1017124fb928e
SSDEEP: 6144:VUB6frB+kTPBKVhkXgAcSifvJMOLvZTyGDZu:OBqrB+kTJO/OifnRD
Malware Config
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Processes: explorer.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Deletes itself (1 IoC)
  Processes: cmd.exe
    pid | process
    2024 | cmd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\newdller = "C:\\Windows\\system32\\compvert.exe" | 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe

Drops file in System32 directory (2 IoCs)
  Processes: 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe
    description | ioc | process
    File created | C:\Windows\SysWOW64\compvert.exe | 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe
    File opened for modification | C:\Windows\SysWOW64\compvert.exe | 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes: 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe
    description | pid | process | target process
    PID 1604 set thread context of 1668 | 1604 | 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe | explorer.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (5 IoCs)
  Processes: explorer.exe
    description | ioc | process
    Set value (data) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: explorer.exe
    pid | process
    1668 | explorer.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe
    pid | process
    1604 | 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe

Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes: explorer.exe, AUDIODG.EXE
    description | pid | process
    Token: SeShutdownPrivilege | 1668 | explorer.exe (10 identical entries)
    Token: 33 | 784 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 784 | AUDIODG.EXE
    Token: 33 | 784 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 784 | AUDIODG.EXE
    Token: SeShutdownPrivilege | 1668 | explorer.exe (3 identical entries)

Suspicious use of FindShellTrayWindow (29 IoCs)
  Processes: explorer.exe
    pid | process
    1668 | explorer.exe (29 identical entries)

Suspicious use of SendNotifyMessage (20 IoCs)
  Processes: explorer.exe
    pid | process
    1668 | explorer.exe (20 identical entries)

Suspicious use of UnmapMainImage (1 IoC)
  Processes: 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe
    pid | process
    1604 | 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe, cmd.exe
    description | pid | process | target process
    PID 1604 wrote to memory of 1668 | 1604 | 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe | explorer.exe (7 identical entries)
    PID 1604 wrote to memory of 2024 | 1604 | 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe | cmd.exe (4 identical entries)
    PID 2024 wrote to memory of 952 | 2024 | cmd.exe | attrib.exe (4 identical entries)

Views/modifies file attributes (1 TTP, 1 IoC)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7081914.bat" "C:\Users\Admin\AppData\Local\Temp\0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe""
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2.exe"
      - Views/modifies file attributes

Level 1: C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x53c
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\7081914.bat
  Filesize: 72B
  MD5: d63d8426b8417417d92dd8e2a203fffc
  SHA1: 305e6f68bb018f5eac49c870317bebd35faf5935
  SHA256: 0da0d9ad8c678e7731f97d0cc204d90369b7fa23b99112f3bf0d7f8fd5f51bef
  SHA512: f29d98be4e608bbac1f433e0b36d91dd742bafef87bfbd236d3f85b476d1fc91f69e86e5c466cca95a114a9757a895c2eae5157bf0e7b296becb57e365307065

memory/952-62-0x0000000000000000-mapping.dmp

memory/1604-54-0x0000000075601000-0x0000000075603000-memory.dmp
  Filesize: 8KB

memory/1604-55-0x0000000000540000-0x0000000000577000-memory.dmp
  Filesize: 220KB

memory/1604-56-0x0000000001000000-0x000000000113A000-memory.dmp
  Filesize: 1.2MB

memory/1604-60-0x0000000001000000-0x000000000102C000-memory.dmp
  Filesize: 176KB

memory/1668-57-0x0000000000000000-mapping.dmp

memory/1668-58-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp
  Filesize: 8KB

memory/1668-63-0x0000000000320000-0x0000000000373000-memory.dmp
  Filesize: 332KB

memory/1668-64-0x0000000002B00000-0x0000000002B10000-memory.dmp
  Filesize: 64KB

memory/2024-59-0x0000000000000000-mapping.dmp