5304522c3f48984337f18133639815cab62f24ef25407c3a097fcecfc4b4ed9f

Analysis

max time kernel
282s
max time network
261s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Contract_8556.iso
Size

990KB
MD5

f1404d05a5143952499cd764babcb895
SHA1

673491da8fdbff9708fb077259515c0d788578ae
SHA256

5304522c3f48984337f18133639815cab62f24ef25407c3a097fcecfc4b4ed9f
SHA512

329d21193d45866ab0b3bcdade34245a10645e3c4a0d29c61cd45512ce60b1331294a0e96c44dc20444f8716bdbcba371db8c8453be6fbc73476ead56035ac20
SSDEEP

24576:u6y8bRZAYhI/LoO9bBoY/6wgHzwt6AwQwrwJwJY:u+AYhIjoO9d/6wgHzwt6AwQwrwJwJ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3344	4376	WerFault.exe	92

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4684	regsvr32.exe
4684	regsvr32.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe
4904	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4684	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	868	cmd.exe
Token: SeManageVolumePrivilege	868	cmd.exe
Token: SeRestorePrivilege	4708	7zG.exe
Token: 35	4708	7zG.exe
Token: SeSecurityPrivilege	4708	7zG.exe
Token: SeSecurityPrivilege	4708	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4708	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2060	OpenWith.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 3276	2824	cmd.exe	101
PID 2824 wrote to memory of 3276	2824	cmd.exe	101
PID 2824 wrote to memory of 404	2824	cmd.exe	102
PID 2824 wrote to memory of 404	2824	cmd.exe	102
PID 404 wrote to memory of 4684	404	regsvr32.exe	103
PID 404 wrote to memory of 4684	404	regsvr32.exe	103
PID 404 wrote to memory of 4684	404	regsvr32.exe	103
PID 4684 wrote to memory of 4904	4684	regsvr32.exe	104
PID 4684 wrote to memory of 4904	4684	regsvr32.exe	104
PID 4684 wrote to memory of 4904	4684	regsvr32.exe	104
PID 4684 wrote to memory of 4904	4684	regsvr32.exe	104
PID 4684 wrote to memory of 4904	4684	regsvr32.exe	104
PID 3280 wrote to memory of 4912	3280	cmd.exe	112
PID 3280 wrote to memory of 4912	3280	cmd.exe	112

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Contract_8556.iso
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 4376 -ip 4376
1⤵
PID:936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4376 -s 2064
1⤵
- Program crash
PID:3344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reviewer\ungroomed.cmd vr 32. exe
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\system32\replace.exe
  replace C:\Windows\\system32\\regsvr32.exe C:\Users\Admin\AppData\Local\Temp /A
  2⤵
  PID:3276
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe reviewer\beastly.dat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SysWOW64\regsvr32.exe
    reviewer\beastly.dat
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4904

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Contract_8556\" -spe -an -ai#7zMap4460:106:7zEvent22734
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Contract_8556\reviewer\ungroomed.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\system32\replace.exe
  replace C:\Windows\\system32\\regs C:\Users\Admin\AppData\Local\Temp /A
  2⤵
  PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Contract_8556\reviewer\ungroomed.cmd

Filesize
354B

MD5
6d1154c490214c6ca6a9186cc7a7a04e

SHA1
697909602a5f9a0f9bf6098806a9411d8d84de71

SHA256
67799a42b9d4dd9cbdab2bfb34b91aab636922f84b24b8a6374b8ad20fb10c19

SHA512
184966728fbaee9d8591f6fe8516af8b9fe99183442115a533ce6f5c1477cb3817da799c7da10bbb3212fd07fcc6ea75698fea0776fb5bf75043e212d87a8564

Download Submit
memory/4684-135-0x00000000030B0000-0x00000000030D9000-memory.dmp

Filesize
164KB

Download
memory/4684-136-0x0000000003050000-0x000000000307A000-memory.dmp

Filesize
168KB

Download
memory/4684-137-0x00000000030B0000-0x00000000030D9000-memory.dmp

Filesize
164KB

Download
memory/4684-139-0x00000000030B0000-0x00000000030D9000-memory.dmp

Filesize
164KB

Download
memory/4904-140-0x0000000000A40000-0x0000000000A69000-memory.dmp

Filesize
164KB

Download
memory/4904-141-0x0000000000A40000-0x0000000000A69000-memory.dmp

Filesize
164KB

Download