1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10

Analysis

max time kernel
36s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe
Size

28KB
MD5

4905988f339ad59b178a2416e131cee6
SHA1

fafcbc8209749286bad9695631f0626d34c0d9c6
SHA256

1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10
SHA512

84f3b0fa98238a7612d23fe5a1c1028cbcac319e83d679013fe78aa720975602a26d74717598edf345be58325d24055995ed3e2a2f1ec4e8027ca389f8c7f31c
SSDEEP

384:I9WjN+IpaapwZP56f4cD3+ZJ/O4YGY1xZ0iAcP7gf0Z2/U0PQsZ8yP5LR3Jpmj:iqke5faJm4WZv3Mf0Z2FZ8yP5LR3Y

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
820	cmd.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\1235267.tmp	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe
File opened for modification	C:\Windows\SysWOW64\1235267.tmp	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe
File created	C:\Windows\SysWOW64\sxload.tmp	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe
File created	C:\Windows\System32\123479D.tmp	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe
File opened for modification	C:\Windows\SysWOW64\123479D.tmp	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\sxlzg.tmp	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
240	taskkill.exe
1844	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	240	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe
1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 240	1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe	27
PID 1672 wrote to memory of 240	1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe	27
PID 1672 wrote to memory of 240	1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe	27
PID 1672 wrote to memory of 240	1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe	27
PID 1672 wrote to memory of 1844	1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe	29
PID 1672 wrote to memory of 1844	1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe	29
PID 1672 wrote to memory of 1844	1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe	29
PID 1672 wrote to memory of 1844	1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe	29
PID 1672 wrote to memory of 820	1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe	32
PID 1672 wrote to memory of 820	1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe	32
PID 1672 wrote to memory of 820	1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe	32
PID 1672 wrote to memory of 820	1672	1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe	32

C:\Users\Admin\AppData\Local\Temp\1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe
"C:\Users\Admin\AppData\Local\Temp\1c483429234f4f0b1cac735557e8ffd4c72fe3afa43c801bc44dadc417203d10.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im "DragonNest.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:240
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im "sdologin.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 1.bat
  2⤵
  - Deletes itself
  PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
251B

MD5
a59c991fd54350a0d2ae49d5ae93d871

SHA1
0b8a39848e8e1a2de3bffc59a010b97ebf479005

SHA256
20674bc0b078d510fae2da277997a8e68a689ff2af593f0cd988e659a16a5fdc

SHA512
1c81ea4015633cb3cf3567de7ea0959989e2d1c863b65fa97389837d2e5663f7b40d6eff59d22e1b031655270e73e781230cf178b88e6736cc55eee53d4c0583

Download Submit
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000074771000-0x0000000074773000-memory.dmp

Filesize
8KB

Download