7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231

Analysis

max time kernel
30s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 18:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe
Size

249KB
MD5

82f98a42fc2366083d8ded65dd32b990
SHA1

60d9276c2203a53b1ac4aba29b7ce90850f24239
SHA256

7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231
SHA512

ed2bacfb28277f6dde8702ed6f34090d4cd43ee106bf185c4274b0e33a42b4221184ad0418e3d97fd474944b172eefd1364e21bd95651fd220d31fbcd855fd1f
SSDEEP

6144:LlW1wiBpJvBFimkp4iy3bAPQujIpQ7Gw0rx0JfHYhwR:BQwInDq4bLAP8i7GvlDK

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\TCDL\Utilites	xcopy.exe
File created	C:\Program Files (x86)\TCDL\Utilites\AutoRuns.exe	xcopy.exe
File opened for modification	C:\Program Files (x86)\TCDL\Utilites\AutoRuns.exe	xcopy.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\AutoRuns.inf	cmd.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File created	C:\Windows\INF\AutoRuns.inf	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1888	rundll32.exe
Token: SeRestorePrivilege	1888	rundll32.exe
Token: SeRestorePrivilege	1888	rundll32.exe
Token: SeRestorePrivilege	1888	rundll32.exe
Token: SeRestorePrivilege	1888	rundll32.exe
Token: SeRestorePrivilege	1888	rundll32.exe
Token: SeRestorePrivilege	1888	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 1120	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	28
PID 668 wrote to memory of 1120	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	28
PID 668 wrote to memory of 1120	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	28
PID 668 wrote to memory of 1120	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	28
PID 668 wrote to memory of 2032	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	30
PID 668 wrote to memory of 2032	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	30
PID 668 wrote to memory of 2032	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	30
PID 668 wrote to memory of 2032	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	30
PID 668 wrote to memory of 1888	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	32
PID 668 wrote to memory of 1888	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	32
PID 668 wrote to memory of 1888	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	32
PID 668 wrote to memory of 1888	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	32
PID 668 wrote to memory of 1888	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	32
PID 668 wrote to memory of 1888	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	32
PID 668 wrote to memory of 1888	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	32
PID 668 wrote to memory of 1256	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	33
PID 668 wrote to memory of 1256	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	33
PID 668 wrote to memory of 1256	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	33
PID 668 wrote to memory of 1256	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	33
PID 668 wrote to memory of 556	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	35
PID 668 wrote to memory of 556	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	35
PID 668 wrote to memory of 556	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	35
PID 668 wrote to memory of 556	668	7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe	35
PID 556 wrote to memory of 1340	556	cmd.exe	37
PID 556 wrote to memory of 1340	556	cmd.exe	37
PID 556 wrote to memory of 1340	556	cmd.exe	37
PID 556 wrote to memory of 1340	556	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe
"C:\Users\Admin\AppData\Local\Temp\7ffe2048c417fc1c8e999cbbc45c2f38f3d235a70724cc360edfdc1868586231.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD "HKCU\Software\Sysinternals\AutoRuns" /V EulaAccepted /D 1 /f
  2⤵
  PID:1120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy AutoRuns.inf C:\Windows\INF
  2⤵
  - Drops file in Windows directory
  PID:2032
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" advpack,LaunchINFSection AutoRuns.inf,DefaultInstall,0
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del AutoRuns.inf /q
  2⤵
  PID:1256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c xcopy * "C:\Program Files (x86)\TCDL\Utilites\" /s /e /i /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy * "C:\Program Files (x86)\TCDL\Utilites\" /s /e /i /y
    3⤵
    - Drops file in Program Files directory
    - Enumerates system info in registry
    PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\AutoRuns.exe

Filesize
633KB

MD5
9f4f01518ec46d1b396c0b45b9eecc1b

SHA1
af28f46501b597978774f916de08d2a4b57988e2

SHA256
456da9e2d11f0a765bce03ec938c8bda514235034316ad1c5aa6a2a72cbaa5f2

SHA512
a1ea50a3ef8dc655453784da80ba2c9fe20d7cacce808b548f404d4858c976ac8227c9c7aa871ffbbc252419ed4edca6ea7f46bec04fb33636f70f8a40c6fd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\AutoRuns.inf

Filesize
2KB

MD5
128780e69cbfad74ce9301ed15120c74

SHA1
4a6b3b21f9bc2c937d61078379da947cc6ac5a03

SHA256
1479bd8db119a864dc3126389d77ca6f5ec95a76585b1abda0ecbb2c17d204af

SHA512
1f5951c2de41e8d3fc73a2d1e9990f9d372ff6773cf5ec22ac6ad2fea0e8c9000a9ca0d9ecb63802d2b4bb61d228896f909380758dedc1ab7b79459c9f164bb5

Download Submit
memory/668-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download