Analysis
max time kernel: 106s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06-11-2022 09:09
Static task: static1
Behavioral task: behavioral1
  Sample: 3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe
  Resource: win10v2004-20220901-en
The signatures, process tree and dropped files listed below are from the Windows 7 x64 run (platform and resource above); the win10v2004 run is not shown on this page.
General
Target: 3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe
Size: 9.7MB
MD5: 370face2217f895e49ddb4e35e8e3e82
SHA1: 6b832f9e68bba84793999fe046ef78dca0b2b368
SHA256: 3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1
SHA512: d578118640d5f994c9ab9062b80e97c933c677c6005ee8ce4aab251d7e974f6949ae1c6cff7569d6473f62e62108845205bb401783b2c094e14a69f5e59b185d
SSDEEP: 196608:Dr4xPwOOnujoYRP1y9WbrdHO6b0NnpM9dO7Grk6sKA763IT:ePLOujobirkVnMdUh6dA7a4
Malware Config
Signatures
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | cmd.exe
File created | C:\Windows\system32\drivers\etc\hоsts | cmd.exe
These are two different files, not a duplicate row: the created one spells the name with a non-ASCII look-alike letter (the "о" renders like a Latin "o" but is a different code point, apparently Cyrillic), so a casual directory listing shows two entries both reading "hosts" while the genuine hosts file is modified alongside it. When triaging the host, compare names by code point, not by how they display.
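The look-alike check described above, as an added example that is not part of the report or of the sample: it folds filenames to the ASCII string they imitate and flags any non-ASCII name that collides with a real one in the same directory. The directory listing is constructed; the look-alike is assumed to be Cyrillic small o (U+043E), since the report shows only the rendered glyph; the confusables table is a hand-picked subset, not the full UTS #39 data.

```python
import os
import unicodedata

# Constructed directory listing standing in for C:\Windows\System32\drivers\etc on the
# sandbox VM. The second name reproduces the IoC from the report: Latin 'o' replaced by
# Cyrillic small o (U+043E, assumed), so both entries display as "hosts".
SAMPLE_LISTING = ["hosts", "h\u043ests", "lmhosts.sam", "networks", "protocol", "services"]

# Look-alike letters mapped onto their Latin twins. Hand-picked subset (assumption),
# not the complete Unicode confusables table from UTS #39.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",
})

def non_ascii_codepoints(name):
    """(index, char, 'U+XXXX', Unicode name) for every non-ASCII character in name."""
    return [(i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name) if ord(ch) > 0x7F]

def skeleton(name):
    """Fold a filename to the ASCII string it visually imitates: NFKC-normalise,
    map confusables to Latin, lower-case (NTFS name matching is case-insensitive)."""
    return unicodedata.normalize("NFKC", name).translate(CONFUSABLES).lower()

def find_homoglyph_collisions(listing):
    """One finding per non-ASCII name whose skeleton equals that of an ASCII name in
    the same directory, i.e. a look-alike sitting next to the file it imitates
    (the hosts / h\u043ests pair from the report)."""
    by_skeleton = {}
    for name in listing:
        by_skeleton.setdefault(skeleton(name), []).append(name)
    findings = []
    for skel, names in by_skeleton.items():
        legit = sorted(n for n in names if n.isascii())
        lookalikes = sorted(n for n in names if not n.isascii())
        if legit and lookalikes:
            for n in lookalikes:
                findings.append({"skeleton": skel, "legit": legit, "lookalike": n,
                                 "codepoints": non_ascii_codepoints(n)})
    return findings

def non_ascii_names(listing):
    """Broader check: any non-ASCII name under drivers\\etc is unexpected on a stock
    Windows install, whether or not it collides with a real file."""
    return [n for n in listing if not n.isascii()]

def scan_directory(path=r"C:\Windows\System32\drivers\etc"):
    """Run both checks against a live directory (not executed in this example)."""
    listing = os.listdir(path)
    return find_homoglyph_collisions(listing), non_ascii_names(listing)

if __name__ == "__main__":
    for f in find_homoglyph_collisions(SAMPLE_LISTING):
        print(f"{f['lookalike']!r} imitates {f['legit']}: {f['codepoints']}")
```

Run it on the constructed listing and the only finding is the second entry, reported with its code point and Unicode name, so the analyst sees "U+043E CYRILLIC SMALL LETTER O" rather than two identical-looking strings.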
Executes dropped EXE 2 IoCs
pid | Process
844 | lykelkyhxntxufha.exe
944 | msoffice_2013_activation.exe
Loads dropped DLL 4 IoCs
pid | Process
1408 | 3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe (3 events)
844 | lykelkyhxntxufha.exe (1 event)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" label to this signature; nothing else in this report (no mass file modification, no ransom note, only three dropped files) supports that reading, so treat the label as a heuristic rather than a verdict.
Kills process with taskkill 1 IoCs
pid | Process
1592 | taskkill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
944 | msoffice_2013_activation.exe (2 events)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1592 | taskkill.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
944 | msoffice_2013_activation.exe
Suspicious use of WriteProcessMemory 35 IoCs
description | pid | Process | procid_target
PID 1408 wrote to memory of 844 | 1408 | 3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe | 26 (7 events)
PID 844 wrote to memory of 952 | 844 | lykelkyhxntxufha.exe | 27 (7 events)
PID 844 wrote to memory of 944 | 844 | lykelkyhxntxufha.exe | 29 (7 events)
PID 952 wrote to memory of 1632 | 952 | cmd.exe | 30 (7 events)
PID 952 wrote to memory of 1592 | 952 | cmd.exe | 31 (7 events)
The 35 rows collapse to these five parent-to-child pairs, each repeated seven times. Every write target is the writer's own direct child in the process tree below, which is what a parent routinely does right after CreateProcess; the report shows no write into a pre-existing or unrelated process. The procid_target values (26-31) are the report's own process identifiers, not the Windows PIDs in the pid column.
Processes
C:\Users\Admin\AppData\Local\Temp\3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe
  command: "C:\Users\Admin\AppData\Local\Temp\3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe"
  PID: 1408
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\lykelkyhxntxufha.exe
    command: "C:\Users\Admin\AppData\Local\Temp\lykelkyhxntxufha.exe" pjindv.bat++msoffice_2013_activation.exe++++++++++++
    PID: 844
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pjindv.bat" "
      PID: 952
      - Drops file in Drivers directory
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\chcp.com
        command: chcp 866
        PID: 1632
        (code page 866 is the OEM Cyrillic console code page)
      C:\Windows\SysWOW64\taskkill.exe
        command: taskkill /f /im "praetorian.exe"
        PID: 1592
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\msoffice_2013_activation.exe
      command: "C:\Users\Admin\AppData\Local\Temp\msoffice_2013_activation.exe"
      PID: 944
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Indentation shows parent/child depth (the original report's depth markers 1 to 4). The chain is: the sample runs the dropped launcher lykelkyhxntxufha.exe with pjindv.bat and msoffice_2013_activation.exe as arguments; the launcher runs the batch file through cmd.exe, which switches the console code page, writes under drivers\etc and force-kills "praetorian.exe"; the launcher separately starts msoffice_2013_activation.exe.
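Rebuilding the tree above from the raw WriteProcessMemory rows, as an added example that is neither the report's code nor the sample's: it parses the "PID X wrote to memory of Y" rows, collapses the repeats into counted edges, renders the tree, and flags any write whose target is not the writer's own child, which is the injection case the flat list makes hard to spot. The row excerpt is constructed from the report's five distinct pairs (the first repeated three times instead of seven); the PID-to-image and child-to-parent maps are copied from the Processes section.

```python
import re
from collections import Counter, defaultdict

SAMPLE = "3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe"

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" rows from the
# report: every distinct parent->child pair, with the first pair repeated three times
# (the report itself repeats each pair seven times, 35 rows in all).
WPM_ROWS = "\n".join([
    f"PID 1408 wrote to memory of 844 1408 {SAMPLE} 26",
    f"PID 1408 wrote to memory of 844 1408 {SAMPLE} 26",
    f"PID 1408 wrote to memory of 844 1408 {SAMPLE} 26",
    "PID 844 wrote to memory of 952 844 lykelkyhxntxufha.exe 27",
    "PID 844 wrote to memory of 944 844 lykelkyhxntxufha.exe 29",
    "PID 952 wrote to memory of 1632 952 cmd.exe 30",
    "PID 952 wrote to memory of 1592 952 cmd.exe 31",
])

# PID -> image and child -> parent, as given in the Processes section of the report.
IMAGES = {1408: SAMPLE, 844: "lykelkyhxntxufha.exe", 952: "cmd.exe",
          1632: "chcp.com", 1592: "taskkill.exe", 944: "msoffice_2013_activation.exe"}
PARENT = {844: 1408, 952: 844, 944: 844, 1632: 952, 1592: 952}

# Row layout: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)")

def parse_rows(text):
    """One (src_pid, dst_pid, src_image, procid_target) tuple per well-formed row.
    Rows that do not match are skipped rather than guessed at, so a line broken by
    extraction (as the report's last row is) never produces a bogus edge."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            rows.append((int(m["src"]), int(m["dst"]), m["image"], int(m["procid"])))
    return rows

def collapse_edges(rows):
    """{(src_pid, dst_pid): event_count}: turns the repeated rows into distinct edges."""
    return Counter((src, dst) for src, dst, _, _ in rows)

def roots(edges):
    """PIDs that write to others but are never written to themselves."""
    srcs = {s for s, _ in edges}
    dsts = {d for _, d in edges}
    return srcs - dsts

def cross_tree_writes(edges, parent):
    """Edges whose target is NOT the writer's own child in the process tree.
    Parent->child writes right after CreateProcess are routine; a write into any
    other process is the injection case worth escalating."""
    return sorted((s, d) for s, d in edges if parent.get(d) != s)

def render_tree(edges, images, root):
    """Indented text tree rooted at `root`, annotated with write-event counts."""
    children = defaultdict(list)
    for (s, d), n in sorted(edges.items()):
        children[s].append((d, n))
    lines = []

    def walk(pid, depth, n=None):
        tag = f"  [{n} write event(s) from parent]" if n is not None else ""
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}{tag}")
        for d, cnt in children[pid]:
            walk(d, depth + 1, cnt)

    walk(root, 0)
    return lines

if __name__ == "__main__":
    edges = collapse_edges(parse_rows(WPM_ROWS))
    print("\n".join(render_tree(edges, IMAGES, next(iter(roots(edges))))))
    print("cross-tree writes:", cross_tree_writes(edges, PARENT))
```

For this report cross_tree_writes() comes back empty, which is the concrete form of the observation that every WriteProcessMemory target is the writer's direct child; feeding it an edge such as 1408 writing into 944 (not its child) would surface that pair for escalation.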
Network
MITRE ATT&CK Enterprise v6
Downloads
Three distinct dropped files. The report lists the 128KB file four times and the 9.8MB file three times with identical hashes (the per-path entries are not preserved on this page); each file is given once here.

Filesize: 128KB
MD5: ddb7111169df883196164ff9a54ba67d
SHA1: ba918e63fd8e0a2b05965ec2057d92935124d7af
SHA256: ead12b5339f6850e6d95381c243bf04c1bdea3138531996d634bff88af15cb06
SHA512: 2ede94ba107b8430ee376fbf12e98c1cb80b0c25686dd09760bd268d71bb33ce41ffb7bde7a8d6820d52a2c6b4668c1a687bf1679a2bd046fe16d67ccf126b1f

Filesize: 9.8MB
MD5: 7545fe9c09892fb95924e18665514dd3
SHA1: a3d8c56c16a3f1ef1b8e38d0fd99e567e152cbf0
SHA256: ac95e33296dc6e76692285f768a82e802c6f5f53a02330a759166ee0df7b6506
SHA512: acc168da266314f45e6e03d54793884cd84010b3fb8d1d71d29d63c54367ccc4b85672272613c5b59755ca76fd77a2e2449a627bae836fc5d7bf4478ad6e8b81

Filesize: 6KB
MD5: 810a5002284d818215391ca22db9768e
SHA1: fb1957d41c845fa888be71aefe143ffdd15c68e9
SHA256: 691322279fd6be9c1d19dd21de6766791b0d3f50e7cfdf51df048347f1e661d1
SHA512: c69aaad0b7858ca5572e64a0271e7b8600352f969d36f7510cfb1ed7777957ec211b20197c074853003e9a1c3aa23779c91418a1ee09dc8518fa16770fcd788e