b9814a1412b8e75a3ad2cc20ceb8fb29481083abdc68eed89cc0f16c16d30edb

Analysis

max time kernel
109s
max time network
54s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware100.exe
Size

310KB
MD5

2413479832b9b9321256acf0fce95d57
SHA1

461e4d216541030229f5dfa682abd484b99a1c6c
SHA256

b9814a1412b8e75a3ad2cc20ceb8fb29481083abdc68eed89cc0f16c16d30edb
SHA512

5ad47558a002536295cb910109c12171312db0f9e24cb17ac9aab7a3c0715ae3ae095f9c4a77a66a5dc2e16ce4479a4f21174b0001608422cdaa22506922f91c
SSDEEP

6144:8cqoSgQc51P9A50S+F6uDbF9ayNfwNlPoaJUGUgNMEM9Ms5lfp4a:8FoS+1HS+F6ULP6SaJBDNMEeMxa

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XeonRegStart = "C:\\Xeon.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1360	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
900	ipconfig.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1648	taskkill.exe
1116	taskkill.exe
1568	taskkill.exe
1408	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	1824	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1824	AUDIODG.EXE
Token: 33	1824	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1824	AUDIODG.EXE
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1712	1836	malware100.exe	27
PID 1836 wrote to memory of 1712	1836	malware100.exe	27
PID 1836 wrote to memory of 1712	1836	malware100.exe	27
PID 1836 wrote to memory of 1712	1836	malware100.exe	27
PID 1712 wrote to memory of 956	1712	cmd.exe	29
PID 1712 wrote to memory of 956	1712	cmd.exe	29
PID 1712 wrote to memory of 956	1712	cmd.exe	29
PID 1712 wrote to memory of 1356	1712	cmd.exe	30
PID 1712 wrote to memory of 1356	1712	cmd.exe	30
PID 1712 wrote to memory of 1356	1712	cmd.exe	30
PID 1356 wrote to memory of 2036	1356	net.exe	31
PID 1356 wrote to memory of 2036	1356	net.exe	31
PID 1356 wrote to memory of 2036	1356	net.exe	31
PID 1712 wrote to memory of 900	1712	cmd.exe	32
PID 1712 wrote to memory of 900	1712	cmd.exe	32
PID 1712 wrote to memory of 900	1712	cmd.exe	32
PID 1712 wrote to memory of 584	1712	cmd.exe	33
PID 1712 wrote to memory of 584	1712	cmd.exe	33
PID 1712 wrote to memory of 584	1712	cmd.exe	33
PID 1712 wrote to memory of 1560	1712	cmd.exe	34
PID 1712 wrote to memory of 1560	1712	cmd.exe	34
PID 1712 wrote to memory of 1560	1712	cmd.exe	34
PID 1712 wrote to memory of 1360	1712	cmd.exe	35
PID 1712 wrote to memory of 1360	1712	cmd.exe	35
PID 1712 wrote to memory of 1360	1712	cmd.exe	35
PID 1712 wrote to memory of 1408	1712	cmd.exe	39
PID 1712 wrote to memory of 1408	1712	cmd.exe	39
PID 1712 wrote to memory of 1408	1712	cmd.exe	39
PID 1712 wrote to memory of 1648	1712	cmd.exe	41
PID 1712 wrote to memory of 1648	1712	cmd.exe	41
PID 1712 wrote to memory of 1648	1712	cmd.exe	41
PID 1712 wrote to memory of 1116	1712	cmd.exe	42
PID 1712 wrote to memory of 1116	1712	cmd.exe	42
PID 1712 wrote to memory of 1116	1712	cmd.exe	42
PID 1712 wrote to memory of 1568	1712	cmd.exe	43
PID 1712 wrote to memory of 1568	1712	cmd.exe	43
PID 1712 wrote to memory of 1568	1712	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\malware100.exe
"C:\Users\Admin\AppData\Local\Temp\malware100.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\149.tmp\15A.bat C:\Users\Admin\AppData\Local\Temp\malware100.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "XeonRegStart" /t REG_SZ /d "C:\Xeon.exe" /f
    3⤵
    - Adds Run key to start application
    PID:956
- - C:\Windows\system32\net.exe
    net user Admin 9LP64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin 9LP64
      4⤵
      PID:2036
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:900
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Info.vbs"
    3⤵
    PID:584
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Message.vbs"
    3⤵
    PID:1560
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:1360
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM csrss.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM svchost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM wininit.exe
    3⤵
    - Kills process with taskkill
    PID:1116
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM winlogon.exe
    3⤵
    - Kills process with taskkill
    PID:1568

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1188

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Info.vbs

Filesize
96B

MD5
3f0a3021c9183570a7a2350fbe8a50ca

SHA1
85da405fbcba7ebd2151c894aee13412fa90de41

SHA256
f5f4bd6043ce4ef52e59dc3d78eb3c25d26ba8b65fbbd4bcb2a06626013eb2d0

SHA512
d2848b9ec901ec61d89721db5534b976bebc8188971b49f5f81b09d626ea42d843bfbdafe1dc212b537d7ab6ca15211c0b5d4ea24a61b62a55af44070d36cd96

Download Submit
C:\Message.vbs

Filesize
47B

MD5
0f2ce130f4100f889ff2cbbb737fec89

SHA1
3b155f267564fc199d1d05d05fa3aa7995e4f74f

SHA256
e17579150850cbd086110308e873fe2320a67f8100a96175865af0eaeadbc986

SHA512
913ad1f676fe64bc17b362c2672ab8f2ec9e2e06e4db514c7301bed642f455b4d6919c4cbcbb80ab484fac2fe716f6a6d10caa7c54b1ac5709afe02bd7ca7351

Download Submit
C:\Users\Admin\AppData\Local\Temp\149.tmp\15A.bat

Filesize
1KB

MD5
34ca341944b9467a396bbb8b8cfa2447

SHA1
bcf8439873eb5c1939e69ad9552373b55f6e6af4

SHA256
d695618bc6795f1802bc0fff25a171beb96ea348c7dde9394c67fb88b2b29b02

SHA512
503f4b0f8a2b66e0a50b588d290ab79fafe9c86e5bee2b9b58ddb98ed6424ccc364d3527cc494bb5621a1bb02b62fb63557b9dca95035e0c495d41c2bd25ae44

Download Submit
memory/584-74-0x0000000000000000-mapping.dmp

Download
memory/900-61-0x0000000000000000-mapping.dmp

Download
memory/956-57-0x0000000000000000-mapping.dmp

Download
memory/1116-92-0x0000000000000000-mapping.dmp

Download
memory/1356-59-0x0000000000000000-mapping.dmp

Download
memory/1360-89-0x0000000000000000-mapping.dmp

Download
memory/1408-90-0x0000000000000000-mapping.dmp

Download
memory/1560-83-0x0000000000000000-mapping.dmp

Download
memory/1568-93-0x0000000000000000-mapping.dmp

Download
memory/1648-91-0x0000000000000000-mapping.dmp

Download
memory/1712-62-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/1712-55-0x0000000000000000-mapping.dmp

Download
memory/1836-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1836-58-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1836-94-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2036-60-0x0000000000000000-mapping.dmp

Download