26819f9bb856b8c436b55968719daccae2009d4585dd4497a04cdc95cec9161d

Analysis

max time kernel
153s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26819f9bb856b8c436b55968719daccae2009d4585dd4497a04cdc95cec9161d.exe
Size

1.3MB
MD5

aa565f2b01389e5c4d885dfeffde711a
SHA1

b29fc7ec174403f8ae24030be75aefc4e5ae2261
SHA256

26819f9bb856b8c436b55968719daccae2009d4585dd4497a04cdc95cec9161d
SHA512

63cca4bf6bbf3060a27aa8dd9362cc1485b42df1ff65f5b9793ceea68b24a7ec68048f9651e99fbbd026072d7eff898f021d035848f9f5e4b2113a9c2f50bac5
SSDEEP

24576:bow4tqllwDrC518o0jsCKABZ+0A8H3pWFEvr0nfun:bo1tHC56RZKkEIH3QEvr

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	YZZG4ZC73V8UAV52866JKHAUYHM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\T7VJ56T35XVD6WW1X948W9607369 = "C:\\ProgramData\\1DTCWS3176P6VQ2DK0Y3OUZ955J08S\\T7VJ56T35XVD6WW1X948W9607369.exe"	YZZG4ZC73V8UAV52866JKHAUYHM.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4180	T7VJ56T35XVD6WW1X948W9607369.exe
4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe
3948	DC99UJ140U3K13HE8L78.exe

Loads dropped DLL 3 IoCs

pid	Process
4180	T7VJ56T35XVD6WW1X948W9607369.exe
4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe
3948	DC99UJ140U3K13HE8L78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4180	T7VJ56T35XVD6WW1X948W9607369.exe
4180	T7VJ56T35XVD6WW1X948W9607369.exe
4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe
4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe
4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe
4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe
3948	DC99UJ140U3K13HE8L78.exe
3948	DC99UJ140U3K13HE8L78.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4180	T7VJ56T35XVD6WW1X948W9607369.exe
Token: SeDebugPrivilege	4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe
Token: SeDebugPrivilege	3948	DC99UJ140U3K13HE8L78.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1912	26819f9bb856b8c436b55968719daccae2009d4585dd4497a04cdc95cec9161d.exe
1912	26819f9bb856b8c436b55968719daccae2009d4585dd4497a04cdc95cec9161d.exe
4180	T7VJ56T35XVD6WW1X948W9607369.exe
4180	T7VJ56T35XVD6WW1X948W9607369.exe
4180	T7VJ56T35XVD6WW1X948W9607369.exe
4180	T7VJ56T35XVD6WW1X948W9607369.exe
4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe
4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe
4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe
4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe
3948	DC99UJ140U3K13HE8L78.exe
3948	DC99UJ140U3K13HE8L78.exe
3948	DC99UJ140U3K13HE8L78.exe
3948	DC99UJ140U3K13HE8L78.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 4180	1912	26819f9bb856b8c436b55968719daccae2009d4585dd4497a04cdc95cec9161d.exe	80
PID 1912 wrote to memory of 4180	1912	26819f9bb856b8c436b55968719daccae2009d4585dd4497a04cdc95cec9161d.exe	80
PID 1912 wrote to memory of 4180	1912	26819f9bb856b8c436b55968719daccae2009d4585dd4497a04cdc95cec9161d.exe	80
PID 4180 wrote to memory of 4720	4180	T7VJ56T35XVD6WW1X948W9607369.exe	81
PID 4180 wrote to memory of 4720	4180	T7VJ56T35XVD6WW1X948W9607369.exe	81
PID 4180 wrote to memory of 4720	4180	T7VJ56T35XVD6WW1X948W9607369.exe	81
PID 4720 wrote to memory of 3948	4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe	82
PID 4720 wrote to memory of 3948	4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe	82
PID 4720 wrote to memory of 3948	4720	YZZG4ZC73V8UAV52866JKHAUYHM.exe	82

C:\Users\Admin\AppData\Local\Temp\26819f9bb856b8c436b55968719daccae2009d4585dd4497a04cdc95cec9161d.exe
"C:\Users\Admin\AppData\Local\Temp\26819f9bb856b8c436b55968719daccae2009d4585dd4497a04cdc95cec9161d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912
- C:\ProgramData\1DTCWS3176P6VQ2DK0Y3OUZ955J08S\T7VJ56T35XVD6WW1X948W9607369.exe
  "C:\ProgramData\1DTCWS3176P6VQ2DK0Y3OUZ955J08S\T7VJ56T35XVD6WW1X948W9607369.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\E3S42G\YZZG4ZC73V8UAV52866JKHAUYHM.exe
    433A5C50726F6772616D446174615C314454435753333137365036565132444B3059334F555A3935354A3038535C5437564A3536543335585644365757315839343857393630373336392E657865
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\E3S42G\DC99UJ140U3K13HE8L78.exe
      433A5C50726F6772616D446174615C314454435753333137365036565132444B3059334F555A3935354A3038535C5437564A3536543335585644365757315839343857393630373336392E657865
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1DTCWS3176P6VQ2DK0Y3OUZ955J08S\T7VJ56T35XVD6WW1X948W9607369.data

Filesize
158B

MD5
1ae2151ef56e383ca2800a0d05fc2c72

SHA1
d6b284d32b8d3a7051472d4ed807dd258f4893bf

SHA256
dbf690f30689770bddfa4f383a79d82e08d55a080ace8590ab2ef4b970055d37

SHA512
3d279e12c8738d1716cdaf18c9bd8980e8cb4982279a209966aeedba593582ad523305c6d14f464c7ef8283fa4e905884dea1b385bda6cafcb2efd7b9ef5bf3a

Download Submit
C:\ProgramData\1DTCWS3176P6VQ2DK0Y3OUZ955J08S\T7VJ56T35XVD6WW1X948W9607369.data

Filesize
246B

MD5
a477a40d09a619768efa71d0cae66e86

SHA1
9bbb7f4579fdb9e643e80a8ac1004d4eaeae50e8

SHA256
74b2560cdda59b416fe75cd2aa9f98bb723f08d0d2cc502a77c030862939204b

SHA512
f67c1d2fa674cc9e9d91673738ca3a903adb0c5b74313bbf3abfd80103f79e382755a77d520dac51a75c690b5575fb2d87b164ee4eef9918f715ad1a47a861fb

Download Submit
C:\ProgramData\1DTCWS3176P6VQ2DK0Y3OUZ955J08S\T7VJ56T35XVD6WW1X948W9607369.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\ProgramData\1DTCWS3176P6VQ2DK0Y3OUZ955J08S\T7VJ56T35XVD6WW1X948W9607369.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\ProgramData\1DTCWS3176P6VQ2DK0Y3OUZ955J08S\goopdate.dll

Filesize
400KB

MD5
7f05f4d964cb2dd542d181ed5cfe17ca

SHA1
0c42c53f2af0425454b92aa06eb60107cdfe2bc5

SHA256
8b3ed5818437f7ff5e1b18341849853ef345432ea3c8f9ce3d7587ad1674c1bc

SHA512
b110e75abe457848a513cc09f7ea0a00ee8f41c3584ec042e12b74421c8aa0aefba3d8b69dbf0bb2d80272f444183902ab66af2abbdade287a3f0ecde86ecac3

Download Submit
C:\ProgramData\1DTCWS3176P6VQ2DK0Y3OUZ955J08S\goopdate.dll

Filesize
400KB

MD5
7f05f4d964cb2dd542d181ed5cfe17ca

SHA1
0c42c53f2af0425454b92aa06eb60107cdfe2bc5

SHA256
8b3ed5818437f7ff5e1b18341849853ef345432ea3c8f9ce3d7587ad1674c1bc

SHA512
b110e75abe457848a513cc09f7ea0a00ee8f41c3584ec042e12b74421c8aa0aefba3d8b69dbf0bb2d80272f444183902ab66af2abbdade287a3f0ecde86ecac3

Download Submit
C:\Users\Admin\AppData\Local\078BFBFF000306D2

Filesize
116B

MD5
9c5508f694ea2fb15a0921b416c27850

SHA1
f1bd796eb988e7ca660247d06481afc6d1a3e577

SHA256
df9bbaf67bda2fdce60398a0228a32c05342cb0048a1b7d2312ace29c136ae45

SHA512
a9304c2bba4c81e6cb40d766445823dcfbfc0a2816a3b099da348e45fbbe74363e8b5146de329c5a1b3c2ef08f978b493d0ae17db104c49e9cc1644752bfc9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3S42G\DC99UJ140U3K13HE8L78.data

Filesize
246B

MD5
a477a40d09a619768efa71d0cae66e86

SHA1
9bbb7f4579fdb9e643e80a8ac1004d4eaeae50e8

SHA256
74b2560cdda59b416fe75cd2aa9f98bb723f08d0d2cc502a77c030862939204b

SHA512
f67c1d2fa674cc9e9d91673738ca3a903adb0c5b74313bbf3abfd80103f79e382755a77d520dac51a75c690b5575fb2d87b164ee4eef9918f715ad1a47a861fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3S42G\DC99UJ140U3K13HE8L78.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3S42G\DC99UJ140U3K13HE8L78.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3S42G\YZZG4ZC73V8UAV52866JKHAUYHM.data

Filesize
158B

MD5
1ae2151ef56e383ca2800a0d05fc2c72

SHA1
d6b284d32b8d3a7051472d4ed807dd258f4893bf

SHA256
dbf690f30689770bddfa4f383a79d82e08d55a080ace8590ab2ef4b970055d37

SHA512
3d279e12c8738d1716cdaf18c9bd8980e8cb4982279a209966aeedba593582ad523305c6d14f464c7ef8283fa4e905884dea1b385bda6cafcb2efd7b9ef5bf3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3S42G\YZZG4ZC73V8UAV52866JKHAUYHM.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3S42G\YZZG4ZC73V8UAV52866JKHAUYHM.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3S42G\goopdate.dll

Filesize
400KB

MD5
7f05f4d964cb2dd542d181ed5cfe17ca

SHA1
0c42c53f2af0425454b92aa06eb60107cdfe2bc5

SHA256
8b3ed5818437f7ff5e1b18341849853ef345432ea3c8f9ce3d7587ad1674c1bc

SHA512
b110e75abe457848a513cc09f7ea0a00ee8f41c3584ec042e12b74421c8aa0aefba3d8b69dbf0bb2d80272f444183902ab66af2abbdade287a3f0ecde86ecac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3S42G\goopdate.dll

Filesize
400KB

MD5
7f05f4d964cb2dd542d181ed5cfe17ca

SHA1
0c42c53f2af0425454b92aa06eb60107cdfe2bc5

SHA256
8b3ed5818437f7ff5e1b18341849853ef345432ea3c8f9ce3d7587ad1674c1bc

SHA512
b110e75abe457848a513cc09f7ea0a00ee8f41c3584ec042e12b74421c8aa0aefba3d8b69dbf0bb2d80272f444183902ab66af2abbdade287a3f0ecde86ecac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3S42G\goopdate.dll

Filesize
400KB

MD5
7f05f4d964cb2dd542d181ed5cfe17ca

SHA1
0c42c53f2af0425454b92aa06eb60107cdfe2bc5

SHA256
8b3ed5818437f7ff5e1b18341849853ef345432ea3c8f9ce3d7587ad1674c1bc

SHA512
b110e75abe457848a513cc09f7ea0a00ee8f41c3584ec042e12b74421c8aa0aefba3d8b69dbf0bb2d80272f444183902ab66af2abbdade287a3f0ecde86ecac3

Download Submit
memory/3948-192-0x00000000044B0000-0x00000000045CB000-memory.dmp

Filesize
1.1MB

Download
memory/3948-197-0x0000000004170000-0x00000000041D3000-memory.dmp

Filesize
396KB

Download
memory/3948-185-0x00000000039F0000-0x0000000003CCC000-memory.dmp

Filesize
2.9MB

Download
memory/3948-186-0x00000000039F0000-0x0000000003CCC000-memory.dmp

Filesize
2.9MB

Download
memory/3948-174-0x0000000002890000-0x000000000297C000-memory.dmp

Filesize
944KB

Download
memory/3948-171-0x0000000000000000-mapping.dmp

Download
memory/3948-198-0x00000000041E0000-0x00000000042D1000-memory.dmp

Filesize
964KB

Download
memory/3948-178-0x0000000002890000-0x000000000297C000-memory.dmp

Filesize
944KB

Download
memory/3948-187-0x0000000004170000-0x00000000041D3000-memory.dmp

Filesize
396KB

Download
memory/3948-196-0x00000000039F0000-0x0000000003CCC000-memory.dmp

Filesize
2.9MB

Download
memory/3948-195-0x0000000004310000-0x0000000004362000-memory.dmp

Filesize
328KB

Download
memory/3948-194-0x0000000004800000-0x000000000496B000-memory.dmp

Filesize
1.4MB

Download
memory/3948-188-0x00000000041E0000-0x00000000042D1000-memory.dmp

Filesize
964KB

Download
memory/3948-189-0x00000000041E0000-0x00000000042D1000-memory.dmp

Filesize
964KB

Download
memory/3948-193-0x00000000045D0000-0x00000000046BA000-memory.dmp

Filesize
936KB

Download
memory/3948-191-0x0000000004800000-0x000000000496B000-memory.dmp

Filesize
1.4MB

Download
memory/4180-145-0x00000000047A0000-0x0000000004891000-memory.dmp

Filesize
964KB

Download
memory/4180-139-0x0000000003FC0000-0x000000000429C000-memory.dmp

Filesize
2.9MB

Download
memory/4180-142-0x00000000047A0000-0x0000000004891000-memory.dmp

Filesize
964KB

Download
memory/4180-140-0x0000000003FC0000-0x000000000429C000-memory.dmp

Filesize
2.9MB

Download
memory/4180-143-0x0000000004D20000-0x0000000004E8B000-memory.dmp

Filesize
1.4MB

Download
memory/4180-144-0x0000000004720000-0x0000000004783000-memory.dmp

Filesize
396KB

Download
memory/4180-149-0x0000000004E90000-0x0000000004EE2000-memory.dmp

Filesize
328KB

Download
memory/4180-138-0x0000000002DC0000-0x0000000002EAC000-memory.dmp

Filesize
944KB

Download
memory/4180-154-0x0000000003FC0000-0x000000000429C000-memory.dmp

Filesize
2.9MB

Download
memory/4180-136-0x0000000002DC0000-0x0000000002EAC000-memory.dmp

Filesize
944KB

Download
memory/4180-147-0x0000000004B00000-0x0000000004BEA000-memory.dmp

Filesize
936KB

Download
memory/4180-132-0x0000000000000000-mapping.dmp

Download
memory/4180-146-0x00000000049D0000-0x0000000004AEB000-memory.dmp

Filesize
1.1MB

Download
memory/4180-148-0x0000000004D20000-0x0000000004E8B000-memory.dmp

Filesize
1.4MB

Download
memory/4720-164-0x0000000004510000-0x0000000004573000-memory.dmp

Filesize
396KB

Download
memory/4720-179-0x0000000003C90000-0x0000000003F6C000-memory.dmp

Filesize
2.9MB

Download
memory/4720-180-0x0000000004580000-0x0000000004671000-memory.dmp

Filesize
964KB

Download
memory/4720-181-0x0000000004840000-0x000000000495B000-memory.dmp

Filesize
1.1MB

Download
memory/4720-182-0x0000000004960000-0x0000000004A4A000-memory.dmp

Filesize
936KB

Download
memory/4720-183-0x0000000004B90000-0x0000000004CFB000-memory.dmp

Filesize
1.4MB

Download
memory/4720-184-0x00000000046B0000-0x0000000004702000-memory.dmp

Filesize
328KB

Download
memory/4720-177-0x0000000004FA1000-0x0000000004FBE000-memory.dmp

Filesize
116KB

Download
memory/4720-176-0x0000000004FA0000-0x0000000004FC7000-memory.dmp

Filesize
156KB

Download
memory/4720-170-0x00000000046B0000-0x0000000004702000-memory.dmp

Filesize
328KB

Download
memory/4720-169-0x0000000004B90000-0x0000000004CFB000-memory.dmp

Filesize
1.4MB

Download
memory/4720-168-0x0000000004960000-0x0000000004A4A000-memory.dmp

Filesize
936KB

Download
memory/4720-167-0x0000000004840000-0x000000000495B000-memory.dmp

Filesize
1.1MB

Download
memory/4720-166-0x0000000004B90000-0x0000000004CFB000-memory.dmp

Filesize
1.4MB

Download
memory/4720-165-0x0000000004580000-0x0000000004671000-memory.dmp

Filesize
964KB

Download
memory/4720-162-0x0000000004580000-0x0000000004671000-memory.dmp

Filesize
964KB

Download
memory/4720-159-0x0000000003C90000-0x0000000003F6C000-memory.dmp

Filesize
2.9MB

Download
memory/4720-158-0x0000000003C90000-0x0000000003F6C000-memory.dmp

Filesize
2.9MB

Download
memory/4720-157-0x0000000002AE0000-0x0000000002BCC000-memory.dmp

Filesize
944KB

Download
memory/4720-155-0x0000000002AE0000-0x0000000002BCC000-memory.dmp

Filesize
944KB

Download
memory/4720-150-0x0000000000000000-mapping.dmp

Download