4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 04:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
Size

250KB
MD5

0840bb99276fddc94a08a7beef9e0729
SHA1

8332ab4c073e37a5c835e91933c8188d57956118
SHA256

4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2
SHA512

600dbd792ec1fd251b425463be6bfa8900fc938ddaaefa2633e20d6c4d1fa44264c5dd62a73e4adc7db85f286bd4dd419d7f2f48fd84365af8a443144a044b49
SSDEEP

6144:AfizLw9ZmdoFD+sZktrOEz2jCNdgt9LhRKS+OI3apFQi2aP/dhaki:sIwfPYtrJ6jCro9LXP+d3iFQi5P/dhaZ

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	sgcxcxxaspf080610.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\nyuserinit = "C:\\Windows\\system32\\inf\\svchostc.exe C:\\Windows\\twftadfia16_080610.dll tanlt88"	sgcxcxxaspf080610.exe

Executes dropped EXE 2 IoCs

pid	Process
1396	svchostc.exe
1996	sgcxcxxaspf080610.exe

Deletes itself 1 IoCs

pid	Process
1396	svchostc.exe

Loads dropped DLL 3 IoCs

pid	Process
1620	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
2044	cmd.exe
2044	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\scsys16_080610.dll	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
File created	C:\Windows\SysWOW64\inf\svchostc.exe	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchostc.exe	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
File created	C:\Windows\SysWOW64\inf\sppdcrs080610.scr	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\twisys.ini	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
File created	C:\Windows\system\sgcxcxxaspf080610.exe	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
File created	C:\Windows\tdcbdcasys32_080610.dll	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
File created	C:\Windows\twftadfia16_080610.dll	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
File opened for modification	C:\Windows\twisys.ini	svchostc.exe
File opened for modification	C:\Windows\twisys.ini	sgcxcxxaspf080610.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	sgcxcxxaspf080610.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1620	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
1620	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
1996	sgcxcxxaspf080610.exe
1996	sgcxcxxaspf080610.exe
1996	sgcxcxxaspf080610.exe
1996	sgcxcxxaspf080610.exe
1996	sgcxcxxaspf080610.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
Token: SeDebugPrivilege	1620	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
Token: SeDebugPrivilege	1996	sgcxcxxaspf080610.exe
Token: SeDebugPrivilege	1996	sgcxcxxaspf080610.exe
Token: SeDebugPrivilege	1996	sgcxcxxaspf080610.exe
Token: SeDebugPrivilege	1996	sgcxcxxaspf080610.exe
Token: SeDebugPrivilege	1996	sgcxcxxaspf080610.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1396	1620	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe	27
PID 1620 wrote to memory of 1396	1620	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe	27
PID 1620 wrote to memory of 1396	1620	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe	27
PID 1620 wrote to memory of 1396	1620	4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe	27
PID 1396 wrote to memory of 2044	1396	svchostc.exe	28
PID 1396 wrote to memory of 2044	1396	svchostc.exe	28
PID 1396 wrote to memory of 2044	1396	svchostc.exe	28
PID 1396 wrote to memory of 2044	1396	svchostc.exe	28
PID 2044 wrote to memory of 1996	2044	cmd.exe	30
PID 2044 wrote to memory of 1996	2044	cmd.exe	30
PID 2044 wrote to memory of 1996	2044	cmd.exe	30
PID 2044 wrote to memory of 1996	2044	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe
"C:\Users\Admin\AppData\Local\Temp\4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\inf\svchostc.exe
  "C:\Windows\system32\inf\svchostc.exe" C:\Windows\twftadfia16_080610.dll tanlt88
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\system\sgcxcxxaspf080610.exe
      "C:\Windows\system\sgcxcxxaspf080610.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\inf\svchostc.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\inf\svchostc.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\system\sgcxcxxaspf080610.exe

Filesize
250KB

MD5
0840bb99276fddc94a08a7beef9e0729

SHA1
8332ab4c073e37a5c835e91933c8188d57956118

SHA256
4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2

SHA512
600dbd792ec1fd251b425463be6bfa8900fc938ddaaefa2633e20d6c4d1fa44264c5dd62a73e4adc7db85f286bd4dd419d7f2f48fd84365af8a443144a044b49

Download Submit
C:\Windows\system\sgcxcxxaspf080610.exe

Filesize
250KB

MD5
0840bb99276fddc94a08a7beef9e0729

SHA1
8332ab4c073e37a5c835e91933c8188d57956118

SHA256
4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2

SHA512
600dbd792ec1fd251b425463be6bfa8900fc938ddaaefa2633e20d6c4d1fa44264c5dd62a73e4adc7db85f286bd4dd419d7f2f48fd84365af8a443144a044b49

Download Submit
C:\Windows\twftadfia16_080610.dll

Filesize
31KB

MD5
3b09102543d463258b97d6caa2e64d70

SHA1
7f1e3319826637c4c44a1fe6828d8ca5216020ef

SHA256
26dd0a8916905fe4fe8d19ac3e8fed8caf4e31bd60cccee08daa8ebc27ca507d

SHA512
e70e9ff32c62e087145ddc259cddc7b10258788083ea588987ace603acc6aa63a6ba29a58e7fe3e5318dc7c1d1a6ca373a5b21af8835b0e839b2e674767e1aa7

Download Submit
C:\Windows\twisys.ini

Filesize
466B

MD5
39be2b81198625db9c00497d21956814

SHA1
f631538305f05e8444636ec301a99b4179d53277

SHA256
47c69b5085a9c6138422cdcc0fdc8f370aae8f65c18739e74c2363d6f89a0278

SHA512
464912ee34fa21fc620183b3ede734fbd1a4dad775b5ba16b9a856967a2e85774b9ea03cdc8b010536abb12b567eb805df6781e5f876a0cb441a75c11b2fdd46

Download Submit
C:\Windows\twisys.ini

Filesize
364B

MD5
10c8828c21be51438da9c18168b88008

SHA1
8dfba7918d985fb3605026813f8a6783dd2d0fcf

SHA256
e27b04f7ce08f8fc6d104791184464eb6fac5d36b426f0ca1ed4b24603d34bc2

SHA512
5f3a2185964a44f467cd5d1d14975e6acbadccc6b741244e5c900886025ff8dbfbb07af03fcf12a15fa4ab7fbc8173f8357b7c99b5061adc3be0d648e51aa844

Download Submit
C:\Windows\twisys.ini

Filesize
392B

MD5
19bf4d53eecef81f7284b583ffb042d0

SHA1
5d1c2d59517e0a51fb6f3be7cdffec9a8668e401

SHA256
9d6478e61451b450dd013717ced566f1f1468968b43b8ea9b577397c3000000c

SHA512
4cd90341424e4c969b455dc552c0430460307ab7c5716ceeceb3ddd23359578b82d0b7e909c976dd7e36e71edce2d62d11dbc5cea8ca01be680672adb5098569

Download Submit
C:\Windows\twisys.ini

Filesize
398B

MD5
9c27838005e8985f51743748e8761468

SHA1
6ece4e45fb6ef5e4a3e41bf1a41945c2e196d41b

SHA256
66db3188a41401cf3265d267dec6c726797f84aabaa79bfd4aac15f4dd0db8db

SHA512
9a2519e1f03ed6c0393fd263965423bbb27b7661be1fd62032b92fe2e44e785ae0850f9e3ae87164fe2000654eaa1e86a2a82fafa33e016bcee6e0742371857c

Download Submit
\??\c:\mylstecj.bat

Filesize
53B

MD5
3791c5f4f0caa3b133429be03b677897

SHA1
dfae2514672d2599023c320abe37852f72364544

SHA256
25b746fb3baca566f2c076e02499165e9764b6d9a5294844c0ac68d695a78674

SHA512
623c9ddad90545e5dfcce77912908eceeec1f4869eba48e30316fcaa70fcdcbba02e3f078c1bef0f548ab6d73f77c63c1fc34038277531ef8a43bc03f78974dd

Download Submit
\Windows\SysWOW64\inf\svchostc.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\system\sgcxcxxaspf080610.exe

Filesize
250KB

MD5
0840bb99276fddc94a08a7beef9e0729

SHA1
8332ab4c073e37a5c835e91933c8188d57956118

SHA256
4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2

SHA512
600dbd792ec1fd251b425463be6bfa8900fc938ddaaefa2633e20d6c4d1fa44264c5dd62a73e4adc7db85f286bd4dd419d7f2f48fd84365af8a443144a044b49

Download Submit
\Windows\system\sgcxcxxaspf080610.exe

Filesize
250KB

MD5
0840bb99276fddc94a08a7beef9e0729

SHA1
8332ab4c073e37a5c835e91933c8188d57956118

SHA256
4597f7460bb5a8bb2b90191c6d08a35cbc0ceb77bd1fb5193083848d43cc88f2

SHA512
600dbd792ec1fd251b425463be6bfa8900fc938ddaaefa2633e20d6c4d1fa44264c5dd62a73e4adc7db85f286bd4dd419d7f2f48fd84365af8a443144a044b49

Download Submit
memory/1620-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download