f8f7aaa0c52efd8ea923150e79e6eede00e51095f508a8d00f40b28181d8342b

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8f7aaa0c52efd8ea923150e79e6eede00e51095f508a8d00f40b28181d8342b.exe
Size

2.1MB
MD5

011e239e4dc9b58f3ce1ca06e79487c2
SHA1

2be90c1e8dc1719e6fb66bdd13d3c96048e70d71
SHA256

f8f7aaa0c52efd8ea923150e79e6eede00e51095f508a8d00f40b28181d8342b
SHA512

9c9e5baf42d98815e5a96a3493853e1fd1c79b2a0b0aaf499e91e6a4ff3082f8a882cdca9bad447901d2225a464ed830e03b6376de8410191071885e64a78d69
SSDEEP

24576:h1OYdaOmqU2Uzf55ilCfBJyvWSzbDBXEZc78KU88S7hrQzcl:h1OsIqBI55ilCf0jvThr4U

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1696	CBlzvpwQkCz2SNs.exe
2024	CBlzvpwQkCz2SNs.exe

Loads dropped DLL 4 IoCs

pid	Process
1352	f8f7aaa0c52efd8ea923150e79e6eede00e51095f508a8d00f40b28181d8342b.exe
1696	CBlzvpwQkCz2SNs.exe
1696	CBlzvpwQkCz2SNs.exe
2024	CBlzvpwQkCz2SNs.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\__aHTML\shell\Edit	CBlzvpwQkCz2SNs.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\__aHTML\shell\Edit\command	CBlzvpwQkCz2SNs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\STUZKG.tmp\\CBlzvpwQkCz2SNs.exe\" target \".\\\" bits downExt"	CBlzvpwQkCz2SNs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\__aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\STUZKG.tmp\\CBlzvpwQkCz2SNs.exe\" target \".\\\" bits downExt"	CBlzvpwQkCz2SNs.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SystemFileAssociations	CBlzvpwQkCz2SNs.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit	CBlzvpwQkCz2SNs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command\ = "Notepad.exe"	CBlzvpwQkCz2SNs.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\ddeexec	CBlzvpwQkCz2SNs.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\__aHTML	CBlzvpwQkCz2SNs.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\__aHTML\shell	CBlzvpwQkCz2SNs.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SystemFileAssociations\.aHTML\shell	CBlzvpwQkCz2SNs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\__aHTML\shell\Edit\command\ = "Notepad.exe"	CBlzvpwQkCz2SNs.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.aHTML	CBlzvpwQkCz2SNs.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.aHTML\OpenWithProgids	CBlzvpwQkCz2SNs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.aHTML\OpenWithProgids\__aHTML	CBlzvpwQkCz2SNs.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\__aHTML\shell\Edit\ddeexec	CBlzvpwQkCz2SNs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.aHTML\ = "__aHTML"	CBlzvpwQkCz2SNs.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SystemFileAssociations\.aHTML	CBlzvpwQkCz2SNs.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command	CBlzvpwQkCz2SNs.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2024	CBlzvpwQkCz2SNs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	CBlzvpwQkCz2SNs.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1696	1352	f8f7aaa0c52efd8ea923150e79e6eede00e51095f508a8d00f40b28181d8342b.exe	26
PID 1352 wrote to memory of 1696	1352	f8f7aaa0c52efd8ea923150e79e6eede00e51095f508a8d00f40b28181d8342b.exe	26
PID 1352 wrote to memory of 1696	1352	f8f7aaa0c52efd8ea923150e79e6eede00e51095f508a8d00f40b28181d8342b.exe	26
PID 1352 wrote to memory of 1696	1352	f8f7aaa0c52efd8ea923150e79e6eede00e51095f508a8d00f40b28181d8342b.exe	26
PID 1696 wrote to memory of 2024	1696	CBlzvpwQkCz2SNs.exe	27
PID 1696 wrote to memory of 2024	1696	CBlzvpwQkCz2SNs.exe	27
PID 1696 wrote to memory of 2024	1696	CBlzvpwQkCz2SNs.exe	27
PID 1696 wrote to memory of 2024	1696	CBlzvpwQkCz2SNs.exe	27
PID 2024 wrote to memory of 1272	2024	CBlzvpwQkCz2SNs.exe	28
PID 2024 wrote to memory of 1272	2024	CBlzvpwQkCz2SNs.exe	28
PID 2024 wrote to memory of 1272	2024	CBlzvpwQkCz2SNs.exe	28
PID 2024 wrote to memory of 1272	2024	CBlzvpwQkCz2SNs.exe	28
PID 2024 wrote to memory of 1272	2024	CBlzvpwQkCz2SNs.exe	28
PID 2024 wrote to memory of 1272	2024	CBlzvpwQkCz2SNs.exe	28
PID 2024 wrote to memory of 1272	2024	CBlzvpwQkCz2SNs.exe	28

C:\Users\Admin\AppData\Local\Temp\f8f7aaa0c52efd8ea923150e79e6eede00e51095f508a8d00f40b28181d8342b.exe
"C:\Users\Admin\AppData\Local\Temp\f8f7aaa0c52efd8ea923150e79e6eede00e51095f508a8d00f40b28181d8342b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\7zS3BD9.tmp\CBlzvpwQkCz2SNs.exe
  .\CBlzvpwQkCz2SNs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\STUZKG.tmp\CBlzvpwQkCz2SNs.exe
    "C:\Users\Admin\AppData\Local\Temp\STUZKG.tmp\CBlzvpwQkCz2SNs.exe" target ".\" bits downExt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s ".\\OSUhfOuBsC42O8.x64.dll"
      4⤵
      PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS3BD9.tmp\CBlzvpwQkCz2SNs.dat

Filesize
15KB

MD5
f80ef8f1c58bbc198b217acc585dac7d

SHA1
118bdebc4a0a93e06dbe3f0ce904d20eedb80350

SHA256
50f4ce00306d27c5ad35b5d0d4680d56e6c0ba78e8221929cee536788cf250ea

SHA512
ef8e87be8f73147f63620b15d5d9d0cde4f0761afff518631fed321261a4063a03ffea2fb113d72a1cf3e9cb3f3a637cb52f3f57ba51de8b9e2bf5a8e5c3e706

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3BD9.tmp\CBlzvpwQkCz2SNs.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3BD9.tmp\CBlzvpwQkCz2SNs.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3BD9.tmp\OSUhfOuBsC42O8.dll

Filesize
863KB

MD5
61d272222a2bd7801d81f84432ec3947

SHA1
d5aa29570591c3ec8ab3525f450796e0549c309b

SHA256
ad857b00bbd5c29ccca5fe9f628dc44515d0bcaaa5bb0cc48215bbbac4bbd12d

SHA512
48ce5ae10038f74e8eb6c0703a84abb018dd9301acd163012466cb37f76f0b01a0c89d0a6bf9d99335928302a9b8ef5946ccb4ec49d0fff31f6d50f9311ec239

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3BD9.tmp\OSUhfOuBsC42O8.tlb

Filesize
5KB

MD5
1ca45b386c7b01e1bd45ef4e291d3f70

SHA1
dcabb955bc45b182231459d7e64cba59592c907e

SHA256
495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c

SHA512
87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3BD9.tmp\OSUhfOuBsC42O8.x64.dll

Filesize
945KB

MD5
966909532c893112bc268ab3062f83e5

SHA1
8b04dd2ae5c36cba93d2171ea09a26d12175235e

SHA256
cdfbb548f02dc87d39d399c8b219a5a0c820d49b760da011812e0a8c38ab70fa

SHA512
38ea4a65dbbe4b6f697e5ff5464741ab073e85fd55bd04c4e362672048451b860fd5f8fea07be211b54e60327c16a22b847997e9ef5b9de84a86fb62334839a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUZKG.tmp\CBlzvpwQkCz2SNs.dat

Filesize
15KB

MD5
f80ef8f1c58bbc198b217acc585dac7d

SHA1
118bdebc4a0a93e06dbe3f0ce904d20eedb80350

SHA256
50f4ce00306d27c5ad35b5d0d4680d56e6c0ba78e8221929cee536788cf250ea

SHA512
ef8e87be8f73147f63620b15d5d9d0cde4f0761afff518631fed321261a4063a03ffea2fb113d72a1cf3e9cb3f3a637cb52f3f57ba51de8b9e2bf5a8e5c3e706

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUZKG.tmp\CBlzvpwQkCz2SNs.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUZKG.tmp\CBlzvpwQkCz2SNs.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUZKG.tmp\OSUhfOuBsC42O8.dll

Filesize
863KB

MD5
61d272222a2bd7801d81f84432ec3947

SHA1
d5aa29570591c3ec8ab3525f450796e0549c309b

SHA256
ad857b00bbd5c29ccca5fe9f628dc44515d0bcaaa5bb0cc48215bbbac4bbd12d

SHA512
48ce5ae10038f74e8eb6c0703a84abb018dd9301acd163012466cb37f76f0b01a0c89d0a6bf9d99335928302a9b8ef5946ccb4ec49d0fff31f6d50f9311ec239

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUZKG.tmp\OSUhfOuBsC42O8.tlb

Filesize
5KB

MD5
1ca45b386c7b01e1bd45ef4e291d3f70

SHA1
dcabb955bc45b182231459d7e64cba59592c907e

SHA256
495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c

SHA512
87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUZKG.tmp\OSUhfOuBsC42O8.x64.dll

Filesize
945KB

MD5
966909532c893112bc268ab3062f83e5

SHA1
8b04dd2ae5c36cba93d2171ea09a26d12175235e

SHA256
cdfbb548f02dc87d39d399c8b219a5a0c820d49b760da011812e0a8c38ab70fa

SHA512
38ea4a65dbbe4b6f697e5ff5464741ab073e85fd55bd04c4e362672048451b860fd5f8fea07be211b54e60327c16a22b847997e9ef5b9de84a86fb62334839a3

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3BD9.tmp\CBlzvpwQkCz2SNs.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit
\Users\Admin\AppData\Local\Temp\STUZKG.tmp\CBlzvpwQkCz2SNs.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit
\Users\Admin\AppData\Local\Temp\STUZKG.tmp\CBlzvpwQkCz2SNs.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit
\Users\Admin\AppData\Local\Temp\STUZKG.tmp\OSUhfOuBsC42O8.dll

Filesize
863KB

MD5
61d272222a2bd7801d81f84432ec3947

SHA1
d5aa29570591c3ec8ab3525f450796e0549c309b

SHA256
ad857b00bbd5c29ccca5fe9f628dc44515d0bcaaa5bb0cc48215bbbac4bbd12d

SHA512
48ce5ae10038f74e8eb6c0703a84abb018dd9301acd163012466cb37f76f0b01a0c89d0a6bf9d99335928302a9b8ef5946ccb4ec49d0fff31f6d50f9311ec239

Download Submit
memory/1352-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download