b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe
Size

316KB
MD5

0de1dbe48bb503e14ae9ee01c0a5b426
SHA1

95d6254524ac7f4e76cc7c95c0ac8fee30303357
SHA256

b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8
SHA512

b12df8eddb86a91857610a8b385829ae797d5d27b45a8bfeb1d2ca12d41011f005b6cd1e90b281bc0ab7b2dfca9bd16733a60b25772075a740b66b4c61e0195c
SSDEEP

3072:LKqtlhcWqLPJR9i0tPaChd/XMRPEsgt2LZLn:LKUlWWqLPJR9i0tPaChd/XMRPEsgtQZ

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\21164 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msyiybiz.scr"	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
2000	FileName.exe
524	FileName.exe
980	FileName.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/536-59-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/536-61-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/536-62-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/536-65-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/536-66-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/536-69-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/536-102-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe
536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe
536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe
536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe
536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key Name = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\FileName.exe"	reg.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	FileName.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	FileName.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 536	1520	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	28
PID 2000 set thread context of 524	2000	FileName.exe	33
PID 2000 set thread context of 980	2000	FileName.exe	34

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\msyiybiz.scr	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
980	FileName.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
980	FileName.exe
980	FileName.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe
Token: SeDebugPrivilege	524	FileName.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1520	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe
536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe
2000	FileName.exe
524	FileName.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 536	1520	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	28
PID 1520 wrote to memory of 536	1520	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	28
PID 1520 wrote to memory of 536	1520	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	28
PID 1520 wrote to memory of 536	1520	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	28
PID 1520 wrote to memory of 536	1520	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	28
PID 1520 wrote to memory of 536	1520	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	28
PID 1520 wrote to memory of 536	1520	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	28
PID 1520 wrote to memory of 536	1520	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	28
PID 536 wrote to memory of 1996	536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	29
PID 536 wrote to memory of 1996	536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	29
PID 536 wrote to memory of 1996	536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	29
PID 536 wrote to memory of 1996	536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	29
PID 1996 wrote to memory of 2012	1996	cmd.exe	31
PID 1996 wrote to memory of 2012	1996	cmd.exe	31
PID 1996 wrote to memory of 2012	1996	cmd.exe	31
PID 1996 wrote to memory of 2012	1996	cmd.exe	31
PID 536 wrote to memory of 2000	536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	32
PID 536 wrote to memory of 2000	536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	32
PID 536 wrote to memory of 2000	536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	32
PID 536 wrote to memory of 2000	536	b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe	32
PID 2000 wrote to memory of 524	2000	FileName.exe	33
PID 2000 wrote to memory of 524	2000	FileName.exe	33
PID 2000 wrote to memory of 524	2000	FileName.exe	33
PID 2000 wrote to memory of 524	2000	FileName.exe	33
PID 2000 wrote to memory of 524	2000	FileName.exe	33
PID 2000 wrote to memory of 524	2000	FileName.exe	33
PID 2000 wrote to memory of 524	2000	FileName.exe	33
PID 2000 wrote to memory of 524	2000	FileName.exe	33
PID 2000 wrote to memory of 980	2000	FileName.exe	34
PID 2000 wrote to memory of 980	2000	FileName.exe	34
PID 2000 wrote to memory of 980	2000	FileName.exe	34
PID 2000 wrote to memory of 980	2000	FileName.exe	34
PID 2000 wrote to memory of 980	2000	FileName.exe	34
PID 2000 wrote to memory of 980	2000	FileName.exe	34
PID 2000 wrote to memory of 980	2000	FileName.exe	34
PID 980 wrote to memory of 1364	980	FileName.exe	35
PID 980 wrote to memory of 1364	980	FileName.exe	35
PID 980 wrote to memory of 1364	980	FileName.exe	35
PID 980 wrote to memory of 1364	980	FileName.exe	35

C:\Users\Admin\AppData\Local\Temp\b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe
"C:\Users\Admin\AppData\Local\Temp\b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe
  "C:\Users\Admin\AppData\Local\Temp\b7d4dcf0fdcfd2b36b9f3f49be10f0fc68a42d587cac4a9394771acb0e6e51a8.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\QVGHE.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Key Name" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe" /f
      4⤵
      Adds Run key to start application
      PID:2012
- - C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe
    "C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe
      "C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:524
  - - C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe
      "C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe"
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:980
    - - C:\Windows\syswow64\svchost.exe
        
        C:\Windows\syswow64\svchost.exe
        5⤵
        Adds policy Run key to start application
        Drops file in Program Files directory
        
        PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QVGHE.bat

Filesize
149B

MD5
a7721cdbbbba65653ea208cb8193d12b

SHA1
ddf61419fa642e1176c559790138e3a0ee898c65

SHA256
d2336e875fe13cec23a748d16db82a25ba2dff3ec8f7477e84c4121f4d2a6847

SHA512
12fbec3ddb7eb7da28a12889a32f4f2aeb20bab9564d876760f82f7615c017b592381ab6ba3d945ffdeba86a150f54ccbdfa961580b74fa6692fbcbb24b11bb6

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe

Filesize
316KB

MD5
6106a70404e47eaf57c128ed448b5878

SHA1
34576ce22f63d95e7c6c17dd48a85647a031b380

SHA256
b6a7e70b3b79f14cdbac5142125d15a4a778fea55e62ea04486e4fa8bec170f8

SHA512
9a3150a016e745d23dbec7764f4f3733fb4940f31908cc1f4307eea2fea3bea3cbc05d648756bef279719de9473e81d8e2f8a5543bdd0a2750c56e8f55aed07f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe

Filesize
316KB

MD5
6106a70404e47eaf57c128ed448b5878

SHA1
34576ce22f63d95e7c6c17dd48a85647a031b380

SHA256
b6a7e70b3b79f14cdbac5142125d15a4a778fea55e62ea04486e4fa8bec170f8

SHA512
9a3150a016e745d23dbec7764f4f3733fb4940f31908cc1f4307eea2fea3bea3cbc05d648756bef279719de9473e81d8e2f8a5543bdd0a2750c56e8f55aed07f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe

Filesize
316KB

MD5
6106a70404e47eaf57c128ed448b5878

SHA1
34576ce22f63d95e7c6c17dd48a85647a031b380

SHA256
b6a7e70b3b79f14cdbac5142125d15a4a778fea55e62ea04486e4fa8bec170f8

SHA512
9a3150a016e745d23dbec7764f4f3733fb4940f31908cc1f4307eea2fea3bea3cbc05d648756bef279719de9473e81d8e2f8a5543bdd0a2750c56e8f55aed07f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe

Filesize
316KB

MD5
6106a70404e47eaf57c128ed448b5878

SHA1
34576ce22f63d95e7c6c17dd48a85647a031b380

SHA256
b6a7e70b3b79f14cdbac5142125d15a4a778fea55e62ea04486e4fa8bec170f8

SHA512
9a3150a016e745d23dbec7764f4f3733fb4940f31908cc1f4307eea2fea3bea3cbc05d648756bef279719de9473e81d8e2f8a5543bdd0a2750c56e8f55aed07f

Download Submit
\Users\Admin\AppData\Roaming\FolderName\FileName.exe

Filesize
316KB

MD5
6106a70404e47eaf57c128ed448b5878

SHA1
34576ce22f63d95e7c6c17dd48a85647a031b380

SHA256
b6a7e70b3b79f14cdbac5142125d15a4a778fea55e62ea04486e4fa8bec170f8

SHA512
9a3150a016e745d23dbec7764f4f3733fb4940f31908cc1f4307eea2fea3bea3cbc05d648756bef279719de9473e81d8e2f8a5543bdd0a2750c56e8f55aed07f

Download Submit
\Users\Admin\AppData\Roaming\FolderName\FileName.exe

Filesize
316KB

MD5
6106a70404e47eaf57c128ed448b5878

SHA1
34576ce22f63d95e7c6c17dd48a85647a031b380

SHA256
b6a7e70b3b79f14cdbac5142125d15a4a778fea55e62ea04486e4fa8bec170f8

SHA512
9a3150a016e745d23dbec7764f4f3733fb4940f31908cc1f4307eea2fea3bea3cbc05d648756bef279719de9473e81d8e2f8a5543bdd0a2750c56e8f55aed07f

Download Submit
\Users\Admin\AppData\Roaming\FolderName\FileName.exe

Filesize
316KB

MD5
6106a70404e47eaf57c128ed448b5878

SHA1
34576ce22f63d95e7c6c17dd48a85647a031b380

SHA256
b6a7e70b3b79f14cdbac5142125d15a4a778fea55e62ea04486e4fa8bec170f8

SHA512
9a3150a016e745d23dbec7764f4f3733fb4940f31908cc1f4307eea2fea3bea3cbc05d648756bef279719de9473e81d8e2f8a5543bdd0a2750c56e8f55aed07f

Download Submit
\Users\Admin\AppData\Roaming\FolderName\FileName.exe

Filesize
316KB

MD5
6106a70404e47eaf57c128ed448b5878

SHA1
34576ce22f63d95e7c6c17dd48a85647a031b380

SHA256
b6a7e70b3b79f14cdbac5142125d15a4a778fea55e62ea04486e4fa8bec170f8

SHA512
9a3150a016e745d23dbec7764f4f3733fb4940f31908cc1f4307eea2fea3bea3cbc05d648756bef279719de9473e81d8e2f8a5543bdd0a2750c56e8f55aed07f

Download Submit
\Users\Admin\AppData\Roaming\FolderName\FileName.exe

Filesize
316KB

MD5
6106a70404e47eaf57c128ed448b5878

SHA1
34576ce22f63d95e7c6c17dd48a85647a031b380

SHA256
b6a7e70b3b79f14cdbac5142125d15a4a778fea55e62ea04486e4fa8bec170f8

SHA512
9a3150a016e745d23dbec7764f4f3733fb4940f31908cc1f4307eea2fea3bea3cbc05d648756bef279719de9473e81d8e2f8a5543bdd0a2750c56e8f55aed07f

Download Submit
memory/536-70-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/536-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/536-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/536-102-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/536-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/536-66-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/536-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/536-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/536-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/980-99-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/980-105-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/980-95-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/980-93-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1364-106-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/1364-107-0x00000000000C0000-0x00000000000C5000-memory.dmp

Filesize
20KB

Download
memory/1364-108-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/1364-109-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/1520-56-0x0000000000313000-0x000000000032D000-memory.dmp

Filesize
104KB

Download
memory/2000-83-0x0000000000613000-0x000000000062D000-memory.dmp

Filesize
104KB

Download