528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758

Analysis

max time kernel
152s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 13:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe
Size

261KB
MD5

06ab7ad50e3130d30399b01fac4e35b0
SHA1

59dba12cf943fb4f8026335b09d90f067ea5d3ad
SHA256

528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758
SHA512

bb737d79f9a55edc18a59c44017f6a3843f8fb2aa5f39f59e1ca2b7a6366323f8e5a2010fa17647401f3431057765e1c68a8685a6b84f19eec0b749affa216d4
SSDEEP

6144:KhRKv5LKnNthKb1UJBDcDwhp4bmW5iFjgMYHtmxwDwoz0YlTL:+0LKNo1qaAp4bhoFZYH5wy08

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
604	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1812	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe
1812	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe
676	taskmgr.exe
676	taskmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\root = "C:\\Users\\Admin\\AppData\\Roaming\\admin\\windowsfile.exe"	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\root = "\\admin\\windowsfile.exe"	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1536	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
604	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe
604	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
604	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	604	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe
Token: SeDebugPrivilege	676	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1812	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe
604	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 604	1812	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe	28
PID 1812 wrote to memory of 604	1812	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe	28
PID 1812 wrote to memory of 604	1812	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe	28
PID 1812 wrote to memory of 604	1812	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe	28
PID 1812 wrote to memory of 2040	1812	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe	29
PID 1812 wrote to memory of 2040	1812	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe	29
PID 1812 wrote to memory of 2040	1812	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe	29
PID 1812 wrote to memory of 2040	1812	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe	29
PID 604 wrote to memory of 676	604	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe	31
PID 604 wrote to memory of 676	604	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe	31
PID 604 wrote to memory of 676	604	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe	31
PID 604 wrote to memory of 676	604	528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe	31
PID 2040 wrote to memory of 1536	2040	cmd.exe	32
PID 2040 wrote to memory of 1536	2040	cmd.exe	32
PID 2040 wrote to memory of 1536	2040	cmd.exe	32
PID 2040 wrote to memory of 1536	2040	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe
"C:\Users\Admin\AppData\Local\Temp\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe
  "C:\Users\Admin\AppData\Local\Temp\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\SysWOW64\taskmgr.exe
    "C:\Windows\System32\taskmgr.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe

Filesize
261KB

MD5
06ab7ad50e3130d30399b01fac4e35b0

SHA1
59dba12cf943fb4f8026335b09d90f067ea5d3ad

SHA256
528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758

SHA512
bb737d79f9a55edc18a59c44017f6a3843f8fb2aa5f39f59e1ca2b7a6366323f8e5a2010fa17647401f3431057765e1c68a8685a6b84f19eec0b749affa216d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe

Filesize
261KB

MD5
06ab7ad50e3130d30399b01fac4e35b0

SHA1
59dba12cf943fb4f8026335b09d90f067ea5d3ad

SHA256
528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758

SHA512
bb737d79f9a55edc18a59c44017f6a3843f8fb2aa5f39f59e1ca2b7a6366323f8e5a2010fa17647401f3431057765e1c68a8685a6b84f19eec0b749affa216d4

Download Submit
C:\Users\Admin\AppData\Roaming\imlgs\08-11-2022

Filesize
49B

MD5
57a8e46db0e3adf12aa5c7c097dd2e35

SHA1
e7fd5721b7bd02f83dbb929f1b494031b4c563d4

SHA256
899a52d6f980459ee5f902b4af6f3f919cd97d6ab2cc5daf100fd0aa9c47c806

SHA512
5c7af3676f70902f87b09fa25367863e3460f2291d12e731726b2dec89b7133175663c23e83eeff0f4a17410a4014ddc314b79e7bd323a7c72f00e7518b8b8aa

Download Submit
\Users\Admin\AppData\Local\Temp\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe

Filesize
261KB

MD5
06ab7ad50e3130d30399b01fac4e35b0

SHA1
59dba12cf943fb4f8026335b09d90f067ea5d3ad

SHA256
528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758

SHA512
bb737d79f9a55edc18a59c44017f6a3843f8fb2aa5f39f59e1ca2b7a6366323f8e5a2010fa17647401f3431057765e1c68a8685a6b84f19eec0b749affa216d4

Download Submit
\Users\Admin\AppData\Local\Temp\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe

Filesize
261KB

MD5
06ab7ad50e3130d30399b01fac4e35b0

SHA1
59dba12cf943fb4f8026335b09d90f067ea5d3ad

SHA256
528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758

SHA512
bb737d79f9a55edc18a59c44017f6a3843f8fb2aa5f39f59e1ca2b7a6366323f8e5a2010fa17647401f3431057765e1c68a8685a6b84f19eec0b749affa216d4

Download Submit
\Users\Admin\AppData\Local\Temp\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe

Filesize
261KB

MD5
06ab7ad50e3130d30399b01fac4e35b0

SHA1
59dba12cf943fb4f8026335b09d90f067ea5d3ad

SHA256
528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758

SHA512
bb737d79f9a55edc18a59c44017f6a3843f8fb2aa5f39f59e1ca2b7a6366323f8e5a2010fa17647401f3431057765e1c68a8685a6b84f19eec0b749affa216d4

Download Submit
\Users\Admin\AppData\Local\Temp\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758\528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758.exe

Filesize
261KB

MD5
06ab7ad50e3130d30399b01fac4e35b0

SHA1
59dba12cf943fb4f8026335b09d90f067ea5d3ad

SHA256
528e78c97c1eb86221dd90f194904bbac0150f70fedbddceceead29035146758

SHA512
bb737d79f9a55edc18a59c44017f6a3843f8fb2aa5f39f59e1ca2b7a6366323f8e5a2010fa17647401f3431057765e1c68a8685a6b84f19eec0b749affa216d4

Download Submit
memory/604-67-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/604-71-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1812-63-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1812-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1812-55-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download