b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe
Size

200KB
MD5

0a61b7b1f70d609f70161f4dce53d290
SHA1

a4b6610df7e4c92ea8777df610d85b593dafc7f8
SHA256

b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7
SHA512

ae9bc96b9c61fe7c9ea8fbc703e2227cc76599ec0cb5753b4be9d7915f6d553f21eea9abc14e55a2266f0df58db4ac6fdccc2bced659c4eb0ddeb3afbad3d17c
SSDEEP

3072:9BI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ikanHul3vfS:9K5ArKjbAxXSaegUqGeGpBohMmH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
904	msrakmgr.exe
1952	~7CE.tmp
2044	regsdctr.exe

Loads dropped DLL 3 IoCs

pid	Process
736	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe
736	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe
904	msrakmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ipcoSVCS = "C:\\Users\\Admin\\AppData\\Roaming\\reloings\\msrakmgr.exe"	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsdctr.exe	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
904	msrakmgr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE
2044	regsdctr.exe
1416	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1416	Explorer.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1968	AcroRd32.exe
1968	AcroRd32.exe
1968	AcroRd32.exe
1968	AcroRd32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 904	736	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	27
PID 736 wrote to memory of 904	736	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	27
PID 736 wrote to memory of 904	736	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	27
PID 736 wrote to memory of 904	736	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	27
PID 904 wrote to memory of 1952	904	msrakmgr.exe	28
PID 904 wrote to memory of 1952	904	msrakmgr.exe	28
PID 904 wrote to memory of 1952	904	msrakmgr.exe	28
PID 904 wrote to memory of 1952	904	msrakmgr.exe	28
PID 1952 wrote to memory of 1416	1952	~7CE.tmp	16
PID 736 wrote to memory of 1968	736	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	30
PID 736 wrote to memory of 1968	736	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	30
PID 736 wrote to memory of 1968	736	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	30
PID 736 wrote to memory of 1968	736	b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416
- C:\Users\Admin\AppData\Local\Temp\b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe
  "C:\Users\Admin\AppData\Local\Temp\b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Users\Admin\AppData\Roaming\reloings\msrakmgr.exe
    "C:\Users\Admin\AppData\Roaming\reloings\msrakmgr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Users\Admin\AppData\Local\Temp\~7CE.tmp
      "C:\Users\Admin\AppData\Local\Temp\~7CE.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1952
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\~899.tmp.pdf"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1968

C:\Windows\SysWOW64\regsdctr.exe
C:\Windows\SysWOW64\regsdctr.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~7CE.tmp

Filesize
6KB

MD5
70b6cb107a4af4a59af756be6661020e

SHA1
b4a7ccb4e0371f2d7afe88637ab1d3046fb17ee7

SHA256
2c962098c383f3b8b99a91fc0f6d10b8694f8284eead758f6861cdeb48dc62eb

SHA512
20f682ccfef76b6fd2347aee39db18d6a6f07fe557324e07c974b0bf79d869844819d2883892cb99844760f2ed19e477e7912ddfbb0a703ec0b60db6ea45203b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~899.tmp.pdf

Filesize
8KB

MD5
53b6aedf7552363ef189badd823b5153

SHA1
59107eb0c5d94f4ec19c2e89114513ed2490640c

SHA256
e7d085103f208cfa2198a0c111c4fe2ad7ced06dd2f9c4628bca169e2f4d0eb3

SHA512
38d3411d0c17d2ce9bd6409c18db341c278c14d48a05610ff8547a71a42cf858fa78f83ec150cd028e355f990aabecea96d0de21c60b68e77e99b3f100e46583

Download Submit
C:\Users\Admin\AppData\Roaming\reloings\msrakmgr.exe

Filesize
172KB

MD5
d827b583af8225118a85bd5094f1a9a9

SHA1
48d3e12d1c107318a409c81d165bf03afbac01be

SHA256
5352cdf314fc8f54d7edaa751546c5bd9beafa246c867993bc208afaaa63c315

SHA512
df4712060fd28caa66cf9a4757c81d8364b5712b7f5de4d6fb657473b1c9634c924856e80b24634e65fb2ad5e9befe541f2ef1a455a518b187e0e592c82fb677

Download Submit
C:\Users\Admin\AppData\Roaming\reloings\msrakmgr.exe

Filesize
172KB

MD5
d827b583af8225118a85bd5094f1a9a9

SHA1
48d3e12d1c107318a409c81d165bf03afbac01be

SHA256
5352cdf314fc8f54d7edaa751546c5bd9beafa246c867993bc208afaaa63c315

SHA512
df4712060fd28caa66cf9a4757c81d8364b5712b7f5de4d6fb657473b1c9634c924856e80b24634e65fb2ad5e9befe541f2ef1a455a518b187e0e592c82fb677

Download Submit
C:\Windows\SysWOW64\regsdctr.exe

Filesize
200KB

MD5
0a61b7b1f70d609f70161f4dce53d290

SHA1
a4b6610df7e4c92ea8777df610d85b593dafc7f8

SHA256
b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7

SHA512
ae9bc96b9c61fe7c9ea8fbc703e2227cc76599ec0cb5753b4be9d7915f6d553f21eea9abc14e55a2266f0df58db4ac6fdccc2bced659c4eb0ddeb3afbad3d17c

Download Submit
C:\Windows\SysWOW64\regsdctr.exe

Filesize
200KB

MD5
0a61b7b1f70d609f70161f4dce53d290

SHA1
a4b6610df7e4c92ea8777df610d85b593dafc7f8

SHA256
b2cd7adad16447a9887db379a499bd32d0fc39d18b90c213ca3e2798ed3b7cd7

SHA512
ae9bc96b9c61fe7c9ea8fbc703e2227cc76599ec0cb5753b4be9d7915f6d553f21eea9abc14e55a2266f0df58db4ac6fdccc2bced659c4eb0ddeb3afbad3d17c

Download Submit
\Users\Admin\AppData\Local\Temp\~7CE.tmp

Filesize
6KB

MD5
70b6cb107a4af4a59af756be6661020e

SHA1
b4a7ccb4e0371f2d7afe88637ab1d3046fb17ee7

SHA256
2c962098c383f3b8b99a91fc0f6d10b8694f8284eead758f6861cdeb48dc62eb

SHA512
20f682ccfef76b6fd2347aee39db18d6a6f07fe557324e07c974b0bf79d869844819d2883892cb99844760f2ed19e477e7912ddfbb0a703ec0b60db6ea45203b

Download Submit
\Users\Admin\AppData\Roaming\reloings\msrakmgr.exe

Filesize
172KB

MD5
d827b583af8225118a85bd5094f1a9a9

SHA1
48d3e12d1c107318a409c81d165bf03afbac01be

SHA256
5352cdf314fc8f54d7edaa751546c5bd9beafa246c867993bc208afaaa63c315

SHA512
df4712060fd28caa66cf9a4757c81d8364b5712b7f5de4d6fb657473b1c9634c924856e80b24634e65fb2ad5e9befe541f2ef1a455a518b187e0e592c82fb677

Download Submit
\Users\Admin\AppData\Roaming\reloings\msrakmgr.exe

Filesize
172KB

MD5
d827b583af8225118a85bd5094f1a9a9

SHA1
48d3e12d1c107318a409c81d165bf03afbac01be

SHA256
5352cdf314fc8f54d7edaa751546c5bd9beafa246c867993bc208afaaa63c315

SHA512
df4712060fd28caa66cf9a4757c81d8364b5712b7f5de4d6fb657473b1c9634c924856e80b24634e65fb2ad5e9befe541f2ef1a455a518b187e0e592c82fb677

Download Submit
memory/736-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/736-55-0x0000000000240000-0x0000000000285000-memory.dmp

Filesize
276KB

Download
memory/1416-65-0x00000000021E0000-0x0000000002221000-memory.dmp

Filesize
260KB

Download
memory/1416-73-0x00000000021E0000-0x0000000002221000-memory.dmp

Filesize
260KB

Download
memory/2044-72-0x00000000000E0000-0x0000000000125000-memory.dmp

Filesize
276KB

Download