Analysis
max time kernel: 184s
max time network: 191s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 22:41
Behavioral task behavioral1
Sample: 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
Resource: win7-20221111-en
Behavioral task behavioral2
Sample: 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
Resource: win10v2004-20221111-en
General
Target: 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
Size: 1000KB
MD5: 5243304fabf5c86ad841ae481c2facc0
SHA1: 19c2acb84a34e075f9979f24c665c70f31a7e071
SHA256: 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2
SHA512: fa28ce838a7e0995452b35b6e17ebc1128aa17020268f445afa6251186545b00633f25815e932f1c12aabfb7f3124e918d1c8d20b6cfcf73fbb9c662349e0623
SSDEEP: 24576:8ALZLnX+C/UPvnCEiEPAVoM5Xly3zGfvrtdP:jLtuCmvw8Gj5V/ztd
Malware Config
Signatures
Drops file in Drivers directory (2 IoCs)
Processes: 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
description | ioc | process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
File created | C:\Windows\System32\drivers\etc\hosts.ics | 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
YARA matches (3 IoCs)
resource | yara_rule
behavioral1/memory/1324-54-0x0000000000400000-0x0000000000610000-memory.dmp | vmprotect
behavioral1/memory/1324-59-0x0000000000400000-0x0000000000610000-memory.dmp | vmprotect
behavioral1/memory/1324-66-0x0000000000400000-0x0000000000610000-memory.dmp | vmprotect
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill (2 IoCs)
Processes: taskkill.exe, taskkill.exe
pid | process
968 | taskkill.exe
1692 | taskkill.exe
Modifies Internet Explorer settings (3 IoCs)
Processes: RunDll32.exe, 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | RunDll32.exe
Key created | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main | 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
Key created | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | RunDll32.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
pid | process
1324 | 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe (8 identical entries)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: taskkill.exe, taskkill.exe, AUDIODG.EXE
description | pid | process
Token: SeDebugPrivilege | 968 | taskkill.exe
Token: SeDebugPrivilege | 1692 | taskkill.exe
Token: 33 | 512 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 512 | AUDIODG.EXE
Token: 33 | 512 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 512 | AUDIODG.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe, RunDll32.exe
pid | process
1324 | 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
980 | RunDll32.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
pid | process
1324 | 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe (3 identical entries)
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
description | pid | process | target process
PID 1324 wrote to memory of 968 | 1324 | 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe | taskkill.exe (4 identical entries)
PID 1324 wrote to memory of 980 | 1324 | 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe | RunDll32.exe (7 identical entries)
PID 1324 wrote to memory of 1692 | 1324 | 54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe | taskkill.exe (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe"
   - Drops file in Drivers directory
   - Modifies Internet Explorer settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1324
   2. C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im lsas.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 968
   2. C:\Windows\SysWOW64\RunDll32.exe
      Command line: RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      PID: 980
   2. C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im lsas.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1692
1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x570
   - Suspicious use of AdjustPrivilegeToken
   PID: 512
Network
MITRE ATT&CK Enterprise v6
Downloads
file | size
memory/968-57-0x0000000000000000-mapping.dmp | (not listed)
memory/980-61-0x0000000000000000-mapping.dmp | (not listed)
memory/980-64-0x0000000072701000-0x0000000072703000-memory.dmp | 8KB
memory/1324-54-0x0000000000400000-0x0000000000610000-memory.dmp | 2.1MB
memory/1324-58-0x0000000076191000-0x0000000076193000-memory.dmp | 8KB
memory/1324-59-0x0000000000400000-0x0000000000610000-memory.dmp | 2.1MB
memory/1324-60-0x0000000002050000-0x0000000002060000-memory.dmp | 64KB
memory/1324-66-0x0000000000400000-0x0000000000610000-memory.dmp | 2.1MB
memory/1324-67-0x0000000002050000-0x0000000002060000-memory.dmp | 64KB
memory/1324-70-0x0000000007830000-0x0000000007844000-memory.dmp | 80KB
memory/1692-65-0x0000000000000000-mapping.dmp | (not listed)