Analysis
-
max time kernel
155s
-
max time network
171s
-
platform
windows7_x64
-
resource
win7-20221111-en
-
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
-
submitted
23-11-2022 06:52
Static task
static1
Behavioral task
behavioral1
Sample
3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe
Resource
win10v2004-20220812-en
General
-
Target
3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe
-
Size
635KB
-
MD5
fe61dffc07a3a637ccf775ac015ae4c0
-
SHA1
90db237ec18e4a8b6f848343cc251f4ff7bfca00
-
SHA256
3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97
-
SHA512
72972fd65f6619022c431bf3358a2908006f654a698efaa7d9e47c8aecccc8a4f32ab496736a0130af8a634e003ad152ee3619c10b674adc518d339127951505
-
SSDEEP
12288:2K2mhAMJ/cPlxipuOeyTaN2uiEqOHYRVPVT04rQWlHkAinpXdZ5FasY:32O/GlxGQUED4RVPVI8Qyqd7FaX
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
process: tqxcwyvf.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid: 2028
process: tqxcwyvf.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid: 1280
process: 3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe
(4 identical entries)
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
process: tqxcwyvf.exe
-
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\63zb9r132a8x = "\\Users\\Admin\\63zb9r132a8x\\nuycagcfli.vbs"
process: tqxcwyvf.exe
-
description: Key deleted
ioc: \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RUN
process: tqxcwyvf.exe
-
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
process: tqxcwyvf.exe
-
description: Key deleted
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN
process: tqxcwyvf.exe
-
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
process: tqxcwyvf.exe
-
Checks whether UAC is enabled
Processes:
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: tqxcwyvf.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 2028 set thread context of 524
pid: 2028
process: tqxcwyvf.exe
target process: RegSvcs.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description: File created
ioc: C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier
process: RegSvcs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid: 2028
process: tqxcwyvf.exe
(64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description: Token: SeDebugPrivilege
pid: 2028
process: tqxcwyvf.exe
(64 identical entries)
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description: PID 1280 wrote to memory of 2028
pid: 1280
process: 3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe
target process: tqxcwyvf.exe
(7 identical entries)
-
description: PID 2028 wrote to memory of 524
pid: 2028
process: tqxcwyvf.exe
target process: RegSvcs.exe
(9 identical entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\63zb9r132a8x\tqxcwyvf.exe
      Command line: "C:\Users\Admin\63zb9r132a8x\tqxcwyvf.exe" jikzqahddu.YQV
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
         - Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\63ZB9R~1\fyxnecymda.VJI
Filesize
229B
MD5
f8a18696cc245c90e3fda95a8a9327c8
SHA1
196ebdf852b1356d8828507e01eb486667aa6910
SHA256
114df2b748d1081c32acc4e154864a447e89b3beb4eb6142ad603f37fc0cd4ce
SHA512
1f9423bd55ecdf0a68d3a5c34abe2ae2ecb1cfc7932d729c7ca874172858282f9290df08257df09119fb538a683a8ac17dc2e9fa03a37055ea47d12ee7cbadcb
-
C:\Users\Admin\63ZB9R~1\gztw.BRH
Filesize
68KB
MD5
4fd9798aa6dbddfe4a3aa736670921af
SHA1
6f1f55856e26b85bd213a000688b38b14b619442
SHA256
1afb7acbc151fe99daa57a29e12f75b2c72de0bdd05c82dc5830600715ecd085
SHA512
4066f2288406dc1438bd43c00cb210a3ec544cd8b2ecb2e27a48f51a19f4d9a5e0215124fd27766bdd05cba64c0b846c71ec3daa9e9cc9c7098f82553c396b83
-
C:\Users\Admin\63zb9r132a8x\jikzqahddu.YQV
Filesize
35.6MB
MD5
13d7d38239430e4e555ed416dc6366c4
SHA1
f72f82f912a4cafc2dd1d2646c5e89ad0450c521
SHA256
9fb98509ac38f0e2ede552e816a349fffc6a47ccf7512b16d94d60aadb2bbfbc
SHA512
00b1b6d99aaea208c37ebdb86ae91514cee0769faca0a49c031c3118913a0daee4ceeda1fae62be58e528ec777e6db80a895506986ed8eb6e75a74a91384263d
-
C:\Users\Admin\63zb9r132a8x\tqxcwyvf.exe
Filesize
912KB
MD5
6a93a4071cc7c22628af40a4d872f49b
SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4
SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01
SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd
-
\Users\Admin\63zb9r132a8x\tqxcwyvf.exe
Filesize
912KB
MD5
6a93a4071cc7c22628af40a4d872f49b
SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4
SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01
SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd
-
memory/524-65-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize
92KB
-
memory/524-67-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize
92KB
-
memory/524-68-0x0000000000401F8F-mapping.dmp
-
memory/524-71-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize
92KB
-
memory/524-73-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize
92KB
-
memory/1280-54-0x0000000074C41000-0x0000000074C43000-memory.dmp
Filesize
8KB
-
memory/2028-59-0x0000000000000000-mapping.dmp