fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374

Analysis

max time kernel
151s
max time network
163s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe
Size

14.4MB
MD5

1e689754e627e3b7cf3f7e40eec7d75c
SHA1

c54b121f0b85e91003d78607bf1fa6718c256029
SHA256

fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374
SHA512

515444eec9c8d7ed0e9d0dff4c930fc5e60678fc3a32546213593bdbd69b621e31863d45bd0d30afc1d8b70f7832c0d2e95fa7d208a4e53cb4e7aaef3767c4c2
SSDEEP

393216:QJmhtTMVQl4CpDTzx7pKNy/wmFAHlcnZzRok/c74vCCcRVLBCy:QJst6OhpDFAGn7/RCCWVBCy

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

wmkyfoj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\DownloadSave\\wmkyfoj.exe"	wmkyfoj.exe

Drops file in Drivers directory 2 IoCs

Processes:

fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\Beep.sys	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe

Executes dropped EXE 4 IoCs

Processes:

bbGame.exeDownloader.exebbGame.tmpwmkyfoj.exe

pid process

2024 bbGame.exe
1044 Downloader.exe
584 bbGame.tmp
1976 wmkyfoj.exe

pid	process
2024	bbGame.exe
1044	Downloader.exe
584	bbGame.tmp
1976	wmkyfoj.exe

Loads dropped DLL 7 IoCs

Processes:

fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exebbGame.exebbGame.tmpDownloader.exe

pid	process
1428	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe
1428	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe
2024	bbGame.exe
584	bbGame.tmp
584	bbGame.tmp
584	bbGame.tmp
1044	Downloader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Downloader.exe

pid process

1044 Downloader.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

460
460
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Downloader.exewmkyfoj.exe

pid process

1044 Downloader.exe
1976 wmkyfoj.exe
1976 wmkyfoj.exe
1976 wmkyfoj.exe
1976 wmkyfoj.exe
1976 wmkyfoj.exe
1976 wmkyfoj.exe
1976 wmkyfoj.exe

pid	process
1044	Downloader.exe

pid	process
460
460

pid	process
1044	Downloader.exe
1976	wmkyfoj.exe
1976	wmkyfoj.exe
1976	wmkyfoj.exe
1976	wmkyfoj.exe
1976	wmkyfoj.exe
1976	wmkyfoj.exe
1976	wmkyfoj.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exebbGame.exeDownloader.exe

description	pid	process	target process
PID 1428 wrote to memory of 2024	1428	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	bbGame.exe
PID 1428 wrote to memory of 2024	1428	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	bbGame.exe
PID 1428 wrote to memory of 2024	1428	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	bbGame.exe
PID 1428 wrote to memory of 2024	1428	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	bbGame.exe
PID 1428 wrote to memory of 2024	1428	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	bbGame.exe
PID 1428 wrote to memory of 2024	1428	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	bbGame.exe
PID 1428 wrote to memory of 2024	1428	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	bbGame.exe
PID 1428 wrote to memory of 1044	1428	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	Downloader.exe
PID 1428 wrote to memory of 1044	1428	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	Downloader.exe
PID 1428 wrote to memory of 1044	1428	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	Downloader.exe
PID 1428 wrote to memory of 1044	1428	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	Downloader.exe
PID 2024 wrote to memory of 584	2024	bbGame.exe	bbGame.tmp
PID 2024 wrote to memory of 584	2024	bbGame.exe	bbGame.tmp
PID 2024 wrote to memory of 584	2024	bbGame.exe	bbGame.tmp
PID 2024 wrote to memory of 584	2024	bbGame.exe	bbGame.tmp
PID 1044 wrote to memory of 1976	1044	Downloader.exe	wmkyfoj.exe
PID 1044 wrote to memory of 1976	1044	Downloader.exe	wmkyfoj.exe
PID 1044 wrote to memory of 1976	1044	Downloader.exe	wmkyfoj.exe
PID 1044 wrote to memory of 1976	1044	Downloader.exe	wmkyfoj.exe

C:\Users\Admin\AppData\Local\Temp\fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe
"C:\Users\Admin\AppData\Local\Temp\fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\bbGame.exe
"C:\Users\Admin\AppData\Local\Temp\bbGame.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\is-RLA3S.tmp\bbGame.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RLA3S.tmp\bbGame.tmp" /SL5="$90122,14702138,56832,C:\Users\Admin\AppData\Local\Temp\bbGame.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584

C:\Users\Admin\AppData\Local\Temp\Downloader.exe
"C:\Users\Admin\AppData\Local\Temp\Downloader.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044

C:\ProgramData\DownloadSave\wmkyfoj.exe
"C:\ProgramData\DownloadSave\wmkyfoj.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DownloadSave\RecordPath

Filesize
260B

MD5
24f2c38eabe958728f6da180d1764ce7

SHA1
34eb0609a1a826c7b0b6226fb21756888a2bb997

SHA256
28b1fcda7be31a1a3d2a8f82d2062ac2c67623304410bb5d742ab82a0ad27ea5

SHA512
f1a4d0d789f7a83c3fb2561e9b5b48626cbbdc24c60010cd0b18b4b05399895aeb5cba39fd5cdd3d94035c61faf26a2d5fd7d36f365bd4108860e59888c711fa

Download Submit
C:\ProgramData\DownloadSave\wmkyfoj.exe

Filesize
5.1MB

MD5
40522e67aa9010b2814465ade89dfe72

SHA1
15af983576fb991e264ce0fbfaba7ef7cea0ec4d

SHA256
1dc354dc9e8a9f630368a5b4e8c63aef912f7a325373da37fb1f80145a16eac4

SHA512
441dfa86910a1b233ca15f875de8133d5f57ba197ca14760f1bef9a537e70fd0e4e0d6232c205f0d94befffe9f13bc345e5bd14ae39a1f9c4243296f426fd8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Downloader.exe

Filesize
129KB

MD5
e19fe4b77007fea0cf4bd8a1eb30a25f

SHA1
4e48f007d80134c38914018d40bc134b7a8c3db7

SHA256
c09bd43cea169c85875922337cfbdbe574903491b5e811422674179a64311632

SHA512
93cf3036b4db8ead7e4fbbc659bd581e8d1b2a5cc361dc6ab9a8aa19e6c2b2b0b31a09cc3a18a8b871562ea8cfd44f9b9ef01d5da2673b2bdedcdf80a3cbed3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Downloader.exe

Filesize
129KB

MD5
e19fe4b77007fea0cf4bd8a1eb30a25f

SHA1
4e48f007d80134c38914018d40bc134b7a8c3db7

SHA256
c09bd43cea169c85875922337cfbdbe574903491b5e811422674179a64311632

SHA512
93cf3036b4db8ead7e4fbbc659bd581e8d1b2a5cc361dc6ab9a8aa19e6c2b2b0b31a09cc3a18a8b871562ea8cfd44f9b9ef01d5da2673b2bdedcdf80a3cbed3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbGame.exe

Filesize
14.3MB

MD5
226a3433949fb2c1b50b1a15e1e82505

SHA1
d04e449e74b74dc59e6f948179165b35ad8bd4b1

SHA256
77b1edc6af0b482f47f1de3523c8e83d80d4e823e67cfe85598f410ecca60014

SHA512
4f52622a3922d5b8148aa5ed51052c950e3b74df9a4f27ee81df8b912c51f5b20b2085c1dec4e583f23655e36f580c73796b761301f998eac5a804a8eea9664d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbGame.exe

Filesize
14.3MB

MD5
226a3433949fb2c1b50b1a15e1e82505

SHA1
d04e449e74b74dc59e6f948179165b35ad8bd4b1

SHA256
77b1edc6af0b482f47f1de3523c8e83d80d4e823e67cfe85598f410ecca60014

SHA512
4f52622a3922d5b8148aa5ed51052c950e3b74df9a4f27ee81df8b912c51f5b20b2085c1dec4e583f23655e36f580c73796b761301f998eac5a804a8eea9664d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RLA3S.tmp\bbGame.tmp

Filesize
701KB

MD5
1ff30f1553f38ebe433432cfbbcadc67

SHA1
8d64a95509fe49ef252c8906687c58e84f6bc519

SHA256
35cd85d5ef97558dea22a5f9d9dfb23cc465b8f113f6825d82c2a2b1870dd831

SHA512
0c17dbd75ed839acaa18b34c023d7017a0acf18bf6c48f6cd21438dad61a94e254c401036f713837ddbf795d43975776e3e04f2fbf131ff74fa129803df2ce41

Download Submit
\ProgramData\DownloadSave\wmkyfoj.exe

Filesize
5.1MB

MD5
40522e67aa9010b2814465ade89dfe72

SHA1
15af983576fb991e264ce0fbfaba7ef7cea0ec4d

SHA256
1dc354dc9e8a9f630368a5b4e8c63aef912f7a325373da37fb1f80145a16eac4

SHA512
441dfa86910a1b233ca15f875de8133d5f57ba197ca14760f1bef9a537e70fd0e4e0d6232c205f0d94befffe9f13bc345e5bd14ae39a1f9c4243296f426fd8b7

Download Submit
\Users\Admin\AppData\Local\Temp\Downloader.exe

Filesize
129KB

MD5
e19fe4b77007fea0cf4bd8a1eb30a25f

SHA1
4e48f007d80134c38914018d40bc134b7a8c3db7

SHA256
c09bd43cea169c85875922337cfbdbe574903491b5e811422674179a64311632

SHA512
93cf3036b4db8ead7e4fbbc659bd581e8d1b2a5cc361dc6ab9a8aa19e6c2b2b0b31a09cc3a18a8b871562ea8cfd44f9b9ef01d5da2673b2bdedcdf80a3cbed3c

Download Submit
\Users\Admin\AppData\Local\Temp\bbGame.exe

Filesize
14.3MB

MD5
226a3433949fb2c1b50b1a15e1e82505

SHA1
d04e449e74b74dc59e6f948179165b35ad8bd4b1

SHA256
77b1edc6af0b482f47f1de3523c8e83d80d4e823e67cfe85598f410ecca60014

SHA512
4f52622a3922d5b8148aa5ed51052c950e3b74df9a4f27ee81df8b912c51f5b20b2085c1dec4e583f23655e36f580c73796b761301f998eac5a804a8eea9664d

Download Submit
\Users\Admin\AppData\Local\Temp\is-2DV1M.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-2DV1M.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-2DV1M.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RLA3S.tmp\bbGame.tmp

Filesize
701KB

MD5
1ff30f1553f38ebe433432cfbbcadc67

SHA1
8d64a95509fe49ef252c8906687c58e84f6bc519

SHA256
35cd85d5ef97558dea22a5f9d9dfb23cc465b8f113f6825d82c2a2b1870dd831

SHA512
0c17dbd75ed839acaa18b34c023d7017a0acf18bf6c48f6cd21438dad61a94e254c401036f713837ddbf795d43975776e3e04f2fbf131ff74fa129803df2ce41

Download Submit
memory/584-68-0x0000000000000000-mapping.dmp

Download
memory/1044-61-0x0000000000000000-mapping.dmp

Download
memory/1428-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1976-76-0x0000000000000000-mapping.dmp

Download
memory/2024-65-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2024-60-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2024-56-0x0000000000000000-mapping.dmp

Download