Analysis
- max time kernel: 7s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 13:25
Static task: static1
Behavioral task: behavioral1
- Sample: abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e.exe
- Resource: win10v2004-20221111-en
General
- Target: abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e.exe
- Size: 1.3MB
- MD5: a4425b89e3cc570a5777cc56e264a883
- SHA1: 1e269c18c2e96dda052714bf1f0cc12370082ac1
- SHA256: abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e
- SHA512: 5126722754936a5830b4a11271920d4308cc24246abeb684a492cfc39290748d598aec0335a74478cfa401e2756eaa0c661d756773ea87469ed78752e73f79f1
- SSDEEP: 24576:wq5QPIvi0/QWqYID/aAIcDUebJvQiIE3kr:pSq7IUL2I
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  556  drvhost.exe
  1508 syshost.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  1188 abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e.exe
  556  drvhost.exe
  556  drvhost.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Driver Component = "\"C:\\Windows\\system32\\drvhost.exe\"" | abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\SysWOW64\drvhost.exe | abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e.exe
  File opened for modification | C:\Windows\SysWOW64\drvhost.exe | abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 556 set thread context of 1508 | 556 | drvhost.exe | syshost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes (pid, process):
  1188 abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e.exe (8 entries)
  556  drvhost.exe (8 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1188 | abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e.exe
  Token: SeDebugPrivilege | 556 | drvhost.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description | pid | process | target process):
  PID 1188 wrote to memory of 556 | 1188 | abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e.exe | drvhost.exe (4 entries)
  PID 556 wrote to memory of 1508 | 556 | drvhost.exe | syshost.exe (10 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e.exe (depth 1, PID 1188)
  Command line: "C:\Users\Admin\AppData\Local\Temp\abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\drvhost.exe (depth 2, PID 556, child of PID 1188)
    Command line: "C:\Windows\system32\drvhost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\syshost.exe (depth 3, PID 1508, child of PID 556)
      Command line: C:\ProgramData\syshost.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\syshost.exe (also recorded as \ProgramData\syshost.exe)
  Filesize: 6KB
  MD5: 36c689700adbb227867e409938607270
  SHA1: 6123e236f73faa37600a60107a5b167980b83a61
  SHA256: a2158014ecd471868954d0e97397f9df43e310c48d56fa0b5a6ef908dc654adf
  SHA512: c75728ed30135032a6755e33b9034b98c871554c33a4b8ba1586e0b3282dbc65e3b61571d407365b24289dae2de56b514ef0db744f85e6648dc6432a33b85fef
- C:\Windows\SysWOW64\drvhost.exe (also recorded as \Windows\SysWOW64\drvhost.exe; same size and hashes as the submitted sample)
  Filesize: 1.3MB
  MD5: a4425b89e3cc570a5777cc56e264a883
  SHA1: 1e269c18c2e96dda052714bf1f0cc12370082ac1
  SHA256: abae79fffca34894a454c82c074fd56718c6954f7c44c1a8faac3405b50b009e
  SHA512: 5126722754936a5830b4a11271920d4308cc24246abeb684a492cfc39290748d598aec0335a74478cfa401e2756eaa0c661d756773ea87469ed78752e73f79f1
- memory/556-77-0x0000000074CB0000-0x000000007525B000-memory.dmp (Filesize: 5.7MB)
- memory/556-57-0x0000000000000000-mapping.dmp
- memory/1188-61-0x0000000074CB0000-0x000000007525B000-memory.dmp (Filesize: 5.7MB)
- memory/1188-55-0x0000000074CB0000-0x000000007525B000-memory.dmp (Filesize: 5.7MB)
- memory/1188-54-0x00000000759F1000-0x00000000759F3000-memory.dmp (Filesize: 8KB)
- memory/1508-72-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
- memory/1508-70-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
- memory/1508-68-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
- memory/1508-66-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
- memory/1508-65-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
- memory/1508-74-0x0000000000441175-mapping.dmp
- memory/1508-73-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
- memory/1508-79-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
- memory/1508-80-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)