Analysis

  • max time kernel
    143s
  • max time network
    58s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 17:07

General

  • Target

    1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe

  • Size

    181KB

  • MD5

    068ed81b7b7a3426f0f6292e4f41acd2

  • SHA1

    031cca397819188b38482717d254dcd09dbcc9e6

  • SHA256

    1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065

  • SHA512

    a14e0036ee722b72ad4db3c84e0d06328ced0fecb3c883a735df8ab1bcc68ee2ec825351a46815b5ddcf12aa7439d8a892dabb7a5d7c637718fb6c03c263bcde

  • SSDEEP

    3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQKhsaR2:gDCwfG1bnxLERR9saR2

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
  • Adds policy Run key to start application (2 TTPs, 6 IoCs)
  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Adds Run key to start application (2 TTPs, 6 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key (1 TTP, 9 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe
    "C:\Users\Admin\AppData\Local\Temp\1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Modifies registry key
      PID:2032
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1736
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:964
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          PID:1468
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1524
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:2036
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:860
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1620
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:768
        • C:\Users\Admin\AppData\Local\Temp\avscan.exe
          C:\Users\Admin\AppData\Local\Temp\avscan.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1660
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\windows\W_X_C.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1324
          • C:\windows\hosts.exe
            C:\windows\hosts.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1968
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            5⤵
            • Adds policy Run key to start application
            PID:1836
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • Modifies registry key
          PID:1612
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • Modifies registry key
          PID:1092
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • Modifies registry key
          PID:660
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • Modifies registry key
          PID:1648
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        PID:1556
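The process tree above, together with the Signatures it triggers, is a chain a detection engineer can match on process-creation telemetry: REG.exe deleting HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot (which removes the Safe Mode driver/service lists, so the host can no longer boot into Safe Mode), cmd.exe and WScript.exe running W_X_C.bat / W_X_C.vbs out of the Windows root, a hosts.exe masquerading in C:\Windows, and interpreters spawned from a Temp-resident binary. The Python below is an added example, not code from the sandbox report or from the sample; its events are constructed from the report's tree (the report's PIDs, images and command lines), while the record layout, the parent PID 1234 of the root process, the two benign control events and the Windows-root executable allowlist are assumptions. It covers only the process-creation side; the Run-key and Explorer-setting changes would be matched on registry-set events.

```python
"""Process-creation detection logic for the execution chain in the tree above.

Added example, not part of the sandbox report or the sample. Events are
constructed from the report's process tree. Assumed: the record layout, parent
PID 1234 for the root process, the two benign controls, and the allowlist.
"""
import ntpath
import re
from collections import namedtuple
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executed image
    cmdline: str   # command line as logged


Alert = namedtuple("Alert", "rule pid severity detail")

# Deleting the SafeBoot key drops the Minimal/Network lists and breaks Safe
# Mode (ATT&CK T1562.009 under current numbering, not the v6 used above).
SAFEBOOT_DELETE = re.compile(
    r'\breg(?:\.exe)?\s+delete\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)'
    r'\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\b', re.I)
# Script files sitting directly in the Windows root (W_X_C.bat, W_X_C.vbs).
WINDOWS_ROOT_SCRIPT = re.compile(
    r'[a-z]:\\windows\\[^\\"\s]+\.(?:bat|cmd|vbs|vbe|js|jse|wsf|ps1)\b', re.I)
WINDOWS_ROOT_EXE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.exe$', re.I)
USER_TEMP_EXE = re.compile(
    r'^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$', re.I)
# Assumed, incomplete allowlist of executables that legitimately live in the
# Windows root; build the real one from a clean reference image.
KNOWN_WINDOWS_ROOT_EXES = {"explorer.exe", "regedit.exe", "notepad.exe",
                           "hh.exe", "write.exe", "bfsvc.exe", "splwow64.exe",
                           "winhlp32.exe"}
INTERPRETERS = {"reg.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

ROOT = r"C:\Users\Admin\AppData\Local\Temp\1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe"
SAMPLE_EVENTS = [  # constructed from the report's tree; last two are benign controls
    ProcEvent(832, 1234, ROOT, f'"{ROOT}"'),
    ProcEvent(2032, 832, r"C:\Windows\SysWOW64\REG.exe",
              r"REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f"),
    ProcEvent(1744, 832, r"C:\Users\Admin\AppData\Local\Temp\avscan.exe",
              r"C:\Users\Admin\AppData\Local\Temp\avscan.exe"),
    ProcEvent(796, 832, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c c:\windows\W_X_C.bat"),
    ProcEvent(768, 796, r"C:\windows\hosts.exe", r"C:\windows\hosts.exe"),
    ProcEvent(1556, 1744, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"'),
    ProcEvent(3000, 1234, r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Users\Admin\build.bat"'),
    ProcEvent(3001, 3000, r"C:\Windows\System32\reg.exe",
              r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"),
]


def _name(image):
    return ntpath.basename(image).lower()


def untrusted_origin(ev):
    """True for images run from a user Temp dir or unknown exes in the Windows root."""
    if USER_TEMP_EXE.match(ev.image):
        return True
    return bool(WINDOWS_ROOT_EXE.match(ev.image)) and _name(ev.image) not in KNOWN_WINDOWS_ROOT_EXES


def lineage(pid, index):
    """Event for pid followed by its ancestors; stops at unknown or cyclic PIDs."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid].ppid
    return chain


def evaluate(events):
    """Apply the rules to a batch of events and return the alerts raised."""
    index = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = _name(e.image)
        parents = lineage(e.pid, index)[1:]
        if name == "reg.exe" and SAFEBOOT_DELETE.search(e.cmdline):
            # Escalate when any ancestor is itself of untrusted origin.
            sev = "high" if any(untrusted_origin(p) for p in parents) else "medium"
            alerts.append(Alert("safeboot_key_deleted", e.pid, sev, e.cmdline))
        if name in INTERPRETERS:
            m = WINDOWS_ROOT_SCRIPT.search(e.cmdline)
            if m:
                alerts.append(Alert("script_in_windows_root", e.pid, "medium", m.group(0)))
            if parents and untrusted_origin(parents[0]):
                alerts.append(Alert("interpreter_from_untrusted_parent", e.pid, "medium", parents[0].image))
        if WINDOWS_ROOT_EXE.match(e.image) and name not in KNOWN_WINDOWS_ROOT_EXES:
            alerts.append(Alert("unknown_exe_in_windows_root", e.pid, "high", e.image))
    return alerts


def rules_for(alerts, pid):
    return sorted(a.rule for a in alerts if a.pid == pid)


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] pid={a.pid} {a.rule}: {a.detail}")
```

On the constructed events this raises seven alerts, all on the sample's chain and none on the two benign controls: the SafeBoot deletion is rated high because its parent runs from the user's Temp directory, and the same lineage check is what separates WScript.exe launched by avscan.exe from an administrator running a script by hand. To use it on real data, map Sysmon Event ID 1 (or the equivalent EDR process-creation record) onto ProcEvent; the allowlist must be rebuilt from a clean image before the Windows-root rule is trusted.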

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    412KB

    MD5

    18c6a052bc89d43c0a511a15aa21fb35

    SHA1

    b3018c82b972ec96e8b6e79b2187e4bbdedcfc82

    SHA256

    b37a38b8adc8e56c5db083401bc6c73de8a9e01ad9e1b76ea0e83128061bc2db

    SHA512

    40df672c9b4888b26f24fe98f517286a5c2a223cfdf74d3b2ea85d9c79fcd6c32e5fd29947c8ed990dcfaa1f0e4c692bc2780c731a3feb81ae37f0978c7add2b

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    594KB

    MD5

    8078ae2fd68b53796221145e3574e6cf

    SHA1

    72be27a2c73586dd7edf74e52e35428e5b69d720

    SHA256

    f3eabe09d150a376b4572cb2aa22df329deb82c123a7fdc68013f5ffb3f4ce09

    SHA512

    f433400fb67edd1e7a6a65f9f30421dbf8c423836c74d7a7c9f9395698b9a31b0e5cd344070591b8f136752dddb994c0c27fd6eec195f57bb11d4729980fcc77

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    776KB

    MD5

    182ed6bc229bf986e85ef2d3a1835f65

    SHA1

    32630e6395d4789466bed9e925752bd0fb43df6e

    SHA256

    3ed3c2104add4b618f9dbc9a0c58b2fc24653ef5a7e355d1772ed219697b06cc

    SHA512

    e5fef486880d18bd7302fd484428b12c993dd5fe26b9e6e9f59ebaa9d2068925531bdeb3c22a279caf1514d5a15bb9ce8e37a6782e3288a126f4b1f7be25b9f7

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    958KB

    MD5

    910a62d829d06a9f07ca16742677123a

    SHA1

    1010e850150589a93ac16e3e7b02cd4da62a41ea

    SHA256

    7fef7ebcd78d7538732ba00e64ce92a484cdaf7a729666c5c481c52d4a3d91b2

    SHA512

    6b3f6d14d0fc3883c71c40790b7d56a869ab0067ab35e15dbbe26f952c59d68687ba8d742988582fd818024f056f01146206d965c9b8f2175973e011b12dc955

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    1.1MB

    MD5

    310d69212e366d1fb21bc985ef153436

    SHA1

    49f47a67b5183afbf27ad5d311bf3283c35a1a08

    SHA256

    fcf4061d609b2f63beb3c0f5cec18e50b515a963d34e9386866a10e1bdc24d14

    SHA512

    dac21f8940a2e74f2573b89136d24d7dc876b08dbe638dea6b7e5dd0a63a6766d03da5a6beaa4f7921cbb2eed7beb16d663ba51793bad4a894e4f9e97d761754

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    1.3MB

    MD5

    9e0dc559bf5cd0bc1c8b6ae04a4bbb6e

    SHA1

    77bbb6c1af40b2df749d7ef6edab1a400b09798f

    SHA256

    a5632d74bc17ae305460ee22159c776f1bde375904b68524315fb211393d7dd8

    SHA512

    6bc11dac35e746e2309bbd3a7d8d24e503f5672ebcda7c786a62cd40b426fa3669ff27c7284054582bedcf4b6d5c6a21399e179daf39e8f90f0dd324c72019da

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    1.5MB

    MD5

    c95690b4c7eea8bb91bb570a968d3aea

    SHA1

    b801be8e761f481b8b0df154ae1b4c243343207f

    SHA256

    96f791ebf8cabd778695647a750ef27895efbe39bdcd3b205d03d02ce6052007

    SHA512

    81a0260ee478d5bdca2127426f22445652f9aa498a7a27ffabcb3e59e34eda6e8cabef6e7cf54f000697f4ab2d82aae672671a8a97a1d292506e5435bb9ec8c4

  • C:\Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    182KB

    MD5

    dead2ffac3b4658408e794edf03b25ed

    SHA1

    e3db322b1a8f7f511dc3883b311247fc93be8835

    SHA256

    cc7ea5165e632daedc30e8024ff2eba8d08729da5b71e7b7e46163f60b8f7d80

    SHA512

    1273304e7d0ab0737612a249a9ccfa329af594205ec18cf7d5bc413aaea4f086bc3b5b2003c7391b84a25ee161272b16cc3a60e48a113ce012fbdbd663cc7adb

  • C:\Windows\W_X_C.vbs

    Filesize

    195B

    MD5

    6d7a78ec09068987a6bec39d91fa2997

    SHA1

    e74ad929b10ad126cab230e0ea5ec239cbeaf12b

    SHA256

    d87abc4daf79735e1afda9ba17e27ca3e8c8775af50c18e67579da6384da53c6

    SHA512

    e912df74b128cb69c204fe6395f2237f7b2f240642312a66ff4e89004ac7736125155078e47591b26e686ec4f09d25bc4cf1575cc590bffe587962c02fa8e395

  • C:\Windows\hosts.exe

    Filesize

    182KB

    MD5

    d0f7934f1df02d097d2a7ca9413dec89

    SHA1

    277b61f912cbec6b8cb110567b9cf01b7aef8810

    SHA256

    47d8cf5ebd983d5978991871a411cab0e11676059aee2362708b389843ffa8d6

    SHA512

    7869fc0bd2c31f0058e7c3519c7dc8a0938470a475280bd6d874a388075599f5e5439e363a3c4893278dadd3218adfed18f03abff98ea52cf19cd015e6140fa7

  • \??\c:\windows\W_X_C.bat

    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    182KB

    MD5

    dead2ffac3b4658408e794edf03b25ed

    SHA1

    e3db322b1a8f7f511dc3883b311247fc93be8835

    SHA256

    cc7ea5165e632daedc30e8024ff2eba8d08729da5b71e7b7e46163f60b8f7d80

    SHA512

    1273304e7d0ab0737612a249a9ccfa329af594205ec18cf7d5bc413aaea4f086bc3b5b2003c7391b84a25ee161272b16cc3a60e48a113ce012fbdbd663cc7adb

  • memory/660-116-0x0000000000000000-mapping.dmp

  • memory/768-76-0x0000000000000000-mapping.dmp

  • memory/796-74-0x0000000000000000-mapping.dmp

  • memory/832-58-0x00000000742A1000-0x00000000742A3000-memory.dmp

    Filesize

    8KB

  • memory/832-56-0x0000000075291000-0x0000000075293000-memory.dmp

    Filesize

    8KB

  • memory/860-114-0x0000000000000000-mapping.dmp

  • memory/916-73-0x0000000000000000-mapping.dmp

  • memory/964-78-0x0000000000000000-mapping.dmp

  • memory/1092-112-0x0000000000000000-mapping.dmp

  • memory/1324-95-0x0000000000000000-mapping.dmp

  • memory/1468-87-0x0000000000000000-mapping.dmp

  • memory/1524-106-0x0000000000000000-mapping.dmp

  • memory/1556-101-0x0000000000000000-mapping.dmp

  • memory/1612-108-0x0000000000000000-mapping.dmp

  • memory/1620-118-0x0000000000000000-mapping.dmp

  • memory/1648-121-0x0000000000000000-mapping.dmp

  • memory/1660-90-0x0000000000000000-mapping.dmp

  • memory/1736-68-0x0000000000000000-mapping.dmp

  • memory/1744-61-0x0000000000000000-mapping.dmp

  • memory/1836-102-0x0000000000000000-mapping.dmp

  • memory/1968-96-0x0000000000000000-mapping.dmp

  • memory/2032-57-0x0000000000000000-mapping.dmp

  • memory/2036-110-0x0000000000000000-mapping.dmp