430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f

Analysis

max time kernel
252s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 19:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe
Size

460KB
MD5

35e852ab44b493b60325d07ce56621af
SHA1

9722e3207bd17fbc39cb05a73a871b8430d7b050
SHA256

430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f
SHA512

e58d3d4cabe52a9350d651ce1d069666bf00709b792afc3adfc56b57e188811c3c0d1cf2c9a56e51ebb4a66665755f6d565a8b6861b29102bacce7c86c62d3da
SSDEEP

12288:8xaVAh64U5l82gfJv1OKN7Dl7+5ss4XtL1YB3:8xaVxr5q26Jv1Ow7Dd+5ESV

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1328	service.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1532	netsh.exe
340	netsh.exe

Loads dropped DLL 4 IoCs

pid	Process
1112	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe
1112	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe
1112	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe
1112	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\iexplorer = "C:\\Windows\\SYSTEM32\\slmgr32.vbs"	reg.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_7292329	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe
File created	C:\Windows\SysWOW64\system.exe	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe
File opened for modification	C:\Windows\SysWOW64\Pic.jpg	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe
File created	C:\Windows\SysWOW64\service.exe	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe
File created	C:\Windows\SysWOW64\Pic.jpg	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe
File created	C:\Windows\SysWOW64\slmgr32.vbs	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe
File opened for modification	C:\Windows\SysWOW64\slmgr32.vbs	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1936	reg.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1328	1112	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe	28
PID 1112 wrote to memory of 1328	1112	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe	28
PID 1112 wrote to memory of 1328	1112	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe	28
PID 1112 wrote to memory of 1328	1112	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe	28
PID 1112 wrote to memory of 1328	1112	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe	28
PID 1112 wrote to memory of 1328	1112	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe	28
PID 1112 wrote to memory of 1328	1112	430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe	28
PID 1328 wrote to memory of 892	1328	service.exe	29
PID 1328 wrote to memory of 892	1328	service.exe	29
PID 1328 wrote to memory of 892	1328	service.exe	29
PID 1328 wrote to memory of 892	1328	service.exe	29
PID 1328 wrote to memory of 892	1328	service.exe	29
PID 1328 wrote to memory of 892	1328	service.exe	29
PID 1328 wrote to memory of 892	1328	service.exe	29
PID 892 wrote to memory of 1532	892	cmd.exe	31
PID 892 wrote to memory of 1532	892	cmd.exe	31
PID 892 wrote to memory of 1532	892	cmd.exe	31
PID 892 wrote to memory of 1532	892	cmd.exe	31
PID 892 wrote to memory of 1532	892	cmd.exe	31
PID 892 wrote to memory of 1532	892	cmd.exe	31
PID 892 wrote to memory of 1532	892	cmd.exe	31
PID 892 wrote to memory of 340	892	cmd.exe	32
PID 892 wrote to memory of 340	892	cmd.exe	32
PID 892 wrote to memory of 340	892	cmd.exe	32
PID 892 wrote to memory of 340	892	cmd.exe	32
PID 892 wrote to memory of 340	892	cmd.exe	32
PID 892 wrote to memory of 340	892	cmd.exe	32
PID 892 wrote to memory of 340	892	cmd.exe	32
PID 892 wrote to memory of 1788	892	cmd.exe	33
PID 892 wrote to memory of 1788	892	cmd.exe	33
PID 892 wrote to memory of 1788	892	cmd.exe	33
PID 892 wrote to memory of 1788	892	cmd.exe	33
PID 892 wrote to memory of 1788	892	cmd.exe	33
PID 892 wrote to memory of 1788	892	cmd.exe	33
PID 892 wrote to memory of 1788	892	cmd.exe	33
PID 1788 wrote to memory of 1936	1788	cmd.exe	34
PID 1788 wrote to memory of 1936	1788	cmd.exe	34
PID 1788 wrote to memory of 1936	1788	cmd.exe	34
PID 1788 wrote to memory of 1936	1788	cmd.exe	34
PID 1788 wrote to memory of 1936	1788	cmd.exe	34
PID 1788 wrote to memory of 1936	1788	cmd.exe	34
PID 1788 wrote to memory of 1936	1788	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe
"C:\Users\Admin\AppData\Local\Temp\430f5ceed6c2e907951bc50da7050e14922e6e2a392ad1f713c93d70db89172f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\service.exe
  "C:\Windows\system32\service.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\6817.tmp\Winsys32.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="svchost service" dir=in protocol=TCP action=allow localport=8080
      4⤵
      Modifies Windows Firewall
      PID:1532
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\system.exe "Windows Media Player" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd /c reg add HKcU\Software\Microsoft\Windows\CurrentVersion\Run /v "iexplorer" /t REG_SZ /d "C:\Windows\SYSTEM32\slmgr32.vbs" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKcU\Software\Microsoft\Windows\CurrentVersion\Run /v "iexplorer" /t REG_SZ /d "C:\Windows\SYSTEM32\slmgr32.vbs" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6817.tmp\Winsys32.bat

Filesize
359B

MD5
84010ef4453bc28cdd268204882bb446

SHA1
dd42e47d5699c6212a930790377296ba02faf713

SHA256
199267b6e29eb92581b225447b523fa14b0d05e2052421393508142d6249e0c0

SHA512
b26ff1297eb4f6755ac1562f85e30a45f3b4741a6adcd08dfd9c481b4bda4aa178e1b6c0f612979923ffdabe7289cb74d6794e573354804c54b8f16e9216c650

Download Submit
C:\Windows\SysWOW64\service.exe

Filesize
25KB

MD5
4ce7f1852d9b776e222b465ef2058a5a

SHA1
267556b5ab065972a71d4243541882ec12900d76

SHA256
8274f064dcd53b6c63b07d13771a03f1e4e36bb63231d0e90bc6c0f386ce6dcc

SHA512
29aa543f65cbe167863fcdd8f133138e836d2c86f404ceb472da0044eac5808aa2a27f75d06e545d36f4cc1d689082d6e4752ba162d0a2160f47ad9a85bab4a7

Download Submit
\Windows\SysWOW64\service.exe

Filesize
25KB

MD5
4ce7f1852d9b776e222b465ef2058a5a

SHA1
267556b5ab065972a71d4243541882ec12900d76

SHA256
8274f064dcd53b6c63b07d13771a03f1e4e36bb63231d0e90bc6c0f386ce6dcc

SHA512
29aa543f65cbe167863fcdd8f133138e836d2c86f404ceb472da0044eac5808aa2a27f75d06e545d36f4cc1d689082d6e4752ba162d0a2160f47ad9a85bab4a7

Download Submit
\Windows\SysWOW64\service.exe

Filesize
25KB

MD5
4ce7f1852d9b776e222b465ef2058a5a

SHA1
267556b5ab065972a71d4243541882ec12900d76

SHA256
8274f064dcd53b6c63b07d13771a03f1e4e36bb63231d0e90bc6c0f386ce6dcc

SHA512
29aa543f65cbe167863fcdd8f133138e836d2c86f404ceb472da0044eac5808aa2a27f75d06e545d36f4cc1d689082d6e4752ba162d0a2160f47ad9a85bab4a7

Download Submit
\Windows\SysWOW64\service.exe

Filesize
25KB

MD5
4ce7f1852d9b776e222b465ef2058a5a

SHA1
267556b5ab065972a71d4243541882ec12900d76

SHA256
8274f064dcd53b6c63b07d13771a03f1e4e36bb63231d0e90bc6c0f386ce6dcc

SHA512
29aa543f65cbe167863fcdd8f133138e836d2c86f404ceb472da0044eac5808aa2a27f75d06e545d36f4cc1d689082d6e4752ba162d0a2160f47ad9a85bab4a7

Download Submit
\Windows\SysWOW64\service.exe

Filesize
25KB

MD5
4ce7f1852d9b776e222b465ef2058a5a

SHA1
267556b5ab065972a71d4243541882ec12900d76

SHA256
8274f064dcd53b6c63b07d13771a03f1e4e36bb63231d0e90bc6c0f386ce6dcc

SHA512
29aa543f65cbe167863fcdd8f133138e836d2c86f404ceb472da0044eac5808aa2a27f75d06e545d36f4cc1d689082d6e4752ba162d0a2160f47ad9a85bab4a7

Download Submit
memory/1112-56-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/1112-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download
memory/1328-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1328-75-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads