Analysis
max time kernel: 25s
max time network: 155s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 02:24
Static task: static1
Behavioral task: behavioral1
  Sample: ac14f610abeb2f02625aaa9e2e3610ca71e47c70d21433aa8b716c637ce58b4f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ac14f610abeb2f02625aaa9e2e3610ca71e47c70d21433aa8b716c637ce58b4f.exe
  Resource: win10v2004-20220901-en
General
Target: ac14f610abeb2f02625aaa9e2e3610ca71e47c70d21433aa8b716c637ce58b4f.exe
Size: 3.6MB
MD5: 8331cad47a4b916f1681d634c96b822d
SHA1: f060f6bc67725fefaea7138b14312637100489db
SHA256: ac14f610abeb2f02625aaa9e2e3610ca71e47c70d21433aa8b716c637ce58b4f
SHA512: 2f31631db0e92d1ddbcb29f88e53e356036ae5e3ef407bf5115386c8537b2b6b23f029ad1852fb29d0916ee1deb63a45bf440ca26feea8ce3b6901ecf9677ef4
SSDEEP: 24576:f+qGZSp1/gD/9rfRgRK2Y2miP3lIv2RuvOyQTnXzZ4eqCOiya4/fWiiT/D9SAiZq:OMIDhRgZP36v2RtzZYa+ewJT5wRjEu
Malware Config
Signatures
Creates new service(s) (1 TTPs)
Executes dropped EXE (1 IoCs)
  Processes: PID 1936 set.exe
Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: PID 1964 sc.exe; PID 1952 sc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (42 IoCs)
  Processes: set.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Token: SeDebugPrivilege, PID 1936 set.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID and process -> target PID and process; each event was recorded 4 times):
    PID 780 ac14f610abeb2f02625aaa9e2e3610ca71e47c70d21433aa8b716c637ce58b4f.exe -> PID 1996 cmd.exe
    PID 1996 cmd.exe -> PID 1952 sc.exe
    PID 780 ac14f610abeb2f02625aaa9e2e3610ca71e47c70d21433aa8b716c637ce58b4f.exe -> PID 1964 sc.exe
Processes (tree depth shown by indentation)
C:\Users\Admin\AppData\Local\Temp\ac14f610abeb2f02625aaa9e2e3610ca71e47c70d21433aa8b716c637ce58b4f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac14f610abeb2f02625aaa9e2e3610ca71e47c70d21433aa8b716c637ce58b4f.exe"
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /c sc create "backlh" binPath= "C:\ProgramData\Logic Cramble\set.exe" DisplayName= "Background Logic Handler" start= "auto"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\sc.exe
          Command line: sc create "backlh" binPath= "C:\ProgramData\Logic Cramble\set.exe" DisplayName= "Background Logic Handler" start= "auto"
          - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description "backlh" "Background Logic Handler"
      - Launches sc.exe
C:\ProgramData\Logic Cramble\set.exe
  Command line: "C:\ProgramData\Logic Cramble\set.exe"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\Logic Cramble\set.exe
  Filesize: 3.6MB
  MD5: 8331cad47a4b916f1681d634c96b822d
  SHA1: f060f6bc67725fefaea7138b14312637100489db
  SHA256: ac14f610abeb2f02625aaa9e2e3610ca71e47c70d21433aa8b716c637ce58b4f
  SHA512: 2f31631db0e92d1ddbcb29f88e53e356036ae5e3ef407bf5115386c8537b2b6b23f029ad1852fb29d0916ee1deb63a45bf440ca26feea8ce3b6901ecf9677ef4
memory/780-54-0x0000000076121000-0x0000000076123000-memory.dmp
  Filesize: 8KB
memory/780-61-0x00000000748B0000-0x0000000074E5B000-memory.dmp
  Filesize: 5.7MB
memory/780-62-0x00000000748B0000-0x0000000074E5B000-memory.dmp
  Filesize: 5.7MB
memory/1936-63-0x00000000748B0000-0x0000000074E5B000-memory.dmp
  Filesize: 5.7MB
memory/1936-64-0x00000000748B0000-0x0000000074E5B000-memory.dmp
  Filesize: 5.7MB
memory/1952-56-0x0000000000000000-mapping.dmp
memory/1964-57-0x0000000000000000-mapping.dmp
memory/1996-55-0x0000000000000000-mapping.dmp