Analysis
- max time kernel: 100s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 09:52
Static task: static1
Behavioral task: behavioral1
- Sample: f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
- Resource: win10v2004-20221111-en
(The signatures, process tree and memory dumps below are from the windows7_x64 run, win7-20221111-en.)
General
- Target: f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
- Size: 2.8MB
- MD5: 31ea801722a01123197b6715411d0ec7
- SHA1: 677c6df7d4ab64bba5471a64de1613661ae71fa1
- SHA256: f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09
- SHA512: 06de197d739a6f344bd30e595f2521017b6098d7163d91ba280c5d208d02c1fe48d02d3f3c8ff3315ede29338f137582582f7555670ce1157cdee0d0afdf6e3d
- SSDEEP: 49152:GkthCJW+30AeduWfFhEl200Ql8z8qQrgsm0nCxVi1eXh+t2Sd1FDIA0L1:GaoJh0XuWfFelt0QlUBQsBViURQ2anDI
Malware Config
Signatures
-
Uses the VBS compiler for execution (1 TTP)
The signature name refers to vbc.exe, the Visual Basic .NET compiler under C:\Windows\Microsoft.NET\Framework\v2.0.50727 (see the process tree below), not to VBScript. Both vbc.exe children are started with "/stext <file>", which is not a vbc.exe compiler switch. Together with the parent's SetThreadContext calls and the ten memory writes into each vbc.exe instance, this is consistent with the parent hollowing vbc.exe and running an injected payload that writes its output to holdermail.txt; the report does not identify that payload.

Adds Run key to start application (2 TTPs, 1 IoC)
Process: f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"
Persistence note: the value name "Windows Update" and the file name WindowsUpdate.exe imitate a Windows component, but the path is the user-writable %APPDATA% directory. WindowsUpdate.exe is not among the dropped files listed under Downloads, so check the full file-activity log before assuming the copy was written within the 100 s run.
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows: 8, 10 and 20, all to whatismyipaddress.com
Suspicious use of SetThreadContext (2 IoCs)
Process: f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
- PID 1756 set thread context of 0 (recorded twice)
The target field reads 0 in both entries, so this table alone does not say which child thread was modified; the two vbc.exe instances that receive ten memory writes each (see WriteProcessMemory below) are the likely targets.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: "likely ransomware" is the sandbox's generic description for this signature. No other signature in this report shows file encryption or mass file modification, and the behaviour that is recorded (hollowing of vbc.exe, Run-key persistence, an external IP lookup) does not point to ransomware; treat the label as unconfirmed.
-
Modifies registry class (11 IoCs)
Processes: rundll32.exe (both instances); key prefix \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000
- Set value (str): <prefix>_CLASSES\dem_auto_file\ (default value; content not shown)
- Key created: <prefix>_CLASSES\.dem
- Set value (str): <prefix>_CLASSES\.dem\ = "dem_auto_file"
- Key created: <prefix>_CLASSES\dem_auto_file\shell\Read
- Key created: <prefix>_CLASSES\dem_auto_file\shell
- Key created: <prefix>_CLASSES\dem_auto_file\shell\Read\command
- Key created: <prefix>_Classes\Local Settings
- Key created: <prefix>_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
- Key created: <prefix>_Classes\Local Settings
- Key created: <prefix>_CLASSES\dem_auto_file
- Set value (str): <prefix>_CLASSES\dem_auto_file\shell\Read\command\ = "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "%1"
Note: these writes are made by rundll32.exe running the "Open with" dialog (shell32.dll,OpenAs_RunDLL), not by the sample directly. They register the previously unknown .dem extension as dem_auto_file and record that the dialog interaction in the sandbox chose Adobe Reader 9, which is why AcroRd32.exe appears under each rundll32.exe in the process tree.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Process: PID 1756 f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: PID 1756 f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
- Token: SeDebugPrivilege
SeDebugPrivilege is what the sample needs to open other processes for the memory writes listed below.

Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 1756 f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
- PID 1984 AcroRd32.exe (recorded twice)
The hook set by the sample itself (pid 1756) is the one worth attention: a keyboard hook installed with SetWindowsHookEx is a common keylogging technique, although the report does not show which hook type was installed. Hooks from a GUI application such as Adobe Reader are routine.

Suspicious use of WriteProcessMemory (34 IoCs)
The 34 events grouped by writer and target; "sample" is f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe, and the count of identical entries is in parentheses:
- PID 1756 sample -> PID 1544 rundll32.exe (3)
- PID 1756 sample -> PID 820 rundll32.exe (3)
- PID 1544 rundll32.exe -> PID 1984 AcroRd32.exe (4)
- PID 1756 sample -> PID 1620 vbc.exe (10)
- PID 820 rundll32.exe -> PID 972 AcroRd32.exe (4)
- PID 1756 sample -> PID 1572 vbc.exe (10)
A few writes into each newly created child are typically logged at process creation (the rundll32.exe and AcroRd32.exe entries). The ten writes into each vbc.exe from a parent that also calls SetThreadContext are the process-hollowing pattern: a suspended vbc.exe is overwritten with the payload and its main thread's context is pointed at the injected code.
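The Run-key signature and the SetThreadContext/WriteProcessMemory signatures above are the two findings an analyst would want to pull out of a flattened report automatically. The following Python is an added example, not part of the sandbox report or its tooling: it parses the three kinds of IoC line shown on this page, rebuilds who wrote into whom, and flags the persistence entry and the hollowing pattern. SAMPLE_LINES is constructed from the report's own entries (the sample's SHA-256 file name shortened to sample.exe); the directory list and "Windows component" word list used for the Run-key check are heuristics chosen for this example, not rules from the sandbox.

```python
"""Triage helper for flattened sandbox signature lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed from the report's signature lines; repeated entries are rebuilt by count.
SAMPLE_LINES = (
    [r'Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000'
     r'\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = '
     r'"C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" sample.exe']
    + ['PID 1756 set thread context of 0 1756 sample.exe'] * 2
    + ['PID 1756 wrote to memory of 1544 1756 sample.exe rundll32.exe'] * 3
    + ['PID 1756 wrote to memory of 820 1756 sample.exe rundll32.exe'] * 3
    + ['PID 1544 wrote to memory of 1984 1544 rundll32.exe AcroRd32.exe'] * 4
    + ['PID 1756 wrote to memory of 1620 1756 sample.exe vbc.exe'] * 10
    + ['PID 820 wrote to memory of 972 820 rundll32.exe AcroRd32.exe'] * 4
    + ['PID 1756 wrote to memory of 1572 1756 sample.exe vbc.exe'] * 10
)

WRITE_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$')
CONTEXT_RE = re.compile(r'^PID (\d+) set thread context of (\d+) \d+ (\S+)$')
RUN_RE = re.compile(r'^Set value \(str\) (?P<key>.+?\\CurrentVersion\\Run\\(?P<name>[^=]+?)) = '
                    r'"(?P<value>[^"]*)" (?P<proc>\S+)$', re.IGNORECASE)

# Heuristics assumed for this example: user-writable drop directories and words
# that a persistence entry borrows from Windows components.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
SYSTEM_WORDS = {"windows", "microsoft", "update", "defender"}


def parse_lines(lines):
    """Turn flattened signature lines into structured events."""
    parsed = {"run_keys": [], "thread_context": [], "writes": Counter()}
    for line in lines:
        line = line.strip()
        if m := WRITE_RE.match(line):
            src, dst, src_img, dst_img = m.groups()
            parsed["writes"][(int(src), src_img, int(dst), dst_img)] += 1
        elif m := CONTEXT_RE.match(line):
            parsed["thread_context"].append((int(m.group(1)), int(m.group(2)), m.group(3)))
        elif m := RUN_RE.match(line):
            parsed["run_keys"].append({
                "process": m["proc"],
                "name": m["name"].strip(),
                # the report shows JSON-escaped paths; collapse \\ to \
                "value": m["value"].replace("\\\\", "\\"),
            })
    return parsed


def persistence_findings(parsed):
    """Run-key entries that point into user-writable paths or masquerade as Windows."""
    findings = []
    for entry in parsed["run_keys"]:
        value = entry["value"].lower()
        reasons = []
        if any(seg in value for seg in USER_WRITABLE):
            reasons.append("Run value points into a user-writable directory")
        if SYSTEM_WORDS & set(entry["name"].lower().split()) and "\\windows\\" not in value:
            reasons.append("value name imitates a Windows component but the binary is not under C:\\Windows")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def hollowing_candidates(parsed, min_writes=8):
    """Parents that call SetThreadContext and write many times into a child of a
    different image. A handful of writes per child is normal at process creation;
    the threshold separates those from a payload being copied in."""
    context_setters = {src for src, _dst, _img in parsed["thread_context"]}
    out = []
    for (src, src_img, dst, dst_img), n in sorted(parsed["writes"].items()):
        if src in context_setters and dst_img != src_img and n >= min_writes:
            out.append({"parent_pid": src, "parent_image": src_img,
                        "target_pid": dst, "target_image": dst_img, "writes": n})
    return out


def process_tree(parsed):
    """parent pid -> sorted [(child pid, image)], rebuilt from the write events.
    Assumption: the creating parent writes into each new child, so the write
    graph doubles as the process tree for this kind of report."""
    tree = defaultdict(list)
    for (src, _src_img, dst, dst_img) in parsed["writes"]:
        tree[src].append((dst, dst_img))
    return {pid: sorted(children) for pid, children in tree.items()}


def render_tree(tree, pid, image, depth=0):
    """Indented text lines for the subtree rooted at pid."""
    lines = [f"{'  ' * depth}{image} (pid {pid})"]
    for child_pid, child_img in tree.get(pid, []):
        lines.extend(render_tree(tree, child_pid, child_img, depth + 1))
    return lines


if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LINES)
    for f in persistence_findings(parsed):
        print("persistence:", f["name"], "->", f["value"], "|", "; ".join(f["reasons"]))
    for c in hollowing_candidates(parsed):
        print(f"hollowing: pid {c['parent_pid']} {c['parent_image']} wrote {c['writes']}x "
              f"into pid {c['target_pid']} {c['target_image']}")
    print("\n".join(render_tree(process_tree(parsed), 1756, "sample.exe")))
```

Run against the constructed lines it reports the Run key for both reasons, the two vbc.exe instances (pids 1572 and 1620) as hollowing targets, and a tree that matches the Processes section below. The min_writes threshold is the knob to tune: the three or four writes into rundll32.exe and AcroRd32.exe stay below it.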
Processes
- C:\Users\Admin\AppData\Local\Temp\f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe (pid 1756)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BFile_1.dem
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BFile_1.dem"
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BFile_2.dem
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BFile_2.dem"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
PIDs from the WriteProcessMemory section: the sample is 1756; the two rundll32.exe children are 1544 and 820, spawning AcroRd32.exe 1984 and 972 respectively; the two vbc.exe children are 1620 and 1572. The two .dem files (185KB and 163KB, hashes under Downloads) are dropped to Temp and handed to the "Open with" dialog via shell32.dll,OpenAs_RunDLL; Adobe Reader only appears because the sandbox's dialog handling picked it. Both vbc.exe instances carry the same "/stext" argument and output path, so whatever was injected into them writes to the same holdermail.txt.
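Three of the command lines in this tree are detectable on their own, without the memory-write data: a .NET compiler started with no source file and a "/stext" switch that vbc.exe does not have, rundll32.exe forcing the "Open with" dialog on a file in Temp, and Adobe Reader opening a non-PDF. The following Python is an added example, not part of the sandbox report or its tooling, that applies those checks to process-creation events. SAMPLE_EVENTS is constructed from the report's command lines plus one benign vbc.exe compile for contrast; the NirSoft save-switch list and the temp-directory list are assumptions made for this example.

```python
"""Command-line triage for process-creation events (added example)."""
import ntpath

# (image path, command line) pairs constructed from the report's process tree,
# plus a benign compile so the rules can be seen not firing.
SAMPLE_EVENTS = [
    (r"C:\Windows\system32\rundll32.exe",
     r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL '
     r"C:\Users\Admin\AppData\Local\Temp\BFile_1.dem"),
    (r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" '
     r'"C:\Users\Admin\AppData\Local\Temp\BFile_1.dem"'),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext '
     r'"C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
    # constructed benign compile (not from the report)
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /nologo /out:app.exe app.vb"),
]

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\windows\\temp\\")
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
# "save output" switches used by NirSoft recovery tools; none is a compiler option
NIRSOFT_SAVE_SWITCHES = {"/stext", "/shtml", "/sverhtml", "/sxml", "/scomma", "/stab", "/stabular"}


def split_args(cmdline):
    """Minimal Windows-style splitter: whitespace separates, double quotes group."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def assess(image, cmdline):
    """Return the reasons a process-creation event is suspicious (empty if none)."""
    name = ntpath.basename(image).lower()
    args = split_args(cmdline)[1:]          # drop argv[0]
    low = [a.lower() for a in args]
    reasons = []
    if name in DOTNET_COMPILERS:
        if not any(a.endswith((".vb", ".cs")) for a in low):
            reasons.append(f"{name} started without a source file: compiler used as a host process")
        for sw in sorted(NIRSOFT_SAVE_SWITCHES & set(low)):
            reasons.append(f"{sw} is a NirSoft save switch, not a compiler option")
    if name == "rundll32.exe" and any(a.endswith("shell32.dll,openas_rundll") for a in low):
        targets = [a for a in low if any(t in a for t in TEMP_DIRS)]
        if targets:
            reasons.append(f"Open-with dialog forced on a temp file: {targets[0]}")
    if name == "acrord32.exe" and args:
        ext = ntpath.splitext(args[0])[1].lower()
        if ext != ".pdf":
            reasons.append(f"Adobe Reader opened a {ext or 'extension-less'} file, not a PDF")
    return reasons


def triage(events):
    """[(image basename, reasons)] for every event that tripped at least one rule."""
    out = []
    for image, cmdline in events:
        reasons = assess(image, cmdline)
        if reasons:
            out.append((ntpath.basename(image), reasons))
    return out


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The compiler rule is the general form of what this tree shows: vbc.exe or csc.exe invoked with no .vb or .cs input has nothing to compile, so it is being used as a host for injected code regardless of which switch accompanies it. The same logic ports directly to a Sysmon event ID 1 or EDR process-creation feed.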
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\BFile_1.dem
  Filesize: 185KB
  MD5: 56e5cb2ff918129380a87ed472ba3a8f
  SHA1: 4ec79985325fc6d3868820eef4a7f9ee895354ea
  SHA256: 5790258bc4123b2ecf535bea377d1f39dbf1bb890d575ac9fac8daded24e9da7
  SHA512: 798ea294c548e6773a04c5a0a4938bf27330ae9ae83dbf5b85687067f2af3d4a5babec323310015f2d5c8610ae27e0860b41fe44548628e9e65545e1404cb1e3
- C:\Users\Admin\AppData\Local\Temp\BFile_2.dem
  Filesize: 163KB
  MD5: 2b05237c8f53bcdd1c7918020d04f51e
  SHA1: 220541db503745d2d112d7ba595577ec68970993
  SHA256: f93b208197ded5deacbc4bf8c903c134b716c8e8ea6b983007cccfa46ebf17cd
  SHA512: 21b19c2b4cac0a6aafd8fadb12c376dfae87f06033dcb9c5b5c18bd2f7f94b352204b650a08a0bce8c6de071b94110fd95979466ddbe8af07da0f914bdcbe3a6
Memory dumps (pid-sequence-range):
- memory/820-58-0x0000000000000000-mapping.dmp
- memory/972-64-0x0000000000000000-mapping.dmp
- memory/1544-57-0x0000000000000000-mapping.dmp
- memory/1544-59-0x000007FEFBA91000-0x000007FEFBA93000-memory.dmp, Filesize: 8KB
- memory/1756-54-0x000007FEF3710000-0x000007FEF4133000-memory.dmp, Filesize: 10.1MB
- memory/1756-55-0x000007FEF2670000-0x000007FEF3706000-memory.dmp, Filesize: 16.6MB
- memory/1756-56-0x00000000022E6000-0x0000000002305000-memory.dmp, Filesize: 124KB
- memory/1984-61-0x0000000000000000-mapping.dmp
- memory/1984-62-0x0000000075F61000-0x0000000075F63000-memory.dmp, Filesize: 8KB
Note: no dump is listed for pid 1620 or 1572, the two vbc.exe instances that received the ten-write injections, so the injected payload is not recoverable from the artifacts on this page. Of the sample's own dumps, the 124KB region at 0x022E6000 in pid 1756 is a non-module address range and is the natural starting point for looking for the payload before it was written into vbc.exe; the two large regions at 0x7FEF... are module-sized mappings.