55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b

Analysis

max time kernel
152s
max time network
182s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe
Size

206KB
MD5

6c21d0c5867d51e82f3ece72274e21d2
SHA1

a71bc1a0391d1dd6bf94aab8746a234034700b4e
SHA256

55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b
SHA512

2a7d8cb81937055c68a2915cda35eeeb71d7e52efcfb4feea15bcca6c7b85c8350e668da520659c0c493be68926393963604c106611600feaa3927b3550196b4
SSDEEP

6144:oDpoeh0tRrQu3kHYPiVrhZN3SIqOWnbBO3Q9Y3Fqtw:E0tVhqVrDN3S7sg9Y39

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
460	saco.exe
1476	saco.exe

Deletes itself 1 IoCs

pid	Process
1860	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe
844	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe
460	saco.exe
460	saco.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	saco.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4989F29E-0E3C-E0B4-A893-527D47D0FCBA} = "C:\\Users\\Admin\\AppData\\Roaming\\Yquq\\saco.exe"	saco.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 940 set thread context of 844	940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	28
PID 460 set thread context of 1476	460	saco.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

resource	yara_rule
behavioral1/files/0x000c000000012326-69.dat	nsis_installer_1
behavioral1/files/0x000c000000012326-69.dat	nsis_installer_2
behavioral1/files/0x000c000000012326-71.dat	nsis_installer_1
behavioral1/files/0x000c000000012326-71.dat	nsis_installer_2
behavioral1/files/0x000c000000012326-73.dat	nsis_installer_1
behavioral1/files/0x000c000000012326-73.dat	nsis_installer_2
behavioral1/files/0x000c000000012326-77.dat	nsis_installer_1
behavioral1/files/0x000c000000012326-77.dat	nsis_installer_2
behavioral1/files/0x000c000000012326-86.dat	nsis_installer_1
behavioral1/files/0x000c000000012326-86.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe
1476	saco.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	844	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 844	940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	28
PID 940 wrote to memory of 844	940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	28
PID 940 wrote to memory of 844	940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	28
PID 940 wrote to memory of 844	940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	28
PID 940 wrote to memory of 844	940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	28
PID 940 wrote to memory of 844	940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	28
PID 940 wrote to memory of 844	940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	28
PID 940 wrote to memory of 844	940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	28
PID 940 wrote to memory of 844	940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	28
PID 940 wrote to memory of 844	940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	28
PID 940 wrote to memory of 844	940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	28
PID 940 wrote to memory of 844	940	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	28
PID 844 wrote to memory of 460	844	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	29
PID 844 wrote to memory of 460	844	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	29
PID 844 wrote to memory of 460	844	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	29
PID 844 wrote to memory of 460	844	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	29
PID 844 wrote to memory of 460	844	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	29
PID 844 wrote to memory of 460	844	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	29
PID 844 wrote to memory of 460	844	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	29
PID 460 wrote to memory of 1476	460	saco.exe	30
PID 460 wrote to memory of 1476	460	saco.exe	30
PID 460 wrote to memory of 1476	460	saco.exe	30
PID 460 wrote to memory of 1476	460	saco.exe	30
PID 460 wrote to memory of 1476	460	saco.exe	30
PID 460 wrote to memory of 1476	460	saco.exe	30
PID 460 wrote to memory of 1476	460	saco.exe	30
PID 460 wrote to memory of 1476	460	saco.exe	30
PID 460 wrote to memory of 1476	460	saco.exe	30
PID 460 wrote to memory of 1476	460	saco.exe	30
PID 460 wrote to memory of 1476	460	saco.exe	30
PID 460 wrote to memory of 1476	460	saco.exe	30
PID 1476 wrote to memory of 1216	1476	saco.exe	8
PID 1476 wrote to memory of 1216	1476	saco.exe	8
PID 1476 wrote to memory of 1216	1476	saco.exe	8
PID 1476 wrote to memory of 1216	1476	saco.exe	8
PID 1476 wrote to memory of 1216	1476	saco.exe	8
PID 1476 wrote to memory of 1304	1476	saco.exe	17
PID 1476 wrote to memory of 1304	1476	saco.exe	17
PID 1476 wrote to memory of 1304	1476	saco.exe	17
PID 1476 wrote to memory of 1304	1476	saco.exe	17
PID 1476 wrote to memory of 1304	1476	saco.exe	17
PID 1476 wrote to memory of 1376	1476	saco.exe	15
PID 1476 wrote to memory of 1376	1476	saco.exe	15
PID 1476 wrote to memory of 1376	1476	saco.exe	15
PID 1476 wrote to memory of 1376	1476	saco.exe	15
PID 1476 wrote to memory of 1376	1476	saco.exe	15
PID 1476 wrote to memory of 844	1476	saco.exe	28
PID 1476 wrote to memory of 844	1476	saco.exe	28
PID 1476 wrote to memory of 844	1476	saco.exe	28
PID 1476 wrote to memory of 844	1476	saco.exe	28
PID 1476 wrote to memory of 844	1476	saco.exe	28
PID 844 wrote to memory of 1860	844	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	31
PID 844 wrote to memory of 1860	844	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	31
PID 844 wrote to memory of 1860	844	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	31
PID 844 wrote to memory of 1860	844	55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe	31
PID 1476 wrote to memory of 1860	1476	saco.exe	31
PID 1476 wrote to memory of 1860	1476	saco.exe	31
PID 1476 wrote to memory of 1860	1476	saco.exe	31
PID 1476 wrote to memory of 1860	1476	saco.exe	31
PID 1476 wrote to memory of 1860	1476	saco.exe	31
PID 1476 wrote to memory of 1368	1476	saco.exe	32
PID 1476 wrote to memory of 548	1476	saco.exe	33
PID 1476 wrote to memory of 548	1476	saco.exe	33
PID 1476 wrote to memory of 548	1476	saco.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1216

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1376
- C:\Users\Admin\AppData\Local\Temp\55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe
  "C:\Users\Admin\AppData\Local\Temp\55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe
    "C:\Users\Admin\AppData\Local\Temp\55b76d229ca2ae94f5594050bfe8dd91f8ec8b26c0c7ae1956688494b051084b.exe"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Users\Admin\AppData\Roaming\Yquq\saco.exe
      "C:\Users\Admin\AppData\Roaming\Yquq\saco.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:460
    - - C:\Users\Admin\AppData\Roaming\Yquq\saco.exe
        
        "C:\Users\Admin\AppData\Roaming\Yquq\saco.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1476
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfe80394a.bat"
      4⤵
      Deletes itself
      PID:1860

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17897961324346473961858362565-883259843314157900-69797020413815748161329584445"
1⤵
PID:1368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpfe80394a.bat

Filesize
307B

MD5
03ee5315228b556cd4ca4ea17c06679e

SHA1
80fe2186655e15783b15a74ef909bb85c509ddd4

SHA256
d5cb6d0ad37b840f69055d906141614eb72af7cddf61cd52f173a8353d871e78

SHA512
3643e2c37916ac2715b84a79b42979501e57aecde09786cdb10984a5e93c3ade113ec13a09b9428c4c1a301d72a7aeb29af9523ecf44d44703c7b3758b48aa5f

Download Submit
C:\Users\Admin\AppData\Roaming\Yquq\saco.exe

Filesize
206KB

MD5
721b92726d58cee818e1619da714302a

SHA1
31e309ecd06e5c338b8a105c45d414d3d8772fdb

SHA256
013f423997db780bc7d75910468960413d7c2d97318894a79a424bb833bc6e75

SHA512
1ec246120a2c8d6e9fd69f24a08dc9bc9b1b8f70bad131bd95ec7e333fdc75f37b0bb7ec8aa9ce495fbf2e0ad7293444ea7d32ed4c04864eeeef066189da82f1

Download Submit
C:\Users\Admin\AppData\Roaming\Yquq\saco.exe

Filesize
206KB

MD5
721b92726d58cee818e1619da714302a

SHA1
31e309ecd06e5c338b8a105c45d414d3d8772fdb

SHA256
013f423997db780bc7d75910468960413d7c2d97318894a79a424bb833bc6e75

SHA512
1ec246120a2c8d6e9fd69f24a08dc9bc9b1b8f70bad131bd95ec7e333fdc75f37b0bb7ec8aa9ce495fbf2e0ad7293444ea7d32ed4c04864eeeef066189da82f1

Download Submit
C:\Users\Admin\AppData\Roaming\Yquq\saco.exe

Filesize
206KB

MD5
721b92726d58cee818e1619da714302a

SHA1
31e309ecd06e5c338b8a105c45d414d3d8772fdb

SHA256
013f423997db780bc7d75910468960413d7c2d97318894a79a424bb833bc6e75

SHA512
1ec246120a2c8d6e9fd69f24a08dc9bc9b1b8f70bad131bd95ec7e333fdc75f37b0bb7ec8aa9ce495fbf2e0ad7293444ea7d32ed4c04864eeeef066189da82f1

Download Submit
\Users\Admin\AppData\Local\Temp\nsd875B.tmp\authoritativeness.dll

Filesize
63KB

MD5
103f1a96977015f0f411cd5a1107399f

SHA1
3526e4fe4a8827d52079d20e7a2d0f07d2a26f24

SHA256
9d75cb9eccc06d70ecb876ad9d42564b793f4b6b76b6a15395efbae36ac60259

SHA512
2cb4f2723ee1bfd6dec84c264d4a8a9944c64f940f953e500a7b3cf7f49e06afd8e802f7d73dc2c06988eb8163bcce9f1d5c0fd28990bd0d8199ded58b720063

Download Submit
\Users\Admin\AppData\Local\Temp\nse399A.tmp\authoritativeness.dll

Filesize
63KB

MD5
103f1a96977015f0f411cd5a1107399f

SHA1
3526e4fe4a8827d52079d20e7a2d0f07d2a26f24

SHA256
9d75cb9eccc06d70ecb876ad9d42564b793f4b6b76b6a15395efbae36ac60259

SHA512
2cb4f2723ee1bfd6dec84c264d4a8a9944c64f940f953e500a7b3cf7f49e06afd8e802f7d73dc2c06988eb8163bcce9f1d5c0fd28990bd0d8199ded58b720063

Download Submit
\Users\Admin\AppData\Roaming\Yquq\saco.exe

Filesize
206KB

MD5
721b92726d58cee818e1619da714302a

SHA1
31e309ecd06e5c338b8a105c45d414d3d8772fdb

SHA256
013f423997db780bc7d75910468960413d7c2d97318894a79a424bb833bc6e75

SHA512
1ec246120a2c8d6e9fd69f24a08dc9bc9b1b8f70bad131bd95ec7e333fdc75f37b0bb7ec8aa9ce495fbf2e0ad7293444ea7d32ed4c04864eeeef066189da82f1

Download Submit
\Users\Admin\AppData\Roaming\Yquq\saco.exe

Filesize
206KB

MD5
721b92726d58cee818e1619da714302a

SHA1
31e309ecd06e5c338b8a105c45d414d3d8772fdb

SHA256
013f423997db780bc7d75910468960413d7c2d97318894a79a424bb833bc6e75

SHA512
1ec246120a2c8d6e9fd69f24a08dc9bc9b1b8f70bad131bd95ec7e333fdc75f37b0bb7ec8aa9ce495fbf2e0ad7293444ea7d32ed4c04864eeeef066189da82f1

Download Submit
memory/548-131-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/548-132-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/548-129-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/548-130-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/844-116-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/844-117-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/844-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/844-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/844-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/844-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/844-111-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/844-110-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/844-109-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/844-114-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/844-112-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/844-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/844-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/844-68-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/940-56-0x0000000000370000-0x0000000000388000-memory.dmp

Filesize
96KB

Download
memory/940-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1216-94-0x0000000001D20000-0x0000000001D47000-memory.dmp

Filesize
156KB

Download
memory/1216-93-0x0000000001D20000-0x0000000001D47000-memory.dmp

Filesize
156KB

Download
memory/1216-92-0x0000000001D20000-0x0000000001D47000-memory.dmp

Filesize
156KB

Download
memory/1216-91-0x0000000001D20000-0x0000000001D47000-memory.dmp

Filesize
156KB

Download
memory/1304-99-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1304-100-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1304-97-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1304-98-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1376-105-0x00000000025B0000-0x00000000025D7000-memory.dmp

Filesize
156KB

Download
memory/1376-103-0x00000000025B0000-0x00000000025D7000-memory.dmp

Filesize
156KB

Download
memory/1376-104-0x00000000025B0000-0x00000000025D7000-memory.dmp

Filesize
156KB

Download
memory/1376-106-0x00000000025B0000-0x00000000025D7000-memory.dmp

Filesize
156KB

Download
memory/1476-126-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1476-113-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1860-123-0x0000000000250000-0x0000000000277000-memory.dmp

Filesize
156KB

Download
memory/1860-122-0x0000000000250000-0x0000000000277000-memory.dmp

Filesize
156KB

Download
memory/1860-120-0x0000000000250000-0x0000000000277000-memory.dmp

Filesize
156KB

Download
memory/1860-121-0x0000000000250000-0x0000000000277000-memory.dmp

Filesize
156KB

Download
memory/1988-135-0x0000000001CE0000-0x0000000001D07000-memory.dmp

Filesize
156KB

Download
memory/1988-136-0x0000000001CE0000-0x0000000001D07000-memory.dmp

Filesize
156KB

Download
memory/1988-137-0x0000000001CE0000-0x0000000001D07000-memory.dmp

Filesize
156KB

Download
memory/1988-138-0x0000000001CE0000-0x0000000001D07000-memory.dmp

Filesize
156KB

Download