Overview

overview

9

Static

static

f7dc6cfcc9...12.exe

windows7-x64

f7dc6cfcc9...12.exe

windows10-2004-x64

Analysis

  • max time kernel
    10s
  • max time network
    24s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 12:30

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe

  • Size

    216KB

  • MD5

    88f9c81bf69cde243fa55d8b77b07dd2

  • SHA1

    eee450f5fec2242d0d1057bd8e4d1f7ab2f11a6a

  • SHA256

    f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812

  • SHA512

    eeb6461292438f6d2ed90713d282c1535bb7c13ff2d085861b34dd0e3d45fdc8e07f0676b3f52bd76eea8392027ee88412cf649735084a7115c6ae6156e426dc

  • SSDEEP

    6144:L63B7PRp/6XP90OzsKP58jeLq4oYXskCTMC1j:WR7pU/mqBPOMzStJ

Score
9/10
evasionransomware

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs
    ransomwareevasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe
    "C:\Users\Admin\AppData\Local\Temp\f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\9682f859.tmp"
      2⤵
        PID:1304
    • C:\Windows\Installer\{511F7F16-8544-9F4D-52B7-3AAD2FFB057C}\syshost.exe
      "C:\Windows\Installer\{511F7F16-8544-9F4D-52B7-3AAD2FFB057C}\syshost.exe" /service
      1⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:3528
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2248
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:544
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:456
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:3124
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:4264
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:4712
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:4640
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:3820
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:3948
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39f3055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4664

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Inhibit System Recovery

    1
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Installer\{511F7F16-8544-9F4D-52B7-3AAD2FFB057C}\syshost.exe
      Filesize

      216KB

      MD5

      88f9c81bf69cde243fa55d8b77b07dd2

      SHA1

      eee450f5fec2242d0d1057bd8e4d1f7ab2f11a6a

      SHA256

      f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812

      SHA512

      eeb6461292438f6d2ed90713d282c1535bb7c13ff2d085861b34dd0e3d45fdc8e07f0676b3f52bd76eea8392027ee88412cf649735084a7115c6ae6156e426dc

      Download Submit
    • C:\Windows\Installer\{511F7F16-8544-9F4D-52B7-3AAD2FFB057C}\syshost.exe
      Filesize

      216KB

      MD5

      88f9c81bf69cde243fa55d8b77b07dd2

      SHA1

      eee450f5fec2242d0d1057bd8e4d1f7ab2f11a6a

      SHA256

      f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812

      SHA512

      eeb6461292438f6d2ed90713d282c1535bb7c13ff2d085861b34dd0e3d45fdc8e07f0676b3f52bd76eea8392027ee88412cf649735084a7115c6ae6156e426dc

      Download Submit
    • memory/456-140-0x0000000000000000-mapping.dmp
      Download
    • memory/544-139-0x0000000000000000-mapping.dmp
      Download
    • memory/1304-134-0x0000000000000000-mapping.dmp
      Download
    • memory/1964-137-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/1964-138-0x0000000002030000-0x0000000002036000-memory.dmp
      Filesize

      24KB

      Download
    • memory/2248-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2636-148-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/2636-149-0x0000000000590000-0x0000000000596000-memory.dmp
      Filesize

      24KB

      Download
    • memory/2636-147-0x0000000000CF0000-0x0000000000DF0000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2636-150-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/3124-141-0x0000000000000000-mapping.dmp
      Download
    • memory/3528-135-0x0000000000000000-mapping.dmp
      Download
    • memory/3820-145-0x0000000000000000-mapping.dmp
      Download
    • memory/3948-146-0x0000000000000000-mapping.dmp
      Download
    • memory/4264-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4640-144-0x0000000000000000-mapping.dmp
      Download
    • memory/4712-143-0x0000000000000000-mapping.dmp
      Download