adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53

Analysis

max time kernel
151s
max time network
118s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe
Size

310KB
MD5

65c009ec4bc81ac1d4d3883974003b0a
SHA1

6ea8e112aee7e53d98dada520a25ef804a8f7399
SHA256

adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53
SHA512

977062301afcdb9e3a588db7f7fd95bfb3b18c68bccd379f7f579cf4b3b823178beffc25faa248e9d3d9f7ef898116c96c08c927b649faa7110549d7d4ef064d
SSDEEP

6144:5yZcAuFcCf38XolyxnDFJ6VcRBha8wB9iLsU64XxrzEWekrBNYsLjZiT:gTOcCf6y05u/y+OrBNYsZiT

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\25875 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msohlmzv.pif"	svchost.exe

Executes dropped EXE 3 IoCs

Processes:

card4610468692679384 .execard4610468692679384.execard4610468692679384.exe

pid process

572 card4610468692679384 .exe
1436 card4610468692679384.exe
1548 card4610468692679384.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1056 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.execard4610468692679384 .execard4610468692679384.exe

pid process

2032 adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe
572 card4610468692679384 .exe
1436 card4610468692679384.exe

pid	process
572	card4610468692679384 .exe
1436	card4610468692679384.exe
1548	card4610468692679384.exe

pid	process
1056	cmd.exe

pid	process
2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe
572	card4610468692679384 .exe
1436	card4610468692679384.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

card4610468692679384.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	card4610468692679384.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	card4610468692679384.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

card4610468692679384.exe

description pid process target process

PID 1436 set thread context of 1548 1436 card4610468692679384.exe card4610468692679384.exe
Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\PROGRA~3\LOCALS~1\Temp\msohlmzv.pif svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

card4610468692679384.exe

pid process

1548 card4610468692679384.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

card4610468692679384.execard4610468692679384.exe

pid process

1436 card4610468692679384.exe
1436 card4610468692679384.exe
1548 card4610468692679384.exe
1548 card4610468692679384.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1928 AcroRd32.exe
1928 AcroRd32.exe
1928 AcroRd32.exe
1928 AcroRd32.exe

description	pid	process	target process
PID 1436 set thread context of 1548	1436	card4610468692679384.exe	card4610468692679384.exe

description	ioc	process
File created	C:\PROGRA~3\LOCALS~1\Temp\msohlmzv.pif	svchost.exe

pid	process
1548	card4610468692679384.exe

pid	process
1436	card4610468692679384.exe
1436	card4610468692679384.exe
1548	card4610468692679384.exe
1548	card4610468692679384.exe

pid	process
1928	AcroRd32.exe
1928	AcroRd32.exe
1928	AcroRd32.exe
1928	AcroRd32.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.execard4610468692679384 .execard4610468692679384.execard4610468692679384.exe

description	pid	process	target process
PID 2032 wrote to memory of 572	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	card4610468692679384 .exe
PID 2032 wrote to memory of 572	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	card4610468692679384 .exe
PID 2032 wrote to memory of 572	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	card4610468692679384 .exe
PID 2032 wrote to memory of 572	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	card4610468692679384 .exe
PID 2032 wrote to memory of 572	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	card4610468692679384 .exe
PID 2032 wrote to memory of 572	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	card4610468692679384 .exe
PID 2032 wrote to memory of 572	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	card4610468692679384 .exe
PID 2032 wrote to memory of 1928	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	AcroRd32.exe
PID 2032 wrote to memory of 1928	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	AcroRd32.exe
PID 2032 wrote to memory of 1928	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	AcroRd32.exe
PID 2032 wrote to memory of 1928	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	AcroRd32.exe
PID 2032 wrote to memory of 1056	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	cmd.exe
PID 2032 wrote to memory of 1056	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	cmd.exe
PID 2032 wrote to memory of 1056	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	cmd.exe
PID 2032 wrote to memory of 1056	2032	adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe	cmd.exe
PID 572 wrote to memory of 1436	572	card4610468692679384 .exe	card4610468692679384.exe
PID 572 wrote to memory of 1436	572	card4610468692679384 .exe	card4610468692679384.exe
PID 572 wrote to memory of 1436	572	card4610468692679384 .exe	card4610468692679384.exe
PID 572 wrote to memory of 1436	572	card4610468692679384 .exe	card4610468692679384.exe
PID 572 wrote to memory of 1508	572	card4610468692679384 .exe	cmd.exe
PID 572 wrote to memory of 1508	572	card4610468692679384 .exe	cmd.exe
PID 572 wrote to memory of 1508	572	card4610468692679384 .exe	cmd.exe
PID 572 wrote to memory of 1508	572	card4610468692679384 .exe	cmd.exe
PID 1436 wrote to memory of 1548	1436	card4610468692679384.exe	card4610468692679384.exe
PID 1436 wrote to memory of 1548	1436	card4610468692679384.exe	card4610468692679384.exe
PID 1436 wrote to memory of 1548	1436	card4610468692679384.exe	card4610468692679384.exe
PID 1436 wrote to memory of 1548	1436	card4610468692679384.exe	card4610468692679384.exe
PID 1548 wrote to memory of 2012	1548	card4610468692679384.exe	svchost.exe
PID 1548 wrote to memory of 2012	1548	card4610468692679384.exe	svchost.exe
PID 1548 wrote to memory of 2012	1548	card4610468692679384.exe	svchost.exe
PID 1548 wrote to memory of 2012	1548	card4610468692679384.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe
"C:\Users\Admin\AppData\Local\Temp\adcfdc5380cec3fb9265a0ec010b92fe0348be16d9c27399f8f96b42f15bec53.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\card4610468692679384 .exe
"C:\Users\Admin\AppData\Local\Temp\card4610468692679384 .exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572

C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe
"C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe
"C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe"
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\syswow64\svchost.exe
C:\Windows\syswow64\svchost.exe
5⤵
- Adds policy Run key to start application
- Drops file in Program Files directory
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
3⤵
PID:1508

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\card4610468692679384.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
2⤵
- Deletes itself
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
300B

MD5
5d72968ba35b54618c9110174cf65484

SHA1
78d46908e84909c8ed2b7fade721973150a731d5

SHA256
6edd7ce4c1c67f7065577bae0de3b5b27e180f66938473774b4c9c078f8cc5cb

SHA512
a30f6d3d9b16222bf7e7bc70b2d63133d9f94e78925180e1f5dd7e19975f829e8d494ffc2900694786206634603ed76d43be41b863e2a94ad871d8bbaf049c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
214B

MD5
875ae18f7be9bbe948319f2f6537e988

SHA1
e5d3741a1e16617e8e5733cf4e91f1e9e502ae14

SHA256
51c399f37ac49b0a121405f654c9c86b58dcc01705406925d33b88a65b12f917

SHA512
00d7388e173cb0b933e04555eb0489f9a83da0f57a9f52699e6a18fa0f80206530a4dc830e1f58a78cfde2e3f44d5f5b3c1acedb42368e3696480abae71e9445

Download Submit
C:\Users\Admin\AppData\Local\Temp\card4610468692679384 .exe
Filesize
177KB

MD5
d69f8ac047d601181cfb1f373db3bb7b

SHA1
eab4d288204dd5d0c9f554ee7a1c9943d0ebee40

SHA256
358d34ee9e3ec88d11c28ad6e56091d129377a05299f7117a32afc9df83c626f

SHA512
b362883db98b854bfbe180d1e9715115d16bd4c20e8a447d8540d88b1ec8f3ff562c7c28913e93efd109d6514de27cb45e9ed35e1e3f765b8657670588bd44cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\card4610468692679384 .exe
Filesize
177KB

MD5
d69f8ac047d601181cfb1f373db3bb7b

SHA1
eab4d288204dd5d0c9f554ee7a1c9943d0ebee40

SHA256
358d34ee9e3ec88d11c28ad6e56091d129377a05299f7117a32afc9df83c626f

SHA512
b362883db98b854bfbe180d1e9715115d16bd4c20e8a447d8540d88b1ec8f3ff562c7c28913e93efd109d6514de27cb45e9ed35e1e3f765b8657670588bd44cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe
Filesize
226KB

MD5
f51f595b416e370cc46f65c7e62c8a41

SHA1
67c2f5a5dc5b1a3f6d259e7065260c7caa0d50c9

SHA256
7c3d6a21af2d9f20b71f61565c772a5aaa0c38613a5bb836b80b3578f46b7301

SHA512
f26a99f8229cbdf7551851e96fdb72b28c919fb3492556604b695dee4565c813d6964f168c0ce3ab00da2a9b34df8c9f0212a9919a033b21f60a46537c8569c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe
Filesize
226KB

MD5
f51f595b416e370cc46f65c7e62c8a41

SHA1
67c2f5a5dc5b1a3f6d259e7065260c7caa0d50c9

SHA256
7c3d6a21af2d9f20b71f61565c772a5aaa0c38613a5bb836b80b3578f46b7301

SHA512
f26a99f8229cbdf7551851e96fdb72b28c919fb3492556604b695dee4565c813d6964f168c0ce3ab00da2a9b34df8c9f0212a9919a033b21f60a46537c8569c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\card4610468692679384.exe
Filesize
226KB

MD5
f51f595b416e370cc46f65c7e62c8a41

SHA1
67c2f5a5dc5b1a3f6d259e7065260c7caa0d50c9

SHA256
7c3d6a21af2d9f20b71f61565c772a5aaa0c38613a5bb836b80b3578f46b7301

SHA512
f26a99f8229cbdf7551851e96fdb72b28c919fb3492556604b695dee4565c813d6964f168c0ce3ab00da2a9b34df8c9f0212a9919a033b21f60a46537c8569c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\card4610468692679384.pdf
Filesize
80KB

MD5
e171debd0d6749cc61cf836f0f80bc29

SHA1
c67d404ef98dd7dc81e6e8b7d25cd12be98bed5b

SHA256
dc46b6b468eee7f2feeb3c3f1757d31a92345ceb5aa3bed5633cb149c96475e2

SHA512
b2d2eeabd89b912bd2bc72efa2381c8d32d47f315b007125405e7aef5ff98936fc47312dd4d42473b96374c8af281497a9275e2d113ded924e6ec8d3721de8cd

Download Submit
\Users\Admin\AppData\Local\Temp\card4610468692679384 .exe
Filesize
177KB

MD5
d69f8ac047d601181cfb1f373db3bb7b

SHA1
eab4d288204dd5d0c9f554ee7a1c9943d0ebee40

SHA256
358d34ee9e3ec88d11c28ad6e56091d129377a05299f7117a32afc9df83c626f

SHA512
b362883db98b854bfbe180d1e9715115d16bd4c20e8a447d8540d88b1ec8f3ff562c7c28913e93efd109d6514de27cb45e9ed35e1e3f765b8657670588bd44cb

Download Submit
\Users\Admin\AppData\Local\Temp\card4610468692679384.exe
Filesize
226KB

MD5
f51f595b416e370cc46f65c7e62c8a41

SHA1
67c2f5a5dc5b1a3f6d259e7065260c7caa0d50c9

SHA256
7c3d6a21af2d9f20b71f61565c772a5aaa0c38613a5bb836b80b3578f46b7301

SHA512
f26a99f8229cbdf7551851e96fdb72b28c919fb3492556604b695dee4565c813d6964f168c0ce3ab00da2a9b34df8c9f0212a9919a033b21f60a46537c8569c9

Download Submit
\Users\Admin\AppData\Local\Temp\card4610468692679384.exe
Filesize
226KB

MD5
f51f595b416e370cc46f65c7e62c8a41

SHA1
67c2f5a5dc5b1a3f6d259e7065260c7caa0d50c9

SHA256
7c3d6a21af2d9f20b71f61565c772a5aaa0c38613a5bb836b80b3578f46b7301

SHA512
f26a99f8229cbdf7551851e96fdb72b28c919fb3492556604b695dee4565c813d6964f168c0ce3ab00da2a9b34df8c9f0212a9919a033b21f60a46537c8569c9

Download Submit
memory/572-56-0x0000000000000000-mapping.dmp

Download
memory/1056-61-0x0000000000000000-mapping.dmp

Download
memory/1436-65-0x0000000000000000-mapping.dmp

Download
memory/1508-68-0x0000000000000000-mapping.dmp

Download
memory/1548-73-0x000000000040141C-mapping.dmp

Download
memory/1548-75-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1928-59-0x0000000000000000-mapping.dmp

Download
memory/2012-76-0x0000000000000000-mapping.dmp

Download
memory/2012-77-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/2012-78-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/2012-79-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/2032-54-0x0000000076B51000-0x0000000076B53000-memory.dmp

Filesize
8KB

Download