290c18628497b3e06123ab7c8d780c45bda395dbbd583199e310233b17323b09

Analysis

max time kernel
119s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

290c18628497b3e06123ab7c8d780c45bda395dbbd583199e310233b17323b09.exe
Size

294KB
MD5

fabce060cb66a07b7a94869811170fde
SHA1

3ef6cf6a9b56442ff0ae4440df492ce13f53b5aa
SHA256

290c18628497b3e06123ab7c8d780c45bda395dbbd583199e310233b17323b09
SHA512

8d3c6c821b9d063c191e54913f3d50a2d2c963a1f0e4f413dd6b7f975e395177365b65cf336eda043fedc55651cc81450b9470dcdfd6bcaecd8fcb104f7b5572
SSDEEP

6144:n/0uo4Fb3TzzCVkfuqDVABIgVmqZ04H6nfCXvC:nJNt+VqsHwCXvC

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

abc.exesmss.exe

pid process

4396 abc.exe
804 smss.exe

pid	process
4396	abc.exe
804	smss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

290c18628497b3e06123ab7c8d780c45bda395dbbd583199e310233b17323b09.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	290c18628497b3e06123ab7c8d780c45bda395dbbd583199e310233b17323b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	290c18628497b3e06123ab7c8d780c45bda395dbbd583199e310233b17323b09.exe

Drops file in Program Files directory 2 IoCs

Processes:

abc.exe

description	ioc	process
File created	C:\Program Files (x86)\Outlook Express\smss.exe	abc.exe
File opened for modification	C:\Program Files (x86)\Outlook Express\smss.exe	abc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

smss.exe

description pid process

Token: SeDebugPrivilege 804 smss.exe

description	pid	process
Token: SeDebugPrivilege	804	smss.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

290c18628497b3e06123ab7c8d780c45bda395dbbd583199e310233b17323b09.exeabc.exe

description	pid	process	target process
PID 3668 wrote to memory of 4396	3668	290c18628497b3e06123ab7c8d780c45bda395dbbd583199e310233b17323b09.exe	abc.exe
PID 3668 wrote to memory of 4396	3668	290c18628497b3e06123ab7c8d780c45bda395dbbd583199e310233b17323b09.exe	abc.exe
PID 3668 wrote to memory of 4396	3668	290c18628497b3e06123ab7c8d780c45bda395dbbd583199e310233b17323b09.exe	abc.exe
PID 4396 wrote to memory of 452	4396	abc.exe	cmd.exe
PID 4396 wrote to memory of 452	4396	abc.exe	cmd.exe
PID 4396 wrote to memory of 452	4396	abc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\290c18628497b3e06123ab7c8d780c45bda395dbbd583199e310233b17323b09.exe
"C:\Users\Admin\AppData\Local\Temp\290c18628497b3e06123ab7c8d780c45bda395dbbd583199e310233b17323b09.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3668

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\abc.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\abc.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\8205.bat
3⤵
PID:452

C:\Program Files (x86)\Outlook Express\smss.exe
"C:\Program Files (x86)\Outlook Express\smss.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Outlook Express\smss.exe
Filesize
536KB

MD5
c93e45df0890ba24410a1cf42f98ee17

SHA1
1ecdd453b984270deb8152bf234ce10989571589

SHA256
6b483cf943c8f7c9653a4cfb872da8d97d20b57b1c1f818ac72df60c368025b6

SHA512
468dc6062c35023c6e3fe781d44d498c75d18a94d32c4bd62a87f71f63621d1665770d36ec046846b8e8a535a38227b699587908d5df1e9124514dedb9715f3b

Download Submit
C:\Program Files (x86)\Outlook Express\smss.exe
Filesize
536KB

MD5
c93e45df0890ba24410a1cf42f98ee17

SHA1
1ecdd453b984270deb8152bf234ce10989571589

SHA256
6b483cf943c8f7c9653a4cfb872da8d97d20b57b1c1f818ac72df60c368025b6

SHA512
468dc6062c35023c6e3fe781d44d498c75d18a94d32c4bd62a87f71f63621d1665770d36ec046846b8e8a535a38227b699587908d5df1e9124514dedb9715f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8205.bat
Filesize
162B

MD5
274d5fb395f06f064947b7907f2567d6

SHA1
5c15662b6030ca43a85a642b20213cc37dbe7c7d

SHA256
c9799b3f487f05afe25a03456b3d4e810a8eebe8955377d321c019ca83057819

SHA512
78140f6595dc2982070b744204c7b3fad4254de7cd5786e69c0e26e57e26c44764d7ca32ac8583bf494dcc81e51673313d8d7f9071f964e43c9a6b1adb2d091e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\abc.exe
Filesize
536KB

MD5
c93e45df0890ba24410a1cf42f98ee17

SHA1
1ecdd453b984270deb8152bf234ce10989571589

SHA256
6b483cf943c8f7c9653a4cfb872da8d97d20b57b1c1f818ac72df60c368025b6

SHA512
468dc6062c35023c6e3fe781d44d498c75d18a94d32c4bd62a87f71f63621d1665770d36ec046846b8e8a535a38227b699587908d5df1e9124514dedb9715f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\abc.exe
Filesize
536KB

MD5
c93e45df0890ba24410a1cf42f98ee17

SHA1
1ecdd453b984270deb8152bf234ce10989571589

SHA256
6b483cf943c8f7c9653a4cfb872da8d97d20b57b1c1f818ac72df60c368025b6

SHA512
468dc6062c35023c6e3fe781d44d498c75d18a94d32c4bd62a87f71f63621d1665770d36ec046846b8e8a535a38227b699587908d5df1e9124514dedb9715f3b

Download Submit
memory/452-137-0x0000000000000000-mapping.dmp

Download
memory/4396-132-0x0000000000000000-mapping.dmp

Download