bc6b7838aed0283638884fca8cc4fc3f1495b2b39bf1a2c9eb0a4868f9c38c79

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA.exe
Size

1.4MB
MD5

d35a0218361627d544d28334ca3c2cd7
SHA1

1de8ab2ada55056d0c1131c20671e167d854fdac
SHA256

bc6b7838aed0283638884fca8cc4fc3f1495b2b39bf1a2c9eb0a4868f9c38c79
SHA512

2acd1a573d5ca6b0a738d2e6ad2316f19a80f013ec0a7e205dcbd08b6bb852b5e7dda619e7cf515d2983294b4e7b18dc309dddd146bec65a1c087fa61667e76b
SSDEEP

24576:LAOcZXMuhlNU6mcQIM20GHr2nf4UsZzCJ45M4KnmdMLFspB6Q7Cj1:NEPWcQGFr84UsZn5QnmdMLE8Q7C1

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
108	kuumxwf.exe
1912	RegSvcs.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	kuumxwf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	kuumxwf.exe

Loads dropped DLL 3 IoCs

pid	Process
1012	WScript.exe
108	kuumxwf.exe
108	kuumxwf.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	kuumxwf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\6_21 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6_21\\start.vbs"	kuumxwf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	kuumxwf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6_21\\kuumxwf.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\6_21\\EECHVT~1.DOC"	kuumxwf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6_21\\Update.vbs"	kuumxwf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 108 set thread context of 1912	108	kuumxwf.exe	37
PID 108 set thread context of 1916	108	kuumxwf.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe
108	kuumxwf.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1012	956	SOA.exe	27
PID 956 wrote to memory of 1012	956	SOA.exe	27
PID 956 wrote to memory of 1012	956	SOA.exe	27
PID 956 wrote to memory of 1012	956	SOA.exe	27
PID 1012 wrote to memory of 108	1012	WScript.exe	28
PID 1012 wrote to memory of 108	1012	WScript.exe	28
PID 1012 wrote to memory of 108	1012	WScript.exe	28
PID 1012 wrote to memory of 108	1012	WScript.exe	28
PID 1012 wrote to memory of 108	1012	WScript.exe	28
PID 1012 wrote to memory of 108	1012	WScript.exe	28
PID 1012 wrote to memory of 108	1012	WScript.exe	28
PID 108 wrote to memory of 636	108	kuumxwf.exe	29
PID 108 wrote to memory of 636	108	kuumxwf.exe	29
PID 108 wrote to memory of 636	108	kuumxwf.exe	29
PID 108 wrote to memory of 636	108	kuumxwf.exe	29
PID 108 wrote to memory of 556	108	kuumxwf.exe	30
PID 108 wrote to memory of 556	108	kuumxwf.exe	30
PID 108 wrote to memory of 556	108	kuumxwf.exe	30
PID 108 wrote to memory of 556	108	kuumxwf.exe	30
PID 108 wrote to memory of 1604	108	kuumxwf.exe	31
PID 108 wrote to memory of 1604	108	kuumxwf.exe	31
PID 108 wrote to memory of 1604	108	kuumxwf.exe	31
PID 108 wrote to memory of 1604	108	kuumxwf.exe	31
PID 108 wrote to memory of 848	108	kuumxwf.exe	32
PID 108 wrote to memory of 848	108	kuumxwf.exe	32
PID 108 wrote to memory of 848	108	kuumxwf.exe	32
PID 108 wrote to memory of 848	108	kuumxwf.exe	32
PID 108 wrote to memory of 1540	108	kuumxwf.exe	33
PID 108 wrote to memory of 1540	108	kuumxwf.exe	33
PID 108 wrote to memory of 1540	108	kuumxwf.exe	33
PID 108 wrote to memory of 1540	108	kuumxwf.exe	33
PID 108 wrote to memory of 984	108	kuumxwf.exe	34
PID 108 wrote to memory of 984	108	kuumxwf.exe	34
PID 108 wrote to memory of 984	108	kuumxwf.exe	34
PID 108 wrote to memory of 984	108	kuumxwf.exe	34
PID 108 wrote to memory of 1952	108	kuumxwf.exe	35
PID 108 wrote to memory of 1952	108	kuumxwf.exe	35
PID 108 wrote to memory of 1952	108	kuumxwf.exe	35
PID 108 wrote to memory of 1952	108	kuumxwf.exe	35
PID 108 wrote to memory of 1916	108	kuumxwf.exe	36
PID 108 wrote to memory of 1916	108	kuumxwf.exe	36
PID 108 wrote to memory of 1916	108	kuumxwf.exe	36
PID 108 wrote to memory of 1916	108	kuumxwf.exe	36
PID 108 wrote to memory of 1916	108	kuumxwf.exe	36
PID 108 wrote to memory of 1916	108	kuumxwf.exe	36
PID 108 wrote to memory of 1916	108	kuumxwf.exe	36
PID 108 wrote to memory of 1912	108	kuumxwf.exe	37
PID 108 wrote to memory of 1912	108	kuumxwf.exe	37
PID 108 wrote to memory of 1912	108	kuumxwf.exe	37
PID 108 wrote to memory of 1912	108	kuumxwf.exe	37
PID 108 wrote to memory of 1912	108	kuumxwf.exe	37
PID 108 wrote to memory of 1912	108	kuumxwf.exe	37
PID 108 wrote to memory of 1912	108	kuumxwf.exe	37
PID 108 wrote to memory of 1912	108	kuumxwf.exe	37
PID 108 wrote to memory of 1916	108	kuumxwf.exe	36
PID 108 wrote to memory of 1916	108	kuumxwf.exe	36

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\6_21\mmpc.vbe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\6_21\kuumxwf.exe
    "C:\Users\Admin\AppData\Local\Temp\6_21\kuumxwf.exe" eechvt.docx
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:848
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:984
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6_21\eechvt.docx

Filesize
103.4MB

MD5
78dd14bc52e6fc75715bfe92e0c6692a

SHA1
22d729a2f6404316a9543d33b30d5690b0e740cd

SHA256
d3fa88084c98e36019386de00ac6a79fbaad80bc882e1ec5514d9f96988bb8aa

SHA512
4ff7e1bd28835844197abd572d408ce1502f1e8b3fe3a47fb0c0b42508cf5dafc62d60b41fa2dedfa280e26b941e11ecaa2134f547249e6fbcb4e425e6eb12f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_21\kuumxwf.exe

Filesize
924KB

MD5
fd406d1474a8785eeadb0de62631867a

SHA1
9430597cfdd47f68ec3a88fb5c071b88832a4dc3

SHA256
cf42fd1e3fa71ddb1a49b36e78ec679241c2140b9dfbd2f4f2777323b5e4957e

SHA512
12eef0f96375f8d0e88dff249ac81e1b1251a9bdeefe865fb95d794013890b91f91d14522dd52298033c4ac21e3f29b2a8c4ea3239f22d6cef28b8f9a9165da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_21\kuumxwf.exe

Filesize
924KB

MD5
fd406d1474a8785eeadb0de62631867a

SHA1
9430597cfdd47f68ec3a88fb5c071b88832a4dc3

SHA256
cf42fd1e3fa71ddb1a49b36e78ec679241c2140b9dfbd2f4f2777323b5e4957e

SHA512
12eef0f96375f8d0e88dff249ac81e1b1251a9bdeefe865fb95d794013890b91f91d14522dd52298033c4ac21e3f29b2a8c4ea3239f22d6cef28b8f9a9165da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_21\muaeln.bmp

Filesize
80KB

MD5
0ca179fdcea0d5819c2e4e607a7a03b6

SHA1
6bb79be93dcea41e01d15befedfbb338b00c2152

SHA256
f686aa5f309a5f19f1e5f4841a3bb6961a0c62a947318887ef83518cb1d3589e

SHA512
a78da2276efca95882e09117c17205308dc276cdb0f0bbfef7e45d9658d963e6be20d4f93d70fee933c5f7dcaa2964cb5376f3dd645effd1648a5d74415df46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_21\muhlecj.bmr

Filesize
1004KB

MD5
d783b716a5bfce6f1b8e8689984676f4

SHA1
e04055ecc2e9f104c0723f25b859fe020fda245a

SHA256
c4a09c9e0f831a6b7aafac51d65188a54203ca4104dadec931adbd2bc523878f

SHA512
626f19d2de95a5981915a4e0a94d8b4516fcb947468df3287a29a05bec4682378031510506f49ac7db6fc8d11cae8676c624fa20fc3914f7783b2b24afabaa4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\temp\6_21\mmpc.vbe

Filesize
52KB

MD5
b2152eebceb8d17d92fd80958abc4b3e

SHA1
704152bd1b4adacebe66a6d3c5d8f8d3b9417422

SHA256
06bdfcd261781865f13ab0fcc90d00ef3211b3957cd751339b984935fb0c6850

SHA512
b6386430f6bf4d1b995eac1ec269520d8943529297bcccbe1df33e865eaaacf9476979e18dde6d32ef95a9fdddc18c6cb856d0efb2ba048c9e9fad05e7ff2ec2

Download Submit
\Users\Admin\AppData\Local\Temp\6_21\kuumxwf.exe

Filesize
924KB

MD5
fd406d1474a8785eeadb0de62631867a

SHA1
9430597cfdd47f68ec3a88fb5c071b88832a4dc3

SHA256
cf42fd1e3fa71ddb1a49b36e78ec679241c2140b9dfbd2f4f2777323b5e4957e

SHA512
12eef0f96375f8d0e88dff249ac81e1b1251a9bdeefe865fb95d794013890b91f91d14522dd52298033c4ac21e3f29b2a8c4ea3239f22d6cef28b8f9a9165da8

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/108-60-0x0000000000000000-mapping.dmp

Download
memory/556-66-0x0000000000000000-mapping.dmp

Download
memory/636-65-0x0000000000000000-mapping.dmp

Download
memory/848-68-0x0000000000000000-mapping.dmp

Download
memory/956-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/984-70-0x0000000000000000-mapping.dmp

Download
memory/1012-55-0x0000000000000000-mapping.dmp

Download
memory/1540-69-0x0000000000000000-mapping.dmp

Download
memory/1604-67-0x0000000000000000-mapping.dmp

Download
memory/1912-76-0x0000000000403E24-mapping.dmp

Download
memory/1916-78-0x0000000000400000-0x0000000000A29000-memory.dmp

Filesize
6.2MB

Download
memory/1916-80-0x0000000000400000-0x0000000000A29000-memory.dmp

Filesize
6.2MB

Download
memory/1952-71-0x0000000000000000-mapping.dmp

Download