Analysis
- max time kernel: 172s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 13:17
Static task: static1

Behavioral task: behavioral1
- Sample: db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe
- Resource: win10v2004-20220812-en
General
- Target: db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe
- Size: 322KB
- MD5: b6771b11f7aa2e739501488355d8326a
- SHA1: 5c5870b25a4211f2cc853f788f8bbb4ad71e4072
- SHA256: db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0
- SHA512: 584fa09bf588ade4739ba8578d5cd0022331c91f388c81bf27c9480117db0cd43e0191ca15f396cb8aa94cbfd4ee58e2123043d5fae150fce8bacca26d506ff6
- SSDEEP: 6144:Bz+92mhAMJ/cPl3i8/G9AKQ3SRGFLuT0bxDBgD9lkC06BAOMg9lDOV:BK2mhAMJ/cPlJGdQ3SRMLugbxuDzVnLi
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
Processes:
- PID 4908: red_webssearches.exe
- PID 1100: DToolZip.exe
- PID 1584: DToolZip.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (red_webssearches.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (red_webssearches.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe)

Loads dropped DLL (2 IoCs)
Processes:
- PID 4488: rundll32.exe
- PID 4076: rundll32.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- File opened for modification: \??\PhysicalDrive0 (red_webssearches.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
- PID 4908: red_webssearches.exe (reported 2 times)
- PID 4488: rundll32.exe (reported 4 times)
- PID 4076: rundll32.exe (reported 4 times)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 4488 rundll32.exe (reported 2 times)
- Token: SeDebugPrivilege, PID 4076 rundll32.exe (reported 2 times)

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
- PID 4908: red_webssearches.exe
- PID 1100: DToolZip.exe
- PID 1584: DToolZip.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (source PID, source process, target PID, target process; each pair is reported 3 times):
- PID 3364 db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe wrote to memory of PID 4908 red_webssearches.exe
- PID 4908 red_webssearches.exe wrote to memory of PID 4488 rundll32.exe
- PID 4908 red_webssearches.exe wrote to memory of PID 1100 DToolZip.exe
- PID 4908 red_webssearches.exe wrote to memory of PID 4076 rundll32.exe
- PID 4908 red_webssearches.exe wrote to memory of PID 1584 DToolZip.exe
Processes (process tree; indentation shows depth)

C:\Users\Admin\AppData\Local\Temp\db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\red_webssearches.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\red_webssearches.exe" -silence -ptid=red
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (depth 3)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DTool.dll,DoD 1
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DToolZip.exe (depth 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DToolZip.exe -x -o C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\1.zip -d C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\rundll32.exe (depth 3)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DTool.dll,DoD 2
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DToolZip.exe (depth 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DToolZip.exe -x -o C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\2.zip -d C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\tmp
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Downloads

C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DTool.dll
- Filesize: 190KB
- MD5: b0daac9195ed549b89bfea99ceb1a39b
- SHA1: fbc97963b642ec1a993d94bc7d41b8268116ed9e
- SHA256: f530dc7295b102a0b89ee5ac3654e476e037280ca2b849a48ab84c450404aede
- SHA512: e9792dd6bee47063c4ed4bd62aaa59036fed5cd214e1510021470351ce3251e92f049ff0fefe99344d361cbd1a284ce706e733ee9519a41f7c1fa5a53c7cc70d

C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DToolZip.exe
- Filesize: 220KB
- MD5: 04d02d6f85c6025b55f570746884922b
- SHA1: f8c84731b604a2a5b0eb865acce523560aac3fd1
- SHA256: 9566eabe217a46841a2e0dde6ca001c3366ae68350dee612cdd06cca0e8ee5c0
- SHA512: d70df32cb55c86f8555a69bf47aec55582282eb5be872b3d9983447c17e4661bb3db43b3746938168f6e70a2a3679d174abc8bdb7439e6ae35debb37f665e0af

C:\Users\Admin\AppData\Local\Temp\RarSFX0\red_webssearches.exe
- Filesize: 706KB
- MD5: da6dcd1f5db81941c5d93f34af6c1655
- SHA1: 4417d9d1de9c504b113bb266407b3663c5fe6c0c
- SHA256: 55c1be255a3ea21ecde16db3b17059c14927602a77008097d1d769a981832d76
- SHA512: 2781c080c723f170967fadaf99eede40c996c7731c0ebed9573c96e4ec1aa871668e51b30b10fa0a35f86769cc0577d05651eb17462385264ffeec9b5d2b00da

Memory dumps:
- memory/1100-138-0x0000000000000000-mapping.dmp
- memory/1584-144-0x0000000000000000-mapping.dmp
- memory/4076-141-0x0000000000000000-mapping.dmp
- memory/4488-135-0x0000000000000000-mapping.dmp
- memory/4908-132-0x0000000000000000-mapping.dmp