af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458

Analysis

max time kernel
153s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 19:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
Size

3.6MB
MD5

4662cd2877125853ab1cd6b7620bac28
SHA1

75ba2393dc1b80ed880c9b8b5bb845b3d94a0893
SHA256

af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458
SHA512

0c2725e0c60285c6706068b2d65c8b5e1454fd6e3214b7a19e1c3806fe700bcd694529407d98decb69f302ed1efe1fae606d318bcbc7b323abd1f260c0508b22
SSDEEP

98304:I++FVVMUSRNbXklTSyfUktjIHt03wkLRmNcNvuaflrV:INFVVBSjrkYyfUUjIH8p2I

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2044	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe

Loads dropped DLL 4 IoCs

pid	Process
2012	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2044	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
Token: SeLoadDriverPrivilege	2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
Token: SeCreateGlobalPrivilege	2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
Token: 33	2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
Token: SeSecurityPrivilege	2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
Token: SeTakeOwnershipPrivilege	2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
Token: SeManageVolumePrivilege	2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
Token: SeBackupPrivilege	2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
Token: SeCreatePagefilePrivilege	2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
Token: SeShutdownPrivilege	2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
Token: SeRestorePrivilege	2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
Token: 33	2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
Token: SeIncBasePriorityPrivilege	2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2000	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2044	2012	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe	27
PID 2012 wrote to memory of 2044	2012	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe	27
PID 2012 wrote to memory of 2044	2012	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe	27
PID 2012 wrote to memory of 2044	2012	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe	27
PID 2044 wrote to memory of 2000	2044	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe	28
PID 2044 wrote to memory of 2000	2044	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe	28
PID 2044 wrote to memory of 2000	2044	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe	28
PID 2044 wrote to memory of 2000	2044	af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe	28

C:\Users\Admin\AppData\Local\Temp\af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
"C:\Users\Admin\AppData\Local\Temp\af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
  "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\extracted\af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe
    C:\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\extracted\af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\CET_Archive.dat

Filesize
3.4MB

MD5
789409e363e0910d6d1786799f782f9d

SHA1
fcbab7518c0e56ebf80dbb3189b7afc06bd869d1

SHA256
8eb0cbf4ce26615612cd87af781cc13e468b8f2a3550a269bf75d7fd4d31add6

SHA512
29d591023cb7675bfe52037a0626c0f57b22449afb2d123d430f9cf548996b8497e19d5d63fd480c5d1a9d907645781dd0da4b65e08a534b3cbc4b68c87ca060

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe

Filesize
196KB

MD5
808de473370ef6b5d98ab752f245a3ca

SHA1
800bd4ad10c17471829693fac3cee4502b14f029

SHA256
65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39

SHA512
fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
151KB

MD5
f128669e7c0e14371469ddeb7d34221d

SHA1
48a7d30e18e30a39f71b4a0d2d2cdeeb91ca00f7

SHA256
5e24ed824d155f24a9385234cdb3c60b17e408e4c01ef5169cd8fe5f6f8a3e54

SHA512
cef338c287f12439ded3ac74ace4269b2b52002980ce86e0b2319d8fcf7581a74071af47d910562d055c88fd52cd01bb3f8a9ff567e5a7c4ca485a24ca05f267

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\extracted\af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe

Filesize
6.4MB

MD5
d2aa9bb0e3220378c1022e8c951b73ee

SHA1
b20b0bd8e5cdd280c5dc922ffd896df50d208cb7

SHA256
bf25b6c415673b3797572b7e57688278f72dbd69836aca38dced83b6e3045aae

SHA512
52615e97a512c84a6981a19a1ec80223bad1f623c745db4b5841d4650c925da70bffd48f0ad8c5eaabf8564f671537592c7660a86c7821e89f17021f648e2464

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\extracted\defines.lua

Filesize
4KB

MD5
137698460f16dd9d7c5dcd95497fde8c

SHA1
f271fd46db36fe597afb103cb5285d504b51e519

SHA256
69cc27cc19c4f47586d4e65f5b22329f66d5d6dc9b86670cdc8e3c19d2e39829

SHA512
3c6e21781e6855f551fc5c6d04f8a14029256d1d8c4e83071d3648103be28adbbfe45d548e918772e9cb2ba386d025171ea578581d7ee193c2af7d4545f1319a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\extracted\lua5.1-32.dll

Filesize
329KB

MD5
8abe7dd2963502fe189f42fa7cba4f74

SHA1
53122c0d89c956411cfa2cdbe3334d3fa434713e

SHA256
bb89ed00c1974e376e8faada62a2eee7c3229ff3c2734771ea16d2d5df97e74a

SHA512
9df601cc2b9ada2df59885149007db4afb9c965b5981685949996e1a05174c24b5b9cefeb4dd09dbae7aae21485bcffbefb83fe6ce5ffff74875b231eada993f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\extracted\win32\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe

Filesize
196KB

MD5
808de473370ef6b5d98ab752f245a3ca

SHA1
800bd4ad10c17471829693fac3cee4502b14f029

SHA256
65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39

SHA512
fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\extracted\af59d00e96ee3f3b7bb5b4923b08741a95f94a07875597ce766bbf0afdd2d458.exe

Filesize
6.4MB

MD5
d2aa9bb0e3220378c1022e8c951b73ee

SHA1
b20b0bd8e5cdd280c5dc922ffd896df50d208cb7

SHA256
bf25b6c415673b3797572b7e57688278f72dbd69836aca38dced83b6e3045aae

SHA512
52615e97a512c84a6981a19a1ec80223bad1f623c745db4b5841d4650c925da70bffd48f0ad8c5eaabf8564f671537592c7660a86c7821e89f17021f648e2464

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\extracted\lua5.1-32.dll

Filesize
329KB

MD5
8abe7dd2963502fe189f42fa7cba4f74

SHA1
53122c0d89c956411cfa2cdbe3334d3fa434713e

SHA256
bb89ed00c1974e376e8faada62a2eee7c3229ff3c2734771ea16d2d5df97e74a

SHA512
9df601cc2b9ada2df59885149007db4afb9c965b5981685949996e1a05174c24b5b9cefeb4dd09dbae7aae21485bcffbefb83fe6ce5ffff74875b231eada993f

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET601B.tmp\extracted\win32\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
memory/2000-61-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/2000-64-0x00000000742D1000-0x00000000742D3000-memory.dmp

Filesize
8KB

Download