Analysis
  max time kernel:  203s
  max time network: 209s
  platform:         windows7_x64
  resource:         win7-20221111-en
  resource tags:    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted:        25-11-2022 19:42
Static task: static1
Behavioral task: behavioral1
  Sample:   7c6cba5b9d9443e59f197b66ad8915bd0b98f3da20eba149f0bf5af3ec7c5a2e.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample:   7c6cba5b9d9443e59f197b66ad8915bd0b98f3da20eba149f0bf5af3ec7c5a2e.exe
  Resource: win10v2004-20220812-en
The platform and resource fields above (windows7_x64, win7-20221111-en) identify the signatures, process tree and dropped files on this page as the behavioral1 run; the Windows 10 run is a separate task and is not shown here.
General
  Target: 7c6cba5b9d9443e59f197b66ad8915bd0b98f3da20eba149f0bf5af3ec7c5a2e.exe
  Size:   90KB
  MD5:    64c1ca809f3bd60278231c983407309d
  SHA1:   1900feaff1e2ae5f8af1d7bd2ad0961c04107969
  SHA256: 7c6cba5b9d9443e59f197b66ad8915bd0b98f3da20eba149f0bf5af3ec7c5a2e
  SHA512: 53ea6ea68382868bda7d2a47e0590dee55e30c27f24fcbcf6da02b7f7739781adfe3640ec2c6d2ca774e18ec63e50af57da62c3007e055dcae21f2464c8b963c
  SSDEEP: 1536:+tdwiFJBHoeeCF2wNRgR/G2J7kPIPm3yCJK/Hw5zEy:+tKe1FYORgVrJ7kw+3zJ6c
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
  pid   process
  1624  server.exe
  800   zhunquel.exe
  664   svchoost.exe
  1128  gaccwq.exe
Loads dropped DLL (5 IoCs)
  pid   process
  2016  7c6cba5b9d9443e59f197b66ad8915bd0b98f3da20eba149f0bf5af3ec7c5a2e.exe
  2016  7c6cba5b9d9443e59f197b66ad8915bd0b98f3da20eba149f0bf5af3ec7c5a2e.exe
  2016  7c6cba5b9d9443e59f197b66ad8915bd0b98f3da20eba149f0bf5af3ec7c5a2e.exe
  2016  7c6cba5b9d9443e59f197b66ad8915bd0b98f3da20eba149f0bf5af3ec7c5a2e.exe
  1128  gaccwq.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                        process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\svchoost.exe"  svchoost.exe
The value name is empty, i.e. the persistence entry is written into the Run key's default value rather than a named value, so a hunt that only inspects named values under Run will miss it. The Wow6432Node path is the 32-bit registry view on this 64-bit host, which means svchoost.exe is a 32-bit process. Its name is one letter away from the legitimate svchost.exe, which lives in System32, not in the Windows root.
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     process
  File opened (read-only)  \??\E:  gaccwq.exe
  File opened (read-only)  \??\F:  gaccwq.exe
  File opened (read-only)  \??\G:  gaccwq.exe
  File opened (read-only)  \??\H:  gaccwq.exe
  File opened (read-only)  \??\I:  gaccwq.exe
  File opened (read-only)  \??\J:  gaccwq.exe
  File opened (read-only)  \??\K:  gaccwq.exe
  File opened (read-only)  \??\L:  gaccwq.exe
  File opened (read-only)  \??\M:  gaccwq.exe
  File opened (read-only)  \??\N:  gaccwq.exe
  File opened (read-only)  \??\O:  gaccwq.exe
  File opened (read-only)  \??\P:  gaccwq.exe
  File opened (read-only)  \??\Q:  gaccwq.exe
  File opened (read-only)  \??\R:  gaccwq.exe
  File opened (read-only)  \??\S:  gaccwq.exe
  File opened (read-only)  \??\T:  gaccwq.exe
  File opened (read-only)  \??\U:  gaccwq.exe
  File opened (read-only)  \??\V:  gaccwq.exe
  File opened (read-only)  \??\W:  gaccwq.exe
  File opened (read-only)  \??\X:  gaccwq.exe
  File opened (read-only)  \??\Y:  gaccwq.exe
  File opened (read-only)  \??\Z:  gaccwq.exe
(Rows sorted by letter; the log records them in a different order.) Every letter from E: through Z: is opened, including letters with no volume mounted in the sandbox, which is consistent with a loop over all drive letters rather than a query of mounted volumes. The opens are read-only; the page records no writes to any of these drives.
Drops file in System32 directory (3 IoCs)
  description                   ioc                             process
  File opened for modification  C:\Windows\SysWOW64\gaccwq.exe  server.exe
  File created                  C:\Windows\SysWOW64\gei33.dll   gaccwq.exe
  File created                  C:\Windows\SysWOW64\gaccwq.exe  server.exe
Drops file in Program Files directory (2 IoCs)
  description                   ioc                             process
  File created                  C:\Program Files\7-Zip\lpk.dll  gaccwq.exe
  File opened for modification  C:\Program Files\7-Zip\lpk.dll  gaccwq.exe
lpk.dll is the name of a Windows system DLL whose legitimate copies live under the Windows directory. Writing a file of that name into an application's own directory (here 7-Zip's) is the DLL search-order hijack pattern: the intent is for the application to pick up the planted copy instead of the system one. Whether the planted copy is actually loaded depends on how the Windows version treats that DLL name, and this page does not show 7-Zip being run, so treat it as an attempted hijack.
Drops file in Windows directory (2 IoCs)
  description                   ioc                      process
  File opened for modification  C:\Windows\svchoost.exe  zhunquel.exe
  File created                  C:\Windows\svchoost.exe  zhunquel.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour, but nothing else on this page supports that reading: the only drive activity recorded is the read-only root-path probes listed under "Enumerates connected drives", and the dropped-file list contains no encrypted files or ransom note. The drive sweep fits equally well with a file-infecting or self-propagating sample.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                        process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0           svchoost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  svchoost.exe
ProcessorNameString is also read by ordinary software for display and diagnostics, so this query is a weak signal on its own; it is notable here because the reader is the persisted copy that was just registered in the Run key.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid  process
  Token: SeIncBasePriorityPrivilege   800  zhunquel.exe
SeIncBasePriorityPrivilege allows a process to raise scheduling priority. Many legitimate programs enable it, so by itself it is a low-value indicator; it is listed here because zhunquel.exe is also the process that installs svchoost.exe and then deletes itself (see the process tree).
Suspicious use of WriteProcessMemory (16 IoCs)
  source pid  source process                                                          target pid  target process  entries
  2016        7c6cba5b9d9443e59f197b66ad8915bd0b98f3da20eba149f0bf5af3ec7c5a2e.exe  1624        server.exe      4
  2016        7c6cba5b9d9443e59f197b66ad8915bd0b98f3da20eba149f0bf5af3ec7c5a2e.exe  800         zhunquel.exe    4
  800         zhunquel.exe                                                            664         svchoost.exe    4
  800         zhunquel.exe                                                            680         cmd.exe         4
Each parent/child pair appears four times in the log (16 entries in total). Every target is a direct child of the writing process in the process tree below, and the writes are what ordinary process creation produces when the parent populates the new child's startup data. This signature therefore does not on its own show code injection into an unrelated process; the persistence, self-deletion and dropped files are the stronger evidence on this page.
Processes
  C:\Users\Admin\AppData\Local\Temp\7c6cba5b9d9443e59f197b66ad8915bd0b98f3da20eba149f0bf5af3ec7c5a2e.exe  (PID 2016)
    command line: "C:\Users\Admin\AppData\Local\Temp\7c6cba5b9d9443e59f197b66ad8915bd0b98f3da20eba149f0bf5af3ec7c5a2e.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\server.exe  (PID 1624, child of 2016)
      command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
    C:\Users\Admin\AppData\Local\Temp\zhunquel.exe  (PID 800, child of 2016)
      command line: "C:\Users\Admin\AppData\Local\Temp\zhunquel.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\svchoost.exe  (PID 664, child of 800)
        command line: "C:\Windows\svchoost.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks processor information in registry
      C:\Windows\SysWOW64\cmd.exe  (PID 680, child of 800)
        command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\zhunquel.exe > nul
  C:\Windows\SysWOW64\gaccwq.exe  (PID 1128, separate root)
    command line: C:\Windows\SysWOW64\gaccwq.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
Reading the tree: the sample drops two executables into the user's Temp directory and runs both. zhunquel.exe copies itself to C:\Windows\svchoost.exe, launches that copy (which registers itself in the Run key), and then spawns cmd.exe to delete its own Temp copy, so after the run only the persisted copy remains on disk. The cmd.exe command line names system32 but the image that ran is SysWOW64\cmd.exe, the file-system redirection a 32-bit parent gets on 64-bit Windows. gaccwq.exe appears as a second root rather than under server.exe: server.exe wrote it into SysWOW64, but the sandbox did not attribute its launch to any tracked process, and the page does not show the mechanism that started it.
Network
MITRE ATT&CK Enterprise v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\server.exe  (recorded twice, and twice more as \Users\Admin\AppData\Local\Temp\server.exe; all four entries carry the hashes below)
    Size:   48KB
    MD5:    2c1917403d113d83404f898ae71939d2
    SHA1:   8e8dcba29fa8453244a6bc2323247f746d42b2d2
    SHA256: 2b45aa333f5648ce0e14b35c3d0b2096a48734595c9a894e777429ca8c03c977
    SHA512: b93c7f45fd578e851a5b9d77e80b8ea1f991aa0c351e2eabc386f96adda564699f12db0d64767429212087efcaf6cfe931f6242b007f9ed3578babb601a298f4
  C:\Users\Admin\AppData\Local\Temp\zhunquel.exe  (recorded twice, and twice more as \Users\Admin\AppData\Local\Temp\zhunquel.exe; all four entries carry the hashes below)
    Size:   52KB
    MD5:    bb2e482ad846d9580af1fe199564e92e
    SHA1:   f51b3ac4ef1cd2850a584786fcdf4080fffda782
    SHA256: 32d6cf30b2e844d40a43b0959370d654fb295336dacbe1553532b1ab8d01a825
    SHA512: 315229731a43d3a6587e641b9bc37da4ff0c9dcb5d8380caffa49ff7985a648c3f6953751970e573d8a94984057643bec031b2a7109c88720d66698e3927fb37
  C:\Windows\SysWOW64\gaccwq.exe  (recorded twice)
    Size:   48KB
    MD5:    2c1917403d113d83404f898ae71939d2
    SHA1:   8e8dcba29fa8453244a6bc2323247f746d42b2d2
    SHA256: 2b45aa333f5648ce0e14b35c3d0b2096a48734595c9a894e777429ca8c03c977
    SHA512: b93c7f45fd578e851a5b9d77e80b8ea1f991aa0c351e2eabc386f96adda564699f12db0d64767429212087efcaf6cfe931f6242b007f9ed3578babb601a298f4
  C:\Windows\svchoost.exe
    Size:   52KB
    MD5:    bb2e482ad846d9580af1fe199564e92e
    SHA1:   f51b3ac4ef1cd2850a584786fcdf4080fffda782
    SHA256: 32d6cf30b2e844d40a43b0959370d654fb295336dacbe1553532b1ab8d01a825
    SHA512: 315229731a43d3a6587e641b9bc37da4ff0c9dcb5d8380caffa49ff7985a648c3f6953751970e573d8a94984057643bec031b2a7109c88720d66698e3927fb37
  \Windows\SysWOW64\gei33.dll
    Size:   58KB
    MD5:    63f4ce502bba6a10d20b5affb92dc3d2
    SHA1:   404468f5485f2786735ffbf6ab055856f6cf29e1
    SHA256: 5caaf07e970e0abd2dfdb250177febe8ba8ca9cf6dfb09f6c498d4ae96187bc6
    SHA512: 2c9a5d5d20c4432bd9f8c8b8ffa7d0acc1d0f07d05f6d1ea21fcb417f1ccef9ef7c4406988b06a483cd1102b411635a3f9e69bc833d307675a10f5b920def9b3
The hashes show that C:\Windows\SysWOW64\gaccwq.exe is a byte-for-byte copy of server.exe and C:\Windows\svchoost.exe is a byte-for-byte copy of zhunquel.exe, so there are three distinct dropped binaries in this run (the 48KB and 52KB executables and gei33.dll), not five. C:\Program Files\7-Zip\lpk.dll is listed under Signatures as created by gaccwq.exe but has no hash entry here, so its content is not known from this page.
  Memory dumps
    memory/664-66-0x0000000000000000-mapping.dmp
    memory/680-69-0x0000000000000000-mapping.dmp
    memory/800-62-0x0000000000000000-mapping.dmp
    memory/1624-58-0x0000000000000000-mapping.dmp
    memory/2016-54-0x00000000760C1000-0x00000000760C3000-memory.dmp  (8KB)
    memory/2016-64-0x0000000000400000-0x000000000041F000-memory.dmp  (124KB)
    memory/2016-56-0x0000000000400000-0x000000000041F000-memory.dmp  (124KB)
  The two 124KB dumps of PID 2016 cover 0x00400000-0x0041F000, the conventional image base of a 32-bit executable, i.e. the sample's own mapped image (90KB on disk, 124KB once its sections are mapped), captured at two points in the run.
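The following host-triage script is an added example, not part of the sandbox report and not code from the sample or the sandbox vendor. It checks a Windows host for the artifacts this report attributes to the sample: the dropped files (verified against the SHA256 values listed under Downloads), the Run-key persistence recorded under Signatures (including the empty-name default value, which a named-value-only check would miss), the lpk.dll planted beside 7-Zip, and running copies of the dropped executables. The variable names, output format and exit code are this script's own choices; the lpk.dll sweep of all of Program Files is broader than what the report shows and is labelled as such. It assumes PowerShell 4 or later (for Get-FileHash) in an elevated 64-bit session so that the SysWOW64 and Wow6432Node locations resolve as they did in the sandbox.

```powershell
# Added host-triage script for the artifacts in this report (not the sample's or the
# sandbox's code). Run elevated, 64-bit, PowerShell 4+.
$ErrorActionPreference = 'SilentlyContinue'
$Findings = New-Object System.Collections.Generic.List[string]

# SHA256 -> label, copied from the report's Downloads/General sections.
# server.exe and gaccwq.exe share one hash; zhunquel.exe and svchoost.exe share another.
$KnownHashes = @{
    '7c6cba5b9d9443e59f197b66ad8915bd0b98f3da20eba149f0bf5af3ec7c5a2e' = 'original sample'
    '2b45aa333f5648ce0e14b35c3d0b2096a48734595c9a894e777429ca8c03c977' = 'server.exe / gaccwq.exe'
    '32d6cf30b2e844d40a43b0959370d654fb295336dacbe1553532b1ab8d01a825' = 'zhunquel.exe / svchoost.exe'
    '5caaf07e970e0abd2dfdb250177febe8ba8ca9cf6dfb09f6c498d4ae96187bc6' = 'gei33.dll'
}

# Paths the sample wrote during the run (from Signatures). The sandbox user was "Admin";
# on a real host the Temp droppers could sit under any profile, so every profile is checked.
$PathsToCheck = @(
    "$env:SystemRoot\svchoost.exe",
    "$env:SystemRoot\SysWOW64\gaccwq.exe",
    "$env:SystemRoot\SysWOW64\gei33.dll",
    "$env:ProgramFiles\7-Zip\lpk.dll",
    "${env:ProgramFiles(x86)}\7-Zip\lpk.dll"
)
foreach ($userDir in Get-ChildItem -Path "$env:SystemDrive\Users" -Directory) {
    $PathsToCheck += "$($userDir.FullName)\AppData\Local\Temp\server.exe"
    $PathsToCheck += "$($userDir.FullName)\AppData\Local\Temp\zhunquel.exe"
}

# 1. Dropped files: report a match against the sandbox hashes, and also flag a file
#    that is present at a reported path but hashes differently (a newer build).
foreach ($path in $PathsToCheck) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    if ($KnownHashes.ContainsKey($hash)) {
        $Findings.Add("FILE  $path  sha256=$hash  matches report ($($KnownHashes[$hash]))")
    } else {
        $Findings.Add("FILE  $path  sha256=$hash  present, hash differs from report")
    }
}

# 2. Broader than the report: any lpk.dll under Program Files is suspect, because the
#    legitimate copies live under the Windows directory. Skip paths already reported above.
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem -Path $programDirs -Filter lpk.dll -Recurse -File |
    Where-Object { $PathsToCheck -notcontains $_.FullName } |
    ForEach-Object { $Findings.Add("FILE  $($_.FullName)  lpk.dll outside the Windows directory") }

# 3. Persistence: the report shows the Run key's DEFAULT value (empty name) set to
#    C:\Windows\svchoost.exe under Wow6432Node. Check both registry views and every
#    value, including "(default)", which Get-ItemProperty exposes as a property.
$RunKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $RunKeys) {
    $values = Get-ItemProperty -Path $key
    if ($null -eq $values) { continue }
    foreach ($prop in $values.PSObject.Properties) {
        if ($ProviderProps -contains $prop.Name) { continue }   # provider metadata, not registry values
        if ("$($prop.Value)" -match 'svchoost\.exe') {
            $Findings.Add("REG   $key  value '$($prop.Name)' = $($prop.Value)")
        }
    }
}

# 4. Running copies. "server" and "zhunquel" are generic names; confirm via Path/hash above.
Get-Process -Name svchoost, gaccwq, server, zhunquel |
    ForEach-Object { $Findings.Add("PROC  pid=$($_.Id)  $($_.ProcessName)  $($_.Path)") }

if ($Findings.Count -eq 0) {
    Write-Output 'No artifacts from the report found on this host.'
    exit 0
}
$Findings | ForEach-Object { Write-Output $_ }
exit 1
```

The script exits 1 when anything is found so it can be pushed out through a remote-execution framework and the return code collected. The hash check deliberately reports a file that exists at a reported path but hashes differently: that is the usual outcome when the same dropper family is rebuilt, and the path plus the near-miss name (svchoost.exe in the Windows root) is the durable indicator, not the hash.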