64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e

Analysis

max time kernel
149s
max time network
52s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe
Size

4.5MB
MD5

421596e992a63498141042b230f4cb38
SHA1

7585a2d9c5517b37830f18735079b4536b18a07f
SHA256

64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e
SHA512

8c5340656a2e750aae7ff02debf32c4c7f649a6092a87764182ab1f9f222f44d185d8243b4b00982b422c5d407b79988ef9cff1f9506691b087ac7859e1fb55b
SSDEEP

98304:cdfULHU8f+93EcSp3NEbEOLEDXuahtPv6o39hSIIggxvMW4fERr1S4:SUL0a+BCNqEOuXuUPPNwGgxEWPp1d

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
112	invantiblock.exe
1748	exp.exe
828	exp.exe

Loads dropped DLL 4 IoCs

pid	Process
1672	64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe
1672	64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe
1672	64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe
1672	64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\chk.tmp	invantiblock.exe
File created	C:\Windows\exp.exe	invantiblock.exe
File opened for modification	C:\Windows\exp.exe	invantiblock.exe
File created	C:\Windows\ESCT_log.txt	exp.exe
File opened for modification	C:\Windows\ESCT_log.txt	exp.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2036	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
112	invantiblock.exe
112	invantiblock.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1496	WMIC.exe
Token: SeSecurityPrivilege	1496	WMIC.exe
Token: SeTakeOwnershipPrivilege	1496	WMIC.exe
Token: SeLoadDriverPrivilege	1496	WMIC.exe
Token: SeSystemtimePrivilege	1496	WMIC.exe
Token: SeBackupPrivilege	1496	WMIC.exe
Token: SeRestorePrivilege	1496	WMIC.exe
Token: SeShutdownPrivilege	1496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1496	WMIC.exe
Token: SeUndockPrivilege	1496	WMIC.exe
Token: SeManageVolumePrivilege	1496	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1496	WMIC.exe
Token: SeSecurityPrivilege	1496	WMIC.exe
Token: SeTakeOwnershipPrivilege	1496	WMIC.exe
Token: SeLoadDriverPrivilege	1496	WMIC.exe
Token: SeSystemtimePrivilege	1496	WMIC.exe
Token: SeBackupPrivilege	1496	WMIC.exe
Token: SeRestorePrivilege	1496	WMIC.exe
Token: SeShutdownPrivilege	1496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1496	WMIC.exe
Token: SeUndockPrivilege	1496	WMIC.exe
Token: SeManageVolumePrivilege	1496	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1756	WMIC.exe
Token: SeSecurityPrivilege	1756	WMIC.exe
Token: SeTakeOwnershipPrivilege	1756	WMIC.exe
Token: SeLoadDriverPrivilege	1756	WMIC.exe
Token: SeSystemtimePrivilege	1756	WMIC.exe
Token: SeBackupPrivilege	1756	WMIC.exe
Token: SeRestorePrivilege	1756	WMIC.exe
Token: SeShutdownPrivilege	1756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1756	WMIC.exe
Token: SeUndockPrivilege	1756	WMIC.exe
Token: SeManageVolumePrivilege	1756	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1756	WMIC.exe
Token: SeSecurityPrivilege	1756	WMIC.exe
Token: SeTakeOwnershipPrivilege	1756	WMIC.exe
Token: SeLoadDriverPrivilege	1756	WMIC.exe
Token: SeSystemtimePrivilege	1756	WMIC.exe
Token: SeBackupPrivilege	1756	WMIC.exe
Token: SeRestorePrivilege	1756	WMIC.exe
Token: SeShutdownPrivilege	1756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1756	WMIC.exe
Token: SeUndockPrivilege	1756	WMIC.exe
Token: SeManageVolumePrivilege	1756	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1740	WMIC.exe
Token: SeSecurityPrivilege	1740	WMIC.exe
Token: SeTakeOwnershipPrivilege	1740	WMIC.exe
Token: SeLoadDriverPrivilege	1740	WMIC.exe
Token: SeSystemtimePrivilege	1740	WMIC.exe
Token: SeBackupPrivilege	1740	WMIC.exe
Token: SeRestorePrivilege	1740	WMIC.exe
Token: SeShutdownPrivilege	1740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1740	WMIC.exe
Token: SeUndockPrivilege	1740	WMIC.exe
Token: SeManageVolumePrivilege	1740	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1740	WMIC.exe
Token: SeSecurityPrivilege	1740	WMIC.exe
Token: SeTakeOwnershipPrivilege	1740	WMIC.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 112	1672	64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe	27
PID 1672 wrote to memory of 112	1672	64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe	27
PID 1672 wrote to memory of 112	1672	64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe	27
PID 1672 wrote to memory of 112	1672	64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe	27
PID 1672 wrote to memory of 112	1672	64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe	27
PID 1672 wrote to memory of 112	1672	64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe	27
PID 1672 wrote to memory of 112	1672	64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe	27
PID 112 wrote to memory of 1904	112	invantiblock.exe	28
PID 112 wrote to memory of 1904	112	invantiblock.exe	28
PID 112 wrote to memory of 1904	112	invantiblock.exe	28
PID 112 wrote to memory of 1904	112	invantiblock.exe	28
PID 112 wrote to memory of 1904	112	invantiblock.exe	28
PID 112 wrote to memory of 1904	112	invantiblock.exe	28
PID 112 wrote to memory of 1904	112	invantiblock.exe	28
PID 1904 wrote to memory of 1748	1904	cmd.exe	30
PID 1904 wrote to memory of 1748	1904	cmd.exe	30
PID 1904 wrote to memory of 1748	1904	cmd.exe	30
PID 1904 wrote to memory of 1748	1904	cmd.exe	30
PID 1904 wrote to memory of 1748	1904	cmd.exe	30
PID 1904 wrote to memory of 1748	1904	cmd.exe	30
PID 1904 wrote to memory of 1748	1904	cmd.exe	30
PID 1748 wrote to memory of 1172	1748	exp.exe	31
PID 1748 wrote to memory of 1172	1748	exp.exe	31
PID 1748 wrote to memory of 1172	1748	exp.exe	31
PID 1748 wrote to memory of 1172	1748	exp.exe	31
PID 1172 wrote to memory of 2036	1172	cmd.exe	33
PID 1172 wrote to memory of 2036	1172	cmd.exe	33
PID 1172 wrote to memory of 2036	1172	cmd.exe	33
PID 1172 wrote to memory of 2036	1172	cmd.exe	33
PID 828 wrote to memory of 1660	828	exp.exe	35
PID 828 wrote to memory of 1660	828	exp.exe	35
PID 828 wrote to memory of 1660	828	exp.exe	35
PID 828 wrote to memory of 1660	828	exp.exe	35
PID 1660 wrote to memory of 1496	1660	cmd.exe	37
PID 1660 wrote to memory of 1496	1660	cmd.exe	37
PID 1660 wrote to memory of 1496	1660	cmd.exe	37
PID 1660 wrote to memory of 1496	1660	cmd.exe	37
PID 828 wrote to memory of 1000	828	exp.exe	39
PID 828 wrote to memory of 1000	828	exp.exe	39
PID 828 wrote to memory of 1000	828	exp.exe	39
PID 828 wrote to memory of 1000	828	exp.exe	39
PID 1000 wrote to memory of 1756	1000	cmd.exe	41
PID 1000 wrote to memory of 1756	1000	cmd.exe	41
PID 1000 wrote to memory of 1756	1000	cmd.exe	41
PID 1000 wrote to memory of 1756	1000	cmd.exe	41
PID 828 wrote to memory of 316	828	exp.exe	42
PID 828 wrote to memory of 316	828	exp.exe	42
PID 828 wrote to memory of 316	828	exp.exe	42
PID 828 wrote to memory of 316	828	exp.exe	42
PID 316 wrote to memory of 1740	316	cmd.exe	44
PID 316 wrote to memory of 1740	316	cmd.exe	44
PID 316 wrote to memory of 1740	316	cmd.exe	44
PID 316 wrote to memory of 1740	316	cmd.exe	44
PID 828 wrote to memory of 364	828	exp.exe	45
PID 828 wrote to memory of 364	828	exp.exe	45
PID 828 wrote to memory of 364	828	exp.exe	45
PID 828 wrote to memory of 364	828	exp.exe	45
PID 364 wrote to memory of 280	364	cmd.exe	47
PID 364 wrote to memory of 280	364	cmd.exe	47
PID 364 wrote to memory of 280	364	cmd.exe	47
PID 364 wrote to memory of 280	364	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe
"C:\Users\Admin\AppData\Local\Temp\64ffd52a7752329769658d4d842625d44a2658baf275a64b8cb2fdbf53d23c9e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\sdkjncuisdfs876df7sd656f75d5d\invantiblock.exe
  "C:\Users\Admin\AppData\Local\Temp\sdkjncuisdfs876df7sd656f75d5d\invantiblock.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C C:\Windows\exp.exe /install /silent
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\exp.exe
      C:\Windows\exp.exe /install /silent
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc start esexp
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Windows\SysWOW64\sc.exe
        
        sc start esexp
        6⤵
        Launches sc.exe
        
        PID:2036

C:\Windows\exp.exe
C:\Windows\exp.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C wmic bios get serialnumber,name,Manufacturer
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic bios get serialnumber,name,Manufacturer
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C wmic bios get serialnumber,name,Manufacturer
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic bios get serialnumber,name,Manufacturer
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C wmic diskdrive get name,size,model
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic diskdrive get name,size,model
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C GETMAC /NH /V
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\SysWOW64\getmac.exe
    GETMAC /NH /V
    3⤵
    PID:280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sdkjncuisdfs876df7sd656f75d5d\EsetAntiBlock.exe

Filesize
2.4MB

MD5
a444b6053da7bd4e865ba3ca9c21ff09

SHA1
e44ce2629ecd55862514b852d758bcd620ae9bdb

SHA256
9ee220224e56d6a81925cd2158c6f7165249c3c5917bceb04aeade65770f28a2

SHA512
999677002f6843d9083fc403e5b6d9dc199fde453e41b66dabb334d6349c7f8e60c0e3caa101f0d376b0591ae6a8e350a4a494f739ce71da25661a7196906810

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdkjncuisdfs876df7sd656f75d5d\invantiblock.exe

Filesize
2.0MB

MD5
b190d6b7d7ba2c4bae3da375fb74bbf8

SHA1
a98c6b0c19e8c78aeed878842f15e5a012a154ef

SHA256
6e2c4adffba8028109ba4899d4b24f927ea6aed48589def72d1f5cd20ef524ed

SHA512
1c2562d6837eac3fba1f173dd3a604f9b096a834631c435de9626ade955043f5e1d8e661b8511fa932c8a85c74324f647e93cb9fabc440ba987b53d061da46ed

Download Submit
C:\Windows\exp.exe

Filesize
2.4MB

MD5
a444b6053da7bd4e865ba3ca9c21ff09

SHA1
e44ce2629ecd55862514b852d758bcd620ae9bdb

SHA256
9ee220224e56d6a81925cd2158c6f7165249c3c5917bceb04aeade65770f28a2

SHA512
999677002f6843d9083fc403e5b6d9dc199fde453e41b66dabb334d6349c7f8e60c0e3caa101f0d376b0591ae6a8e350a4a494f739ce71da25661a7196906810

Download Submit
C:\Windows\exp.exe

Filesize
2.4MB

MD5
a444b6053da7bd4e865ba3ca9c21ff09

SHA1
e44ce2629ecd55862514b852d758bcd620ae9bdb

SHA256
9ee220224e56d6a81925cd2158c6f7165249c3c5917bceb04aeade65770f28a2

SHA512
999677002f6843d9083fc403e5b6d9dc199fde453e41b66dabb334d6349c7f8e60c0e3caa101f0d376b0591ae6a8e350a4a494f739ce71da25661a7196906810

Download Submit
C:\Windows\exp.exe

Filesize
2.4MB

MD5
a444b6053da7bd4e865ba3ca9c21ff09

SHA1
e44ce2629ecd55862514b852d758bcd620ae9bdb

SHA256
9ee220224e56d6a81925cd2158c6f7165249c3c5917bceb04aeade65770f28a2

SHA512
999677002f6843d9083fc403e5b6d9dc199fde453e41b66dabb334d6349c7f8e60c0e3caa101f0d376b0591ae6a8e350a4a494f739ce71da25661a7196906810

Download Submit
\Users\Admin\AppData\Local\Temp\sdkjncuisdfs876df7sd656f75d5d\invantiblock.exe

Filesize
2.0MB

MD5
b190d6b7d7ba2c4bae3da375fb74bbf8

SHA1
a98c6b0c19e8c78aeed878842f15e5a012a154ef

SHA256
6e2c4adffba8028109ba4899d4b24f927ea6aed48589def72d1f5cd20ef524ed

SHA512
1c2562d6837eac3fba1f173dd3a604f9b096a834631c435de9626ade955043f5e1d8e661b8511fa932c8a85c74324f647e93cb9fabc440ba987b53d061da46ed

Download Submit
\Users\Admin\AppData\Local\Temp\sdkjncuisdfs876df7sd656f75d5d\invantiblock.exe

Filesize
2.0MB

MD5
b190d6b7d7ba2c4bae3da375fb74bbf8

SHA1
a98c6b0c19e8c78aeed878842f15e5a012a154ef

SHA256
6e2c4adffba8028109ba4899d4b24f927ea6aed48589def72d1f5cd20ef524ed

SHA512
1c2562d6837eac3fba1f173dd3a604f9b096a834631c435de9626ade955043f5e1d8e661b8511fa932c8a85c74324f647e93cb9fabc440ba987b53d061da46ed

Download Submit
\Users\Admin\AppData\Local\Temp\sdkjncuisdfs876df7sd656f75d5d\invantiblock.exe

Filesize
2.0MB

MD5
b190d6b7d7ba2c4bae3da375fb74bbf8

SHA1
a98c6b0c19e8c78aeed878842f15e5a012a154ef

SHA256
6e2c4adffba8028109ba4899d4b24f927ea6aed48589def72d1f5cd20ef524ed

SHA512
1c2562d6837eac3fba1f173dd3a604f9b096a834631c435de9626ade955043f5e1d8e661b8511fa932c8a85c74324f647e93cb9fabc440ba987b53d061da46ed

Download Submit
\Users\Admin\AppData\Local\Temp\sdkjncuisdfs876df7sd656f75d5d\invantiblock.exe

Filesize
2.0MB

MD5
b190d6b7d7ba2c4bae3da375fb74bbf8

SHA1
a98c6b0c19e8c78aeed878842f15e5a012a154ef

SHA256
6e2c4adffba8028109ba4899d4b24f927ea6aed48589def72d1f5cd20ef524ed

SHA512
1c2562d6837eac3fba1f173dd3a604f9b096a834631c435de9626ade955043f5e1d8e661b8511fa932c8a85c74324f647e93cb9fabc440ba987b53d061da46ed

Download Submit
memory/1672-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download