Analysis
Max time kernel: 144s
Max time network: 152s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 26-11-2022 22:52
Static task: static1
Behavioral task: behavioral1
  Sample: 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
  Resource: win10v2004-20221111-en
General
Target: 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
Size: 1.2MB
MD5: 33a67ab9f3cd79bb48c8e3db30728986
SHA1: b0154442643a0d8dafd036a501bf5e40245a0841
SHA256: 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3
SHA512: 4c0f15131b9a5d05ded58b51fc75e1d0c2070f7b6b859b0fb84d2c5c23d8bcc257e342d8f44734004b4b48ee2be1a50f0218610ba67fdc23af2d89bc6c15fd83
SSDEEP: 24576:A8ndVY0XKelcxVs1I5pYLqEeYmoRq1CNRa9XURbHudjrcSdg:A8nzYIOUQW2EeYBRq1Ag9XURbHuhm
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: reg.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BBBCfg\\file.exe"

Executes dropped EXE (1 IoC)
  Process: svhost.exe (PID 2012)

Loads dropped DLL (1 IoC)
  Process: 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe (PID 1488)

Suspicious use of SetThreadContext (1 IoC)
  PID 1488 (48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe) set thread context of PID 2012 (svhost.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Process: 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe (PID 1488), 5 occurrences

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: svhost.exe (PID 2012)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 1488 (48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe)
  Token: 33, PID 1488 (48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe)
  Token: SeIncBasePriorityPrivilege, PID 1488 (48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe)
  Token: SeDebugPrivilege, PID 2012 (svhost.exe)

Suspicious use of FindShellTrayWindow (1 IoC)
  Process: DllHost.exe (PID 2024)

Suspicious use of SetWindowsHookEx (1 IoC)
  Process: svhost.exe (PID 2012)

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1488 (48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe) wrote to memory of PID 948 (cmd.exe), 4 events
  PID 948 (cmd.exe) wrote to memory of PID 2040 (reg.exe), 4 events
  PID 1488 (48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe) wrote to memory of PID 2012 (svhost.exe), 9 events
Processes
- C:\Users\Admin\AppData\Local\Temp\48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BBBCfg\file.exe" /f
      Signatures: Modifies WinLogon for persistence
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\File.jpg
  Filesize: 17KB
  MD5: 4b8e15489fbb3de3d4e2710cc736388c
  SHA1: e4b54e411fae0dd7293a8f4f3f9a46509b14ef2f
  SHA256: 2d1d26bd528025cfe1e13b8ec3c2979222f47b499e8992f687bfd50360ba9f4a
  SHA512: 4e7222c2e8368793bbd40b136abb33f459b027d77c67f9c37a2dc9ade5914fdfe06a84b76c8fa588a25340f27bc6e823f534f382ea36ad739831b3da33c258c4
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 52KB
  MD5: 278edbd499374bf73621f8c1f969d894
  SHA1: a81170af14747781c5f5f51bb1215893136f0bc0
  SHA256: c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
  SHA512: 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9
- \Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 52KB
  MD5: 278edbd499374bf73621f8c1f969d894
  SHA1: a81170af14747781c5f5f51bb1215893136f0bc0
  SHA256: c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
  SHA512: 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9
Memory dumps
- memory/948-57-0x0000000000000000-mapping.dmp
- memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp (Filesize: 8KB)
- memory/1488-55-0x0000000074B80000-0x000000007512B000-memory.dmp (Filesize: 5.7MB)
- memory/1488-76-0x0000000074B80000-0x000000007512B000-memory.dmp (Filesize: 5.7MB)
- memory/2012-65-0x0000000000400000-0x000000000045E000-memory.dmp (Filesize: 376KB)
- memory/2012-66-0x0000000000400000-0x000000000045E000-memory.dmp (Filesize: 376KB)
- memory/2012-63-0x0000000000400000-0x000000000045E000-memory.dmp (Filesize: 376KB)
- memory/2012-67-0x0000000000445A2E-mapping.dmp
- memory/2012-70-0x0000000000400000-0x000000000045E000-memory.dmp (Filesize: 376KB)
- memory/2012-72-0x0000000000400000-0x000000000045E000-memory.dmp (Filesize: 376KB)
- memory/2012-61-0x0000000000400000-0x000000000045E000-memory.dmp (Filesize: 376KB)
- memory/2012-75-0x0000000074B80000-0x000000007512B000-memory.dmp (Filesize: 5.7MB)
- memory/2012-60-0x0000000000400000-0x000000000045E000-memory.dmp (Filesize: 376KB)
- memory/2012-78-0x0000000074B80000-0x000000007512B000-memory.dmp (Filesize: 5.7MB)
- memory/2040-58-0x0000000000000000-mapping.dmp