Analysis
- max time kernel: 41s
- max time network: 68s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26/11/2022, 23:55

Static task: static1
Behavioral task: behavioral1
Sample: img_0928211.exe
Resource: win7-20220812-en

General
- Target: img_0928211.exe
- Size: 921KB
- MD5: 5672794169f1beab73201234b407f8f9
- SHA1: 19b9763d26c8466d6092ecc41318710f549f5886
- SHA256: fe5439378961e964d35e1e079c5675111def39ec03f5e87db38132313a618a2f
- SHA512: 5dd83345e9f2aec11587bcc1a04bd8fecb86206d2f990bf9a754768a207ad011a90a299192bc94c2e38b204d08f484ac6d607c3700b28ad6c12c18d07b7e7c44
- SSDEEP: 24576:O20gPgFK8vO9SlDGNON2Y2Dd0PiHXBhqB:3KOQlDUXDCPi3BhqB
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: gfcbk.exe
- Executes dropped EXE (1 IoC)
  pid: 944, process: gfcbk.exe
- Loads dropped DLL (4 IoCs)
  pid: 1960, process: img_0928211.exe (4 times)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  process: gfcbk.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\99o623u41dw = "C:\\Users\\Admin\\99o623u41dw\\slimnvmimjjkbr.vbs"
  process: gfcbk.exe
- Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: gfcbk.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 944 set thread context of 1348
  pid: 944, process: gfcbk.exe, procid_target: 29
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid: 944, process: gfcbk.exe (24 times)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description: Token: SeDebugPrivilege, pid: 944, process: gfcbk.exe (6 times)
- Suspicious use of WriteProcessMemory (22 IoCs)
  description: PID 1960 wrote to memory of 944, pid: 1960, process: img_0928211.exe, procid_target: 28 (7 times)
  description: PID 944 wrote to memory of 1348, pid: 944, process: gfcbk.exe, procid_target: 29 (8 times)
  description: PID 944 wrote to memory of 880, pid: 944, process: gfcbk.exe, procid_target: 30 (7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\img_0928211.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\img_0928211.exe"
  PID: 1960
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\99o623u41dw\gfcbk.exe
    command line: "C:\Users\Admin\99o623u41dw\gfcbk.exe" arjegv
    PID: 944
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      PID: 1348
    - C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\99O623~1\run.vbs"
      PID: 880
    - C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\99O623~1\run.vbs"
      PID: 812
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 204KB
  MD5: 5af78a7ae95dc6dbf695b7c467d8b5cf
  SHA1: 10f23008204410a796b973d9650640d8b741fee2
  SHA256: 09eaa6dc4de1fac152662f4a2b50e724a7835b3c7883c3cd41fb67ee1e1fe04d
  SHA512: 39b7d5931a7c2a0d8176fdaa5b4af4a8d1a4d5baac0865fac40d984b890e9ee9748c64361e50d2c4ce4fdc8a7f3503ca0ad9c311faba09e9e40a843dc35431ce
- Filesize: 200B
  MD5: e7ed5b3ce727a6a3b2880c5425635a53
  SHA1: 9d7cc91df067969232fdd914eab9c72cb2f8227e
  SHA256: ec00d718336b97497192c9b919e1a3704db4e2bfdef7ddcf69abddf46269fdbc
  SHA512: d6a8d1b93a17bb11efbfcf996cae9568cd8d4dda7f91d137875bec67b164c4b36a2f6a744cfafc8f194825133b0feaac1b49b457c928becc8ea732bd6a0b9bab
- Filesize: 280.5MB
  MD5: e8a49826e98e50df869a51cd31781079
  SHA1: 451437b6d6cc7cb287e114e7beca6ce74fb39d57
  SHA256: fc22c9533e7109817e21d9a4e6cf1dd800ec8f531914757ffc79f1d7d6886263
  SHA512: 80e3c9b86b35a7ed815d6f16f5869f1d172a2f38b3528ece2ca208df3406aca245517771d408aafeae8fba97a328aadf95a675e305b330f0614cfce6f441c4a1
- Filesize: 807KB (this entry appears five times in the report, with identical hashes)
  MD5: 205e802415422fa581afd6973e61d0e4
  SHA1: aa9abf929198f24af7e57f1864a6d370649e2af2
  SHA256: 3c529e81cd390f8d0163131e8a2b2b32fcc8feb465cbdd1680e54be05691ab8c
  SHA512: 8273b63c1d879d73c3f92e4c5bab1469744f2db56f095e826fcdc392d62815e4e4247e46fcab8d90cea59444fd5c61120b674ef74b851b3282507d48113feb59