22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249

Analysis

max time kernel
169s
max time network
240s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe
Size

569KB
MD5

6e13ce8eed45e35d8fdaccd83fec9df0
SHA1

e5a907db2f97081efda62aeb91633c8bf062653f
SHA256

22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249
SHA512

787ec3a2984a6f43c80d98e22dbc20daaf65f53115949fa1426e2a6434cfe7fdaa6d39219a490153a9e85b905514b7416409bd79f8a60ef21f87f7024d488efd
SSDEEP

12288:Venw5KP26ei5Mw5cccjQEQ6JeyaJZIfbint7n:Vew5KP2635tIQ2JJ8Ket7

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 5 IoCs

Processes:

5997.tmp6589.tmpupdate.exeUpdate.exe

pid process

1840 5997.tmp
2032 6589.tmp
1520 update.exe
460
1832 Update.exe
Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\526932a.exe explorer.exe

pid	process
1840	5997.tmp
2032	6589.tmp
1520	update.exe
460
1832	Update.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\526932a.exe	explorer.exe

Loads dropped DLL 6 IoCs

Processes:

22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe6589.tmp

pid	process
1348	22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe
1348	22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe
1348	22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe
2032	6589.tmp
2032	6589.tmp
460

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\526932 = "C:\\526932a\\526932a.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*26932 = "C:\\526932a\\526932a.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\526932a = "C:\\Users\\Admin\\AppData\\Roaming\\526932a.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*26932a = "C:\\Users\\Admin\\AppData\\Roaming\\526932a.exe"	explorer.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 myexternalip.com
8 myexternalip.com
4 ip-addr.es

flow	ioc
6	myexternalip.com
8	myexternalip.com
4	ip-addr.es

Drops file in System32 directory 1 IoCs

Processes:

Update.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Update.exe

Drops file in Windows directory 2 IoCs

Processes:

update.exeUpdate.exe

description ioc process

File created C:\Windows\FrameworkUpdate\Update.exe update.exe
File created C:\Windows\FrameworkUpdate\Update.exe Update.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1756 vssadmin.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

Update.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Update.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Update.exe

pid process

1832 Update.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

5997.tmpexplorer.exe

pid process

1840 5997.tmp
1128 explorer.exe

description	ioc	process
File created	C:\Windows\FrameworkUpdate\Update.exe	update.exe
File created	C:\Windows\FrameworkUpdate\Update.exe	Update.exe

pid	process
1756	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Update.exe

pid	process
1832	Update.exe

pid	process
1840	5997.tmp
1128	explorer.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vssvc.exe6589.tmpupdate.exeUpdate.exe

description	pid	process
Token: SeBackupPrivilege	1624	vssvc.exe
Token: SeRestorePrivilege	1624	vssvc.exe
Token: SeAuditPrivilege	1624	vssvc.exe
Token: SeImpersonatePrivilege	2032	6589.tmp
Token: SeTcbPrivilege	2032	6589.tmp
Token: SeChangeNotifyPrivilege	2032	6589.tmp
Token: SeCreateTokenPrivilege	2032	6589.tmp
Token: SeBackupPrivilege	2032	6589.tmp
Token: SeIncreaseQuotaPrivilege	2032	6589.tmp
Token: SeAssignPrimaryTokenPrivilege	2032	6589.tmp
Token: SeImpersonatePrivilege	1520	update.exe
Token: SeTcbPrivilege	1520	update.exe
Token: SeChangeNotifyPrivilege	1520	update.exe
Token: SeCreateTokenPrivilege	1520	update.exe
Token: SeBackupPrivilege	1520	update.exe
Token: SeIncreaseQuotaPrivilege	1520	update.exe
Token: SeAssignPrimaryTokenPrivilege	1520	update.exe
Token: SeImpersonatePrivilege	1832	Update.exe
Token: SeTcbPrivilege	1832	Update.exe
Token: SeChangeNotifyPrivilege	1832	Update.exe
Token: SeCreateTokenPrivilege	1832	Update.exe
Token: SeBackupPrivilege	1832	Update.exe
Token: SeIncreaseQuotaPrivilege	1832	Update.exe
Token: SeAssignPrimaryTokenPrivilege	1832	Update.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe5997.tmpexplorer.exe6589.tmp

description	pid	process	target process
PID 1348 wrote to memory of 1840	1348	22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe	5997.tmp
PID 1348 wrote to memory of 1840	1348	22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe	5997.tmp
PID 1348 wrote to memory of 1840	1348	22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe	5997.tmp
PID 1348 wrote to memory of 1840	1348	22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe	5997.tmp
PID 1840 wrote to memory of 1128	1840	5997.tmp	explorer.exe
PID 1840 wrote to memory of 1128	1840	5997.tmp	explorer.exe
PID 1840 wrote to memory of 1128	1840	5997.tmp	explorer.exe
PID 1840 wrote to memory of 1128	1840	5997.tmp	explorer.exe
PID 1348 wrote to memory of 2032	1348	22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe	6589.tmp
PID 1348 wrote to memory of 2032	1348	22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe	6589.tmp
PID 1348 wrote to memory of 2032	1348	22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe	6589.tmp
PID 1348 wrote to memory of 2032	1348	22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe	6589.tmp
PID 1128 wrote to memory of 972	1128	explorer.exe	svchost.exe
PID 1128 wrote to memory of 972	1128	explorer.exe	svchost.exe
PID 1128 wrote to memory of 972	1128	explorer.exe	svchost.exe
PID 1128 wrote to memory of 972	1128	explorer.exe	svchost.exe
PID 1128 wrote to memory of 1756	1128	explorer.exe	vssadmin.exe
PID 1128 wrote to memory of 1756	1128	explorer.exe	vssadmin.exe
PID 1128 wrote to memory of 1756	1128	explorer.exe	vssadmin.exe
PID 1128 wrote to memory of 1756	1128	explorer.exe	vssadmin.exe
PID 2032 wrote to memory of 1520	2032	6589.tmp	update.exe
PID 2032 wrote to memory of 1520	2032	6589.tmp	update.exe
PID 2032 wrote to memory of 1520	2032	6589.tmp	update.exe
PID 2032 wrote to memory of 1520	2032	6589.tmp	update.exe

C:\Users\Admin\AppData\Local\Temp\22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe
"C:\Users\Admin\AppData\Local\Temp\22f9cb5081ec252ba8a80d21c0c07a5c21487279e63cc175d59b921be273d249.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\5997.tmp
  C:\Users\Admin\AppData\Local\Temp\5997.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\syswow64\svchost.exe
      -k netsvcs
      4⤵
      PID:972
  - - C:\Windows\syswow64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1756
- C:\Users\Admin\AppData\Local\Temp\6589.tmp
  C:\Users\Admin\AppData\Local\Temp\6589.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\update.exe
    C:\Users\Admin\AppData\Local\Temp\\update.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\FrameworkUpdate\Update.exe
C:\Windows\FrameworkUpdate\Update.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5997.tmp

Filesize
183KB

MD5
177aca4604a85fef33b31719795470cd

SHA1
a45d21fd68286799356dc6f20300b72ba36782cc

SHA256
e629c6e193c7e2d2ea2fa7bcafa7fb3b27029bbbc1839f5222139fa53bccd97d

SHA512
21d935a87d26739b92f16a271d47cc3e2a71d8e541f2969a24126d8954589d583d9d2f12138404af6e797c12b2514a1fd1c956460ac2d7d922cb18275e8425ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\5997.tmp

Filesize
183KB

MD5
177aca4604a85fef33b31719795470cd

SHA1
a45d21fd68286799356dc6f20300b72ba36782cc

SHA256
e629c6e193c7e2d2ea2fa7bcafa7fb3b27029bbbc1839f5222139fa53bccd97d

SHA512
21d935a87d26739b92f16a271d47cc3e2a71d8e541f2969a24126d8954589d583d9d2f12138404af6e797c12b2514a1fd1c956460ac2d7d922cb18275e8425ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\6589.tmp

Filesize
264KB

MD5
942300f6ae2911e62e20f5ad6be00563

SHA1
3f5d6dc8b4a7bf72053a50bff8fe9b1d8b8683a7

SHA256
b3a635510d1548d04e1fc344268995e0c7a7a702d9f77551df4d92c618a133fa

SHA512
674968111f96f68051ad294e627089156b93a477a7b90a5e761b631fb75bb8016a34ae57e5cad50212303043c70307d374c7ed5cda0279c387aae04a111e5ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
87KB

MD5
2edfb828c3bc9e0e83057b37f8e616ba

SHA1
5fb134507170db78342496d2406d8aa8ac585ba8

SHA256
fefbe74e2e835b2ebc13eb643bb96fcd596ab1cd8bf001a11f595cb00ff35e58

SHA512
57bcee80ad147abdf64a6fc2ed4c556005afd9385594e961c9b465a4d58bd47e989c719d48a7d5d55d572e9647cc5b8c75b9dd7d02d87b4ea520ae9f9fcca5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
87KB

MD5
2edfb828c3bc9e0e83057b37f8e616ba

SHA1
5fb134507170db78342496d2406d8aa8ac585ba8

SHA256
fefbe74e2e835b2ebc13eb643bb96fcd596ab1cd8bf001a11f595cb00ff35e58

SHA512
57bcee80ad147abdf64a6fc2ed4c556005afd9385594e961c9b465a4d58bd47e989c719d48a7d5d55d572e9647cc5b8c75b9dd7d02d87b4ea520ae9f9fcca5d7

Download Submit
C:\Windows\FrameworkUpdate\Update.exe

Filesize
87KB

MD5
2edfb828c3bc9e0e83057b37f8e616ba

SHA1
5fb134507170db78342496d2406d8aa8ac585ba8

SHA256
fefbe74e2e835b2ebc13eb643bb96fcd596ab1cd8bf001a11f595cb00ff35e58

SHA512
57bcee80ad147abdf64a6fc2ed4c556005afd9385594e961c9b465a4d58bd47e989c719d48a7d5d55d572e9647cc5b8c75b9dd7d02d87b4ea520ae9f9fcca5d7

Download Submit
C:\Windows\FrameworkUpdate\Update.exe

Filesize
87KB

MD5
2edfb828c3bc9e0e83057b37f8e616ba

SHA1
5fb134507170db78342496d2406d8aa8ac585ba8

SHA256
fefbe74e2e835b2ebc13eb643bb96fcd596ab1cd8bf001a11f595cb00ff35e58

SHA512
57bcee80ad147abdf64a6fc2ed4c556005afd9385594e961c9b465a4d58bd47e989c719d48a7d5d55d572e9647cc5b8c75b9dd7d02d87b4ea520ae9f9fcca5d7

Download Submit
\Users\Admin\AppData\Local\Temp\5997.tmp

Filesize
183KB

MD5
177aca4604a85fef33b31719795470cd

SHA1
a45d21fd68286799356dc6f20300b72ba36782cc

SHA256
e629c6e193c7e2d2ea2fa7bcafa7fb3b27029bbbc1839f5222139fa53bccd97d

SHA512
21d935a87d26739b92f16a271d47cc3e2a71d8e541f2969a24126d8954589d583d9d2f12138404af6e797c12b2514a1fd1c956460ac2d7d922cb18275e8425ae

Download Submit
\Users\Admin\AppData\Local\Temp\6589.tmp

Filesize
264KB

MD5
942300f6ae2911e62e20f5ad6be00563

SHA1
3f5d6dc8b4a7bf72053a50bff8fe9b1d8b8683a7

SHA256
b3a635510d1548d04e1fc344268995e0c7a7a702d9f77551df4d92c618a133fa

SHA512
674968111f96f68051ad294e627089156b93a477a7b90a5e761b631fb75bb8016a34ae57e5cad50212303043c70307d374c7ed5cda0279c387aae04a111e5ffd

Download Submit
\Users\Admin\AppData\Local\Temp\6589.tmp

Filesize
264KB

MD5
942300f6ae2911e62e20f5ad6be00563

SHA1
3f5d6dc8b4a7bf72053a50bff8fe9b1d8b8683a7

SHA256
b3a635510d1548d04e1fc344268995e0c7a7a702d9f77551df4d92c618a133fa

SHA512
674968111f96f68051ad294e627089156b93a477a7b90a5e761b631fb75bb8016a34ae57e5cad50212303043c70307d374c7ed5cda0279c387aae04a111e5ffd

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
87KB

MD5
2edfb828c3bc9e0e83057b37f8e616ba

SHA1
5fb134507170db78342496d2406d8aa8ac585ba8

SHA256
fefbe74e2e835b2ebc13eb643bb96fcd596ab1cd8bf001a11f595cb00ff35e58

SHA512
57bcee80ad147abdf64a6fc2ed4c556005afd9385594e961c9b465a4d58bd47e989c719d48a7d5d55d572e9647cc5b8c75b9dd7d02d87b4ea520ae9f9fcca5d7

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
87KB

MD5
2edfb828c3bc9e0e83057b37f8e616ba

SHA1
5fb134507170db78342496d2406d8aa8ac585ba8

SHA256
fefbe74e2e835b2ebc13eb643bb96fcd596ab1cd8bf001a11f595cb00ff35e58

SHA512
57bcee80ad147abdf64a6fc2ed4c556005afd9385594e961c9b465a4d58bd47e989c719d48a7d5d55d572e9647cc5b8c75b9dd7d02d87b4ea520ae9f9fcca5d7

Download Submit
\Windows\FrameworkUpdate\Update.exe

Filesize
87KB

MD5
2edfb828c3bc9e0e83057b37f8e616ba

SHA1
5fb134507170db78342496d2406d8aa8ac585ba8

SHA256
fefbe74e2e835b2ebc13eb643bb96fcd596ab1cd8bf001a11f595cb00ff35e58

SHA512
57bcee80ad147abdf64a6fc2ed4c556005afd9385594e961c9b465a4d58bd47e989c719d48a7d5d55d572e9647cc5b8c75b9dd7d02d87b4ea520ae9f9fcca5d7

Download Submit
\Windows\FrameworkUpdate\Update.exe

Filesize
87KB

MD5
2edfb828c3bc9e0e83057b37f8e616ba

SHA1
5fb134507170db78342496d2406d8aa8ac585ba8

SHA256
fefbe74e2e835b2ebc13eb643bb96fcd596ab1cd8bf001a11f595cb00ff35e58

SHA512
57bcee80ad147abdf64a6fc2ed4c556005afd9385594e961c9b465a4d58bd47e989c719d48a7d5d55d572e9647cc5b8c75b9dd7d02d87b4ea520ae9f9fcca5d7

Download Submit
memory/972-73-0x0000000000000000-mapping.dmp

Download
memory/972-76-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/1128-65-0x0000000074671000-0x0000000074673000-memory.dmp

Filesize
8KB

Download
memory/1128-67-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/1128-61-0x0000000000000000-mapping.dmp

Download
memory/1348-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1348-55-0x0000000002C70000-0x0000000002CE6000-memory.dmp

Filesize
472KB

Download
memory/1348-77-0x0000000000400000-0x000000000140E000-memory.dmp

Filesize
16.1MB

Download
memory/1348-56-0x0000000000400000-0x000000000140E000-memory.dmp

Filesize
16.1MB

Download
memory/1520-85-0x0000000140000000-0x0000000140047000-memory.dmp

Filesize
284KB

Download
memory/1520-81-0x0000000000000000-mapping.dmp

Download
memory/1520-94-0x0000000140000000-0x0000000140047000-memory.dmp

Filesize
284KB

Download
memory/1520-84-0x0000000140000000-0x0000000140047000-memory.dmp

Filesize
284KB

Download
memory/1520-91-0x0000000140000000-0x0000000140047000-memory.dmp

Filesize
284KB

Download
memory/1756-74-0x0000000000000000-mapping.dmp

Download
memory/1832-90-0x0000000140000000-0x0000000140047000-memory.dmp

Filesize
284KB

Download
memory/1832-92-0x0000000140000000-0x0000000140047000-memory.dmp

Filesize
284KB

Download
memory/1832-95-0x0000000140000000-0x0000000140047000-memory.dmp

Filesize
284KB

Download
memory/1840-62-0x0000000000240000-0x0000000000256000-memory.dmp

Filesize
88KB

Download
memory/1840-58-0x0000000000000000-mapping.dmp

Download
memory/1840-64-0x0000000000400000-0x000000000138B000-memory.dmp

Filesize
15.5MB

Download
memory/2032-78-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2032-70-0x0000000000000000-mapping.dmp

Download
memory/2032-83-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download