1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874

Analysis

max time kernel
192s
max time network
213s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe
Size

547KB
MD5

9aa95b27ff879d63f093759239086a50
SHA1

889325176e8c14cf31f0d940abcb0c027af5072b
SHA256

1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874
SHA512

4349e92b874316c8479d006452652e7e755f55116364bcc86f29719a4123f518736d7bb1df9c8a5f09ca9a5ec858974d0b4182710fc442209fc0cfa094e7db74
SSDEEP

12288:uQ3gf7q14BqI/jHzh1GRLYT1ZneaqiTALuNGSRWGN62PedWTEOr:5gTq1KqI/zz/GqZnE/uNGyltPeggOr

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 5 IoCs

Processes:

F3A4.tmpFFB6.tmpupdate.exeUpdate.exe

pid process

1000 F3A4.tmp
1008 FFB6.tmp
1552 update.exe
464
1660 Update.exe
Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\526932a.exe explorer.exe

pid	process
1000	F3A4.tmp
1008	FFB6.tmp
1552	update.exe
464
1660	Update.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\526932a.exe	explorer.exe

Loads dropped DLL 6 IoCs

Processes:

1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exeFFB6.tmp

pid	process
1064	1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe
1064	1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe
1064	1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe
1008	FFB6.tmp
1008	FFB6.tmp
464

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\526932 = "C:\\526932a\\526932a.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*26932 = "C:\\526932a\\526932a.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\526932a = "C:\\Users\\Admin\\AppData\\Roaming\\526932a.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*26932a = "C:\\Users\\Admin\\AppData\\Roaming\\526932a.exe"	explorer.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-addr.es
5 myexternalip.com
7 myexternalip.com
Drops file in Windows directory 2 IoCs

Processes:

update.exeUpdate.exe

description ioc process

File created C:\Windows\FrameworkUpdate\Update.exe update.exe
File created C:\Windows\FrameworkUpdate\Update.exe Update.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

524 vssadmin.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

F3A4.tmpexplorer.exe

pid process

1000 F3A4.tmp
2024 explorer.exe

flow	ioc
3	ip-addr.es
5	myexternalip.com
7	myexternalip.com

description	ioc	process
File created	C:\Windows\FrameworkUpdate\Update.exe	update.exe
File created	C:\Windows\FrameworkUpdate\Update.exe	Update.exe

pid	process
524	vssadmin.exe

pid	process
1000	F3A4.tmp
2024	explorer.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vssvc.exeFFB6.tmpupdate.exeUpdate.exe

description	pid	process
Token: SeBackupPrivilege	1348	vssvc.exe
Token: SeRestorePrivilege	1348	vssvc.exe
Token: SeAuditPrivilege	1348	vssvc.exe
Token: SeImpersonatePrivilege	1008	FFB6.tmp
Token: SeTcbPrivilege	1008	FFB6.tmp
Token: SeChangeNotifyPrivilege	1008	FFB6.tmp
Token: SeCreateTokenPrivilege	1008	FFB6.tmp
Token: SeBackupPrivilege	1008	FFB6.tmp
Token: SeIncreaseQuotaPrivilege	1008	FFB6.tmp
Token: SeAssignPrimaryTokenPrivilege	1008	FFB6.tmp
Token: SeImpersonatePrivilege	1552	update.exe
Token: SeTcbPrivilege	1552	update.exe
Token: SeChangeNotifyPrivilege	1552	update.exe
Token: SeCreateTokenPrivilege	1552	update.exe
Token: SeBackupPrivilege	1552	update.exe
Token: SeIncreaseQuotaPrivilege	1552	update.exe
Token: SeAssignPrimaryTokenPrivilege	1552	update.exe
Token: SeImpersonatePrivilege	1660	Update.exe
Token: SeTcbPrivilege	1660	Update.exe
Token: SeChangeNotifyPrivilege	1660	Update.exe
Token: SeCreateTokenPrivilege	1660	Update.exe
Token: SeBackupPrivilege	1660	Update.exe
Token: SeIncreaseQuotaPrivilege	1660	Update.exe
Token: SeAssignPrimaryTokenPrivilege	1660	Update.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exeF3A4.tmpexplorer.exeFFB6.tmp

description	pid	process	target process
PID 1064 wrote to memory of 1000	1064	1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe	F3A4.tmp
PID 1064 wrote to memory of 1000	1064	1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe	F3A4.tmp
PID 1064 wrote to memory of 1000	1064	1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe	F3A4.tmp
PID 1064 wrote to memory of 1000	1064	1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe	F3A4.tmp
PID 1000 wrote to memory of 2024	1000	F3A4.tmp	explorer.exe
PID 1000 wrote to memory of 2024	1000	F3A4.tmp	explorer.exe
PID 1000 wrote to memory of 2024	1000	F3A4.tmp	explorer.exe
PID 1000 wrote to memory of 2024	1000	F3A4.tmp	explorer.exe
PID 1064 wrote to memory of 1008	1064	1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe	FFB6.tmp
PID 1064 wrote to memory of 1008	1064	1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe	FFB6.tmp
PID 1064 wrote to memory of 1008	1064	1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe	FFB6.tmp
PID 1064 wrote to memory of 1008	1064	1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe	FFB6.tmp
PID 2024 wrote to memory of 768	2024	explorer.exe	svchost.exe
PID 2024 wrote to memory of 768	2024	explorer.exe	svchost.exe
PID 2024 wrote to memory of 768	2024	explorer.exe	svchost.exe
PID 2024 wrote to memory of 768	2024	explorer.exe	svchost.exe
PID 2024 wrote to memory of 524	2024	explorer.exe	vssadmin.exe
PID 2024 wrote to memory of 524	2024	explorer.exe	vssadmin.exe
PID 2024 wrote to memory of 524	2024	explorer.exe	vssadmin.exe
PID 2024 wrote to memory of 524	2024	explorer.exe	vssadmin.exe
PID 1008 wrote to memory of 1552	1008	FFB6.tmp	update.exe
PID 1008 wrote to memory of 1552	1008	FFB6.tmp	update.exe
PID 1008 wrote to memory of 1552	1008	FFB6.tmp	update.exe
PID 1008 wrote to memory of 1552	1008	FFB6.tmp	update.exe

C:\Users\Admin\AppData\Local\Temp\1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe
"C:\Users\Admin\AppData\Local\Temp\1a99acb43ad9cc114b7858ff1b08c228696279b3fc719e42981b233c5dab0874.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Temp\F3A4.tmp
C:\Users\Admin\AppData\Local\Temp\F3A4.tmp
2⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\syswow64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\syswow64\svchost.exe
-k netsvcs
4⤵
PID:768

C:\Windows\syswow64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:524

C:\Users\Admin\AppData\Local\Temp\FFB6.tmp
C:\Users\Admin\AppData\Local\Temp\FFB6.tmp
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\update.exe
C:\Users\Admin\AppData\Local\Temp\\update.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\FrameworkUpdate\Update.exe
C:\Windows\FrameworkUpdate\Update.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F3A4.tmp
Filesize
165KB

MD5
bb16150dac73a699d4cf80c2a57ccf49

SHA1
0412c35713fef33ffc7c674f2d3f26889372593e

SHA256
c6b59297a4fa5e4f6c7c59dc197b5097ecfbb615691dad8292229456f862b54b

SHA512
18ceb2214cfd7754222bcd0623deb6927256ebf1c2e3ce1098dcd337c0e4f4dc4738596e2cd661122f6eaf2c977a7fba7e67a5e57be1f0087aded15b8df29fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3A4.tmp
Filesize
165KB

MD5
bb16150dac73a699d4cf80c2a57ccf49

SHA1
0412c35713fef33ffc7c674f2d3f26889372593e

SHA256
c6b59297a4fa5e4f6c7c59dc197b5097ecfbb615691dad8292229456f862b54b

SHA512
18ceb2214cfd7754222bcd0623deb6927256ebf1c2e3ce1098dcd337c0e4f4dc4738596e2cd661122f6eaf2c977a7fba7e67a5e57be1f0087aded15b8df29fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFB6.tmp
Filesize
268KB

MD5
4e361203ebaa7247beea3ce8274cbf08

SHA1
8326e672261c012552251116eba6f9e98158a815

SHA256
a4e9511ab25e80b6a2ecdbad8f0f501ae3d62d2bc1fe4f71085ebdd995dcf217

SHA512
f8aeeb51938fc0b56ff7cac47676d12d6b36a24b681374c4dfb6656e4c03904c811ac8039d610229dd418fd38f2b0007066c0338bdc3b8d0beb6affba48ab517

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe
Filesize
93KB

MD5
54cf93f7976501f309ce569fcd2db677

SHA1
07690d9ada0bd3f4ee8c499a079f0177f4e462b9

SHA256
36ea10cf67e673133e71eccb8652630c563474c29f757c74d22ba117b72a3c09

SHA512
1800852018a939c909e868ab6797c5369e94a99adc0be0dfb3ab4d77676be014a30e7624ad2064bcc4344cb10003747c2ebf7f07b0e995d69e7b9c038c561109

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe
Filesize
93KB

MD5
54cf93f7976501f309ce569fcd2db677

SHA1
07690d9ada0bd3f4ee8c499a079f0177f4e462b9

SHA256
36ea10cf67e673133e71eccb8652630c563474c29f757c74d22ba117b72a3c09

SHA512
1800852018a939c909e868ab6797c5369e94a99adc0be0dfb3ab4d77676be014a30e7624ad2064bcc4344cb10003747c2ebf7f07b0e995d69e7b9c038c561109

Download Submit
C:\Windows\FrameworkUpdate\Update.exe
Filesize
93KB

MD5
54cf93f7976501f309ce569fcd2db677

SHA1
07690d9ada0bd3f4ee8c499a079f0177f4e462b9

SHA256
36ea10cf67e673133e71eccb8652630c563474c29f757c74d22ba117b72a3c09

SHA512
1800852018a939c909e868ab6797c5369e94a99adc0be0dfb3ab4d77676be014a30e7624ad2064bcc4344cb10003747c2ebf7f07b0e995d69e7b9c038c561109

Download Submit
C:\Windows\FrameworkUpdate\Update.exe
Filesize
93KB

MD5
54cf93f7976501f309ce569fcd2db677

SHA1
07690d9ada0bd3f4ee8c499a079f0177f4e462b9

SHA256
36ea10cf67e673133e71eccb8652630c563474c29f757c74d22ba117b72a3c09

SHA512
1800852018a939c909e868ab6797c5369e94a99adc0be0dfb3ab4d77676be014a30e7624ad2064bcc4344cb10003747c2ebf7f07b0e995d69e7b9c038c561109

Download Submit
\Users\Admin\AppData\Local\Temp\F3A4.tmp
Filesize
165KB

MD5
bb16150dac73a699d4cf80c2a57ccf49

SHA1
0412c35713fef33ffc7c674f2d3f26889372593e

SHA256
c6b59297a4fa5e4f6c7c59dc197b5097ecfbb615691dad8292229456f862b54b

SHA512
18ceb2214cfd7754222bcd0623deb6927256ebf1c2e3ce1098dcd337c0e4f4dc4738596e2cd661122f6eaf2c977a7fba7e67a5e57be1f0087aded15b8df29fa8

Download Submit
\Users\Admin\AppData\Local\Temp\FFB6.tmp
Filesize
268KB

MD5
4e361203ebaa7247beea3ce8274cbf08

SHA1
8326e672261c012552251116eba6f9e98158a815

SHA256
a4e9511ab25e80b6a2ecdbad8f0f501ae3d62d2bc1fe4f71085ebdd995dcf217

SHA512
f8aeeb51938fc0b56ff7cac47676d12d6b36a24b681374c4dfb6656e4c03904c811ac8039d610229dd418fd38f2b0007066c0338bdc3b8d0beb6affba48ab517

Download Submit
\Users\Admin\AppData\Local\Temp\FFB6.tmp
Filesize
268KB

MD5
4e361203ebaa7247beea3ce8274cbf08

SHA1
8326e672261c012552251116eba6f9e98158a815

SHA256
a4e9511ab25e80b6a2ecdbad8f0f501ae3d62d2bc1fe4f71085ebdd995dcf217

SHA512
f8aeeb51938fc0b56ff7cac47676d12d6b36a24b681374c4dfb6656e4c03904c811ac8039d610229dd418fd38f2b0007066c0338bdc3b8d0beb6affba48ab517

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe
Filesize
93KB

MD5
54cf93f7976501f309ce569fcd2db677

SHA1
07690d9ada0bd3f4ee8c499a079f0177f4e462b9

SHA256
36ea10cf67e673133e71eccb8652630c563474c29f757c74d22ba117b72a3c09

SHA512
1800852018a939c909e868ab6797c5369e94a99adc0be0dfb3ab4d77676be014a30e7624ad2064bcc4344cb10003747c2ebf7f07b0e995d69e7b9c038c561109

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe
Filesize
93KB

MD5
54cf93f7976501f309ce569fcd2db677

SHA1
07690d9ada0bd3f4ee8c499a079f0177f4e462b9

SHA256
36ea10cf67e673133e71eccb8652630c563474c29f757c74d22ba117b72a3c09

SHA512
1800852018a939c909e868ab6797c5369e94a99adc0be0dfb3ab4d77676be014a30e7624ad2064bcc4344cb10003747c2ebf7f07b0e995d69e7b9c038c561109

Download Submit
\Windows\FrameworkUpdate\Update.exe
Filesize
93KB

MD5
54cf93f7976501f309ce569fcd2db677

SHA1
07690d9ada0bd3f4ee8c499a079f0177f4e462b9

SHA256
36ea10cf67e673133e71eccb8652630c563474c29f757c74d22ba117b72a3c09

SHA512
1800852018a939c909e868ab6797c5369e94a99adc0be0dfb3ab4d77676be014a30e7624ad2064bcc4344cb10003747c2ebf7f07b0e995d69e7b9c038c561109

Download Submit
\Windows\FrameworkUpdate\Update.exe
Filesize
93KB

MD5
54cf93f7976501f309ce569fcd2db677

SHA1
07690d9ada0bd3f4ee8c499a079f0177f4e462b9

SHA256
36ea10cf67e673133e71eccb8652630c563474c29f757c74d22ba117b72a3c09

SHA512
1800852018a939c909e868ab6797c5369e94a99adc0be0dfb3ab4d77676be014a30e7624ad2064bcc4344cb10003747c2ebf7f07b0e995d69e7b9c038c561109

Download Submit
memory/524-74-0x0000000000000000-mapping.dmp

Download
memory/768-79-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/768-73-0x0000000000000000-mapping.dmp

Download
memory/768-76-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/1000-62-0x0000000000240000-0x0000000000256000-memory.dmp

Filesize
88KB

Download
memory/1000-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1000-58-0x0000000000000000-mapping.dmp

Download
memory/1008-70-0x0000000000000000-mapping.dmp

Download
memory/1008-78-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1008-84-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1064-72-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1064-56-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1064-55-0x0000000001C90000-0x0000000001D06000-memory.dmp

Filesize
472KB

Download
memory/1064-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1552-85-0x0000000140000000-0x0000000140048000-memory.dmp

Filesize
288KB

Download
memory/1552-82-0x0000000000000000-mapping.dmp

Download
memory/1552-90-0x0000000140000000-0x0000000140048000-memory.dmp

Filesize
288KB

Download
memory/1552-93-0x0000000140000000-0x0000000140048000-memory.dmp

Filesize
288KB

Download
memory/1660-91-0x0000000140000000-0x0000000140048000-memory.dmp

Filesize
288KB

Download
memory/1660-94-0x0000000140000000-0x0000000140048000-memory.dmp

Filesize
288KB

Download
memory/2024-66-0x00000000000E0000-0x0000000000104000-memory.dmp

Filesize
144KB

Download
memory/2024-65-0x0000000074A61000-0x0000000074A63000-memory.dmp

Filesize
8KB

Download
memory/2024-61-0x0000000000000000-mapping.dmp

Download