0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634

Analysis

max time kernel
196s
max time network
238s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
Size

343KB
MD5

d13f8cb8e80592f9104c550c342321c8
SHA1

b4201bbb276ec99b60f6e025029132160651e089
SHA256

0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634
SHA512

366682dec6cf3da52bcb5435b7308ff3781679806994171470e2157d7edb93655818235373547ffa65f04a59499b633a7925f8e5b7c59e9fb0321c68c67cd548
SSDEEP

6144:EEDZkqQUrXAs4NCbomYfmwcyDFKbm8now9cdemJ56c0X4i:EEtk5UrXAsKmw7Kbm8WrJnAp

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\file.exe"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
992	svhost.exe

Loads dropped DLL 3 IoCs

pid	Process
2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
992	svhost.exe
992	svhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 992	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
788	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
Token: 33	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
Token: SeIncBasePriorityPrivilege	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1248	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	28
PID 2012 wrote to memory of 1248	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	28
PID 2012 wrote to memory of 1248	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	28
PID 2012 wrote to memory of 1248	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	28
PID 2012 wrote to memory of 1248	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	28
PID 2012 wrote to memory of 1248	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	28
PID 2012 wrote to memory of 1248	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	28
PID 2012 wrote to memory of 992	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	31
PID 2012 wrote to memory of 992	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	31
PID 2012 wrote to memory of 992	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	31
PID 2012 wrote to memory of 992	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	31
PID 2012 wrote to memory of 992	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	31
PID 2012 wrote to memory of 992	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	31
PID 2012 wrote to memory of 992	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	31
PID 2012 wrote to memory of 992	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	31
PID 2012 wrote to memory of 992	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	31
PID 2012 wrote to memory of 992	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	31
PID 2012 wrote to memory of 992	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	31
PID 2012 wrote to memory of 992	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	31
PID 1248 wrote to memory of 1020	1248	cmd.exe	30
PID 1248 wrote to memory of 1020	1248	cmd.exe	30
PID 1248 wrote to memory of 1020	1248	cmd.exe	30
PID 1248 wrote to memory of 1020	1248	cmd.exe	30
PID 1248 wrote to memory of 1020	1248	cmd.exe	30
PID 1248 wrote to memory of 1020	1248	cmd.exe	30
PID 1248 wrote to memory of 1020	1248	cmd.exe	30
PID 1020 wrote to memory of 1632	1020	wscript.exe	32
PID 1020 wrote to memory of 1632	1020	wscript.exe	32
PID 1020 wrote to memory of 1632	1020	wscript.exe	32
PID 1020 wrote to memory of 1632	1020	wscript.exe	32
PID 1020 wrote to memory of 1632	1020	wscript.exe	32
PID 1020 wrote to memory of 1632	1020	wscript.exe	32
PID 1020 wrote to memory of 1632	1020	wscript.exe	32
PID 1632 wrote to memory of 1964	1632	cmd.exe	34
PID 1632 wrote to memory of 1964	1632	cmd.exe	34
PID 1632 wrote to memory of 1964	1632	cmd.exe	34
PID 1632 wrote to memory of 1964	1632	cmd.exe	34
PID 1632 wrote to memory of 1964	1632	cmd.exe	34
PID 1632 wrote to memory of 1964	1632	cmd.exe	34
PID 1632 wrote to memory of 1964	1632	cmd.exe	34
PID 2012 wrote to memory of 764	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	35
PID 2012 wrote to memory of 764	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	35
PID 2012 wrote to memory of 764	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	35
PID 2012 wrote to memory of 764	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	35
PID 2012 wrote to memory of 764	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	35
PID 2012 wrote to memory of 764	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	35
PID 2012 wrote to memory of 764	2012	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	35
PID 764 wrote to memory of 788	764	cmd.exe	37
PID 764 wrote to memory of 788	764	cmd.exe	37
PID 764 wrote to memory of 788	764	cmd.exe	37
PID 764 wrote to memory of 788	764	cmd.exe	37
PID 764 wrote to memory of 788	764	cmd.exe	37
PID 764 wrote to memory of 788	764	cmd.exe	37
PID 764 wrote to memory of 788	764	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
"C:\Users\Admin\AppData\Local\Temp\0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\file.exe" /f
        5⤵
        Modifies WinLogon for persistence
        
        PID:1964
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\svhost.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6540
    3⤵
    - Delays execution with timeout.exe
    PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FolderName\file.exe

Filesize
343KB

MD5
d13f8cb8e80592f9104c550c342321c8

SHA1
b4201bbb276ec99b60f6e025029132160651e089

SHA256
0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634

SHA512
366682dec6cf3da52bcb5435b7308ff3781679806994171470e2157d7edb93655818235373547ffa65f04a59499b633a7925f8e5b7c59e9fb0321c68c67cd548

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
270B

MD5
aed4ec7f14d1d34ef757e47fae5d0e0a

SHA1
8c3c9051cc5b8e85e6344f0177dc14ab9954605e

SHA256
ca7685a434f689c23d1d6bcc6eb6ae89d05a3b47e29d6a87ddbaf5d7714967b7

SHA512
f6b34a5266fa6e1e4500909830d4219fa18a17a1ecea142919e0ca109fb64e14a76c7b11eaf90b799ec22695209c176da4d589111f16ec374ba654c924547859

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\svhost.bat

Filesize
207B

MD5
dcbd65f06382095d68dc4891594ee26a

SHA1
af96a24f299862f96699525d524049ac383fb020

SHA256
a6d44f5466500ceb352789249d1d48748b8dc1897c102270e22ca54cfe9d1a99

SHA512
38bf7ffe032c7152c54796e26c2a02ccbbae935d20d8c1b712213f736f09fd18d2079d187bdae60cb1c4c9d049a2eec70a16150414e75758835c918e76066b28

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Roaming\svhost.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Roaming\svhost.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Roaming\svhost.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/992-74-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/992-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/992-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/992-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/992-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/992-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/992-83-0x0000000000401000-0x0000000000410000-memory.dmp

Filesize
60KB

Download
memory/2012-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/2012-56-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-55-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-92-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download