Overview
Static (10)
8 ©ɱ...08.exe windows7-x64
1 ©ɱ...08.exe windows10-2004-x64
1 ©ɱ...17.exe windows7-x64
5 ©ɱ...17.exe windows10-2004-x64
3 ©ɱ...20.exe windows7-x64
3 ©ɱ...20.exe windows10-2004-x64
1 ©ɱ...22.exe windows7-x64
6 ©ɱ...22.exe windows10-2004-x64
6 ©ɱ...40.exe windows7-x64
5 ©ɱ...40.exe windows10-2004-x64
5 ©ɱ...46.exe windows7-x64
3 ©ɱ...46.exe windows10-2004-x64
4 ©ɱ...53.exe windows7-x64
6 ©ɱ...53.exe windows10-2004-x64
6 ©ɱ...58.exe windows7-x64
1 ©ɱ...58.exe windows10-2004-x64
1 ©ɱ...77.exe windows7-x64
3 ©ɱ...77.exe windows10-2004-x64
3 ©ɱ...80.exe windows7-x64
10 ©ɱ...80.exe windows10-2004-x64
10 ©ɱ...83.exe windows7-x64
8 ©ɱ...83.exe windows10-2004-x64
8 ©ɱ...89.exe windows7-x64
10 ©ɱ...89.exe windows10-2004-x64
6 ©ɱ...93.exe windows7-x64
1 ©ɱ...93.exe windows10-2004-x64
1 ©ɱ...95.exe windows7-x64
3 ©ɱ...95.exe windows10-2004-x64
4 ©ɱ...98.exe windows7-x64
10 ©ɱ...98.exe windows10-2004-x64
Analysis (6)
max time kernel: 152s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 09:08
Behavioral tasks (task: Sample, Resource)
behavioral1: ©ɱ/008.exe, win7-20221111-en
behavioral2: ©ɱ/008.exe, win10v2004-20221111-en
behavioral3: ©ɱ/017.exe, win7-20221111-en
behavioral4: ©ɱ/017.exe, win10v2004-20221111-en
behavioral5: ©ɱ/020.exe, win7-20221111-en
behavioral6: ©ɱ/020.exe, win10v2004-20220901-en
behavioral7: ©ɱ/022.exe, win7-20220812-en
behavioral8: ©ɱ/022.exe, win10v2004-20221111-en
behavioral9: ©ɱ/040.exe, win7-20221111-en
behavioral10: ©ɱ/040.exe, win10v2004-20221111-en
behavioral11: ©ɱ/046.exe, win7-20221111-en
behavioral12: ©ɱ/046.exe, win10v2004-20220901-en
behavioral13: ©ɱ/053.exe, win7-20221111-en
behavioral14: ©ɱ/053.exe, win10v2004-20221111-en
behavioral15: ©ɱ/058.exe, win7-20220901-en
behavioral16: ©ɱ/058.exe, win10v2004-20221111-en
behavioral17: ©ɱ/077.exe, win7-20220812-en
behavioral18: ©ɱ/077.exe, win10v2004-20220812-en
behavioral19: ©ɱ/080.exe, win7-20220812-en
behavioral20: ©ɱ/080.exe, win10v2004-20220812-en
behavioral21: ©ɱ/083.exe, win7-20220901-en
behavioral22: ©ɱ/083.exe, win10v2004-20220812-en
behavioral23: ©ɱ/089.exe, win7-20220812-en
behavioral24: ©ɱ/089.exe, win10v2004-20221111-en
behavioral25: ©ɱ/093.exe, win7-20220812-en
behavioral26: ©ɱ/093.exe, win10v2004-20220812-en
behavioral27: ©ɱ/095.exe, win7-20221111-en
behavioral28: ©ɱ/095.exe, win10v2004-20220901-en
behavioral29: ©ɱ/098.exe, win7-20220901-en
behavioral30: ©ɱ/098.exe, win10v2004-20221111-en
General
Target: ©ɱ/080.exe
Size: 665KB
MD5: 35b4961fe8a00f6c51df70beab8cf460
SHA1: b8e5f78380f066b4a1987f05afaef6a08f7e8990
SHA256: 8cdccffd533f4d54596a5a686f48322d2f9a995acb2b9bfcc175c62915b1c948
SHA512: f2f75cea9ece39671e4ad266198bbbf0c27ea407e4e3fa5c2325003ea8baaf7a7cb5d239fbe14ec25d2354e06cde6f0d29bb2aa8ee7c2661816fea1bee3a7776
SSDEEP: 12288:fhkDgouVA2nxKkozvdRgQriDwOIQmxiZnYQE7PJcD4anJVC:lRmJk8oQricOIvxiZY15anTC
Malware Config
Signatures
UAC bypass (heading missing from the extracted report; signature name as listed for this process in the process tree below)
Process 080.exe (description / ioc):
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops file in Drivers directory 1 IoCs
Process 080.exe (description / ioc):
  File opened for modification C:\Windows\System32\drivers\etc\protocol
YARA rule matches (resource / yara_rule):
  behavioral20/memory/512-135-0x0000000000400000-0x0000000000487000-memory.dmp  upx
  behavioral20/memory/512-136-0x0000000000400000-0x0000000000487000-memory.dmp  upx
  behavioral20/memory/512-137-0x0000000000400000-0x0000000000487000-memory.dmp  upx
  behavioral20/memory/512-138-0x0000000000400000-0x0000000000487000-memory.dmp  upx
  behavioral20/memory/512-139-0x0000000000400000-0x0000000000487000-memory.dmp  upx
  behavioral20/memory/512-140-0x0000000000400000-0x0000000000487000-memory.dmp  upx
Adds Run key to start application 2 TTPs 2 IoCs
Process 080.exe (description / ioc):
  Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HostUpdate.exe"
Checks whether UAC is enabled (heading missing from the extracted report; signature name as listed for this process in the process tree below)
Process 080.exe (description / ioc):
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Suspicious use of SetThreadContext 2 IoCs
Processes 080.exe, 080.exe (description / pid / process / target process):
  PID 812 set thread context of 0  812  080.exe
  PID 1836 set thread context of 512  1836  080.exe  080.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Process 080.exe (pid / process): 512  080.exe (the same entry repeated 64 times)
Suspicious behavior: RenamesItself 2 IoCs
Processes 080.exe, 080.exe (pid / process):
  812  080.exe
  512  080.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes 080.exe, 080.exe (description / pid / process / target process):
  PID 812 wrote to memory of 1836  812  080.exe  080.exe (3 identical entries)
  PID 1836 wrote to memory of 512  1836  080.exe  080.exe (8 identical entries)
System policy modification 1 TTPs 3 IoCs
Process 080.exe (description / ioc):
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
1. C:\Users\Admin\AppData\Local\Temp\©ɱ\080.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\©ɱ\080.exe"
   - UAC bypass
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Suspicious use of SetThreadContext
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   - System policy modification
   2. C:\Users\Admin\AppData\Local\Temp\080.exe (child of process 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\080.exe
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\080.exe (child of process 2)
         Command line: "C:\Users\Admin\AppData\Local\Temp\080.exe"
         - Drops file in Drivers directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/0-133-0x0000000000400000-0x0000000000487000-memory.dmp  Filesize 540KB
memory/512-134-0x0000000000000000-mapping.dmp
memory/512-135-0x0000000000400000-0x0000000000487000-memory.dmp  Filesize 540KB
memory/512-136-0x0000000000400000-0x0000000000487000-memory.dmp  Filesize 540KB
memory/512-137-0x0000000000400000-0x0000000000487000-memory.dmp  Filesize 540KB
memory/512-138-0x0000000000400000-0x0000000000487000-memory.dmp  Filesize 540KB
memory/512-139-0x0000000000400000-0x0000000000487000-memory.dmp  Filesize 540KB
memory/512-140-0x0000000000400000-0x0000000000487000-memory.dmp  Filesize 540KB
memory/1836-132-0x0000000000000000-mapping.dmp