Overview

overview

10

Static

static

1

100.exe

windows7-x64

8

100.exe

windows10-2004-x64

10

101.exe

windows7-x64

1

101.exe

windows10-2004-x64

1

102.exe

windows7-x64

8

102.exe

windows10-2004-x64

5

103.exe

windows7-x64

8

103.exe

windows10-2004-x64

1

105.exe

windows7-x64

10

105.exe

windows10-2004-x64

10

106.exe

windows7-x64

8

106.exe

windows10-2004-x64

1

107.exe

windows7-x64

6

107.exe

windows10-2004-x64

6

108.exe

windows7-x64

10

108.exe

windows10-2004-x64

10

109.exe

windows7-x64

10

109.exe

windows10-2004-x64

5

110.exe

windows7-x64

10

110.exe

windows10-2004-x64

10

111.exe

windows7-x64

10

111.exe

windows10-2004-x64

10

112.exe

windows7-x64

8

112.exe

windows10-2004-x64

7

113.exe

windows7-x64

10

113.exe

windows10-2004-x64

10

114.exe

windows7-x64

10

114.exe

windows10-2004-x64

8

115.exe

windows7-x64

10

115.exe

windows10-2004-x64

10

116.exe

windows7-x64

8

116.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    112.exe

  • Size

    187KB

  • MD5

    1b16b152c1fde08b8089adf6132f5d4d

  • SHA1

    025f3f3760221f62415376ac2ecb6bd8d426762e

  • SHA256

    1fc0ea9775d1a71a08af06b83e829664b19a9122ce0dfececfc205aa72fcbc44

  • SHA512

    7af997e7b9daa383f6956d9c267ae14d83c223a625a47d5c5c7b9a1391c04332f4315d0ae314d2ab7ea1648c9db2d3b60251e431d288909dd9f31ce8cddaff4e

  • SSDEEP

    3072:EDQkrZoosbIfXJMq6WLs0JiG3VU2wBOZfYyqUElu/UvymUPPGwuDjwauVxrITZFE:EDpoeCOLNHFU2COZfYyTElu86mpFwa6/

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1120
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1204
        • C:\Users\Admin\AppData\Local\Temp\112.exe
          "C:\Users\Admin\AppData\Local\Temp\112.exe"
          2⤵
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\Users\Admin\AppData\Local\Temp\112.exe
            "C:\Users\Admin\AppData\Local\Temp\112.exe"
            3⤵
            • Loads dropped DLL
            • Modifies Internet Explorer settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:908
            • C:\Users\Admin\AppData\Roaming\Cauh\ryin.exe
              "C:\Users\Admin\AppData\Roaming\Cauh\ryin.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2036
              • C:\Users\Admin\AppData\Roaming\Cauh\ryin.exe
                "C:\Users\Admin\AppData\Roaming\Cauh\ryin.exe"
                5⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1692
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc877edf3.bat"
              4⤵
              • Deletes itself
              PID:1264
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1176
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "-3124889851794076942-1228023509-11776573181557249878-1955140193538318072-616653782"
          1⤵
            PID:1300
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:868
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
                PID:1080
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                1⤵
                  PID:588

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\tmpc877edf3.bat
                  Filesize

                  185B

                  MD5

                  93bac90b76c04d323c6b83d68889e365

                  SHA1

                  c29529fbd38bff6c318beacd5df375c517c75e4c

                  SHA256

                  662bea481412385b9c73fc2bf8e21914f56a149790c2ab71edb0f6cd01a50fe0

                  SHA512

                  3c900d6b14faa28ddf2333a034ebb6cab1e66f1890baa29e75347a5593bf404fe3b8fca19a435f25a608c1a3fc7bee720d252de5b24a923b276514534279495c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Cauh\ryin.exe
                  Filesize

                  187KB

                  MD5

                  1265678ac187c8267a5bcf9098e59641

                  SHA1

                  ca7aa3af555469b497679421024828f8a5086871

                  SHA256

                  30e8ddfe87a2b3e69210be686fce61a3883d849e9680f27a23f37d30dc360da3

                  SHA512

                  2d13b2b5a346f28060c3ff572e90a15c14e03b61898309b895dd97524b6725b12e965c291724b6114cc9f6e3c53dadc80d01576aacb611ea5de1588b35e4a2df

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Cauh\ryin.exe
                  Filesize

                  187KB

                  MD5

                  1265678ac187c8267a5bcf9098e59641

                  SHA1

                  ca7aa3af555469b497679421024828f8a5086871

                  SHA256

                  30e8ddfe87a2b3e69210be686fce61a3883d849e9680f27a23f37d30dc360da3

                  SHA512

                  2d13b2b5a346f28060c3ff572e90a15c14e03b61898309b895dd97524b6725b12e965c291724b6114cc9f6e3c53dadc80d01576aacb611ea5de1588b35e4a2df

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Cauh\ryin.exe
                  Filesize

                  187KB

                  MD5

                  1265678ac187c8267a5bcf9098e59641

                  SHA1

                  ca7aa3af555469b497679421024828f8a5086871

                  SHA256

                  30e8ddfe87a2b3e69210be686fce61a3883d849e9680f27a23f37d30dc360da3

                  SHA512

                  2d13b2b5a346f28060c3ff572e90a15c14e03b61898309b895dd97524b6725b12e965c291724b6114cc9f6e3c53dadc80d01576aacb611ea5de1588b35e4a2df

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\nseE3AE.tmp\brokerages.dll
                  Filesize

                  16KB

                  MD5

                  1236c52aeb7ff29f443d50e4d326d0d1

                  SHA1

                  ee19d4a6a2ed9985b691b851ac0caba3268b0981

                  SHA256

                  8aba0509facbd46831ce38a569acf5909efd5c0a84aeca1fe80774b9879ed5b2

                  SHA512

                  89831f7fd674c92ef2ff08a711d326170324d0cfa0064dd38a0063b27986b4f4e7ecb538ab5bb816c8cc3059fe25bdceadc8452f40e08874f6e46c1b14dfbd17

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\nso7BA8.tmp\brokerages.dll
                  Filesize

                  16KB

                  MD5

                  1236c52aeb7ff29f443d50e4d326d0d1

                  SHA1

                  ee19d4a6a2ed9985b691b851ac0caba3268b0981

                  SHA256

                  8aba0509facbd46831ce38a569acf5909efd5c0a84aeca1fe80774b9879ed5b2

                  SHA512

                  89831f7fd674c92ef2ff08a711d326170324d0cfa0064dd38a0063b27986b4f4e7ecb538ab5bb816c8cc3059fe25bdceadc8452f40e08874f6e46c1b14dfbd17

                  Download Submit

                • \Users\Admin\AppData\Roaming\Cauh\ryin.exe
                  Filesize

                  187KB

                  MD5

                  1265678ac187c8267a5bcf9098e59641

                  SHA1

                  ca7aa3af555469b497679421024828f8a5086871

                  SHA256

                  30e8ddfe87a2b3e69210be686fce61a3883d849e9680f27a23f37d30dc360da3

                  SHA512

                  2d13b2b5a346f28060c3ff572e90a15c14e03b61898309b895dd97524b6725b12e965c291724b6114cc9f6e3c53dadc80d01576aacb611ea5de1588b35e4a2df

                  Download Submit

                • memory/588-137-0x0000000000500000-0x0000000000527000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/588-138-0x0000000000500000-0x0000000000527000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/868-125-0x00000000002B0000-0x00000000002D7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/868-126-0x00000000002B0000-0x00000000002D7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/868-127-0x00000000002B0000-0x00000000002D7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/868-128-0x00000000002B0000-0x00000000002D7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/908-112-0x00000000002F0000-0x0000000000317000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/908-56-0x0000000000400000-0x0000000000427000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/908-67-0x0000000000400000-0x0000000000427000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/908-57-0x0000000000400000-0x0000000000427000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/908-59-0x0000000000400000-0x0000000000427000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/908-60-0x0000000000400000-0x0000000000427000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/908-62-0x0000000000400000-0x0000000000427000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/908-66-0x0000000000400000-0x0000000000427000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/908-111-0x0000000000400000-0x0000000000427000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/908-109-0x00000000002F0000-0x0000000000317000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/908-108-0x00000000002F0000-0x0000000000317000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/908-107-0x00000000002F0000-0x0000000000317000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/908-106-0x00000000002F0000-0x0000000000317000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1080-134-0x0000000000080000-0x00000000000A7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1080-133-0x0000000000080000-0x00000000000A7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1080-132-0x0000000000080000-0x00000000000A7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1080-131-0x0000000000080000-0x00000000000A7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1120-91-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1120-88-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1120-89-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1120-90-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1176-96-0x0000000000130000-0x0000000000157000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1176-97-0x0000000000130000-0x0000000000157000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1176-95-0x0000000000130000-0x0000000000157000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1176-94-0x0000000000130000-0x0000000000157000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1204-102-0x00000000025A0000-0x00000000025C7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1204-100-0x00000000025A0000-0x00000000025C7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1204-101-0x00000000025A0000-0x00000000025C7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1204-103-0x00000000025A0000-0x00000000025C7000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1264-119-0x0000000000130000-0x0000000000157000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1692-122-0x0000000000400000-0x0000000000427000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1692-117-0x0000000000400000-0x0000000000427000-memory.dmp

                  Filesize

                  156KB

                  Download

                • memory/1948-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

                  Filesize

                  8KB

                  Download