daa8802270996f3d7b4835fd9fba42da054ad1a58403854c0f86b0666c631ac1

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

116.exe
Size

475KB
MD5

5693b49732f95de6062b19b6aea6d5b5
SHA1

fe2266c677a09e28fb86016331371976c133e7fd
SHA256

30ac74e39be0cf57579fbffbda9138386b2eefd45eac6df28da251d43a0d3d42
SHA512

fa7cb7f97b728322280a652d2f49735bf49daf47f5af6d50789c95d53979971255774bbadcf03a32e481dac17ec5e4905ab0221658f47ffdc12bc1a0727b80db
SSDEEP

6144:1DpoeHt8QJCUN0C7Py1av5oam+vqFvmkHf3HZHLhSk2cKgL:ZtVTN0C7PyktXVVk2cbL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
336	sabox.exe
1688	sabox.exe

Deletes itself 1 IoCs

pid	Process
332	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1700	116.exe
900	116.exe
336	sabox.exe
336	sabox.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	sabox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4DD5D0A8-EA99-68F2-0572-1D9A7E6257D8} = "C:\\Users\\Admin\\AppData\\Roaming\\Ulask\\sabox.exe"	sabox.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 900	1700	116.exe	27
PID 336 set thread context of 1688	336	sabox.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

resource	yara_rule
behavioral31/files/0x000c000000012324-68.dat	nsis_installer_1
behavioral31/files/0x000c000000012324-68.dat	nsis_installer_2
behavioral31/files/0x000c000000012324-70.dat	nsis_installer_1
behavioral31/files/0x000c000000012324-70.dat	nsis_installer_2
behavioral31/files/0x000c000000012324-72.dat	nsis_installer_1
behavioral31/files/0x000c000000012324-72.dat	nsis_installer_2
behavioral31/files/0x000c000000012324-75.dat	nsis_installer_1
behavioral31/files/0x000c000000012324-75.dat	nsis_installer_2
behavioral31/files/0x000c000000012324-84.dat	nsis_installer_1
behavioral31/files/0x000c000000012324-84.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe
1688	sabox.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	900	116.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 900	1700	116.exe	27
PID 1700 wrote to memory of 900	1700	116.exe	27
PID 1700 wrote to memory of 900	1700	116.exe	27
PID 1700 wrote to memory of 900	1700	116.exe	27
PID 1700 wrote to memory of 900	1700	116.exe	27
PID 1700 wrote to memory of 900	1700	116.exe	27
PID 1700 wrote to memory of 900	1700	116.exe	27
PID 1700 wrote to memory of 900	1700	116.exe	27
PID 1700 wrote to memory of 900	1700	116.exe	27
PID 1700 wrote to memory of 900	1700	116.exe	27
PID 1700 wrote to memory of 900	1700	116.exe	27
PID 1700 wrote to memory of 900	1700	116.exe	27
PID 900 wrote to memory of 336	900	116.exe	28
PID 900 wrote to memory of 336	900	116.exe	28
PID 900 wrote to memory of 336	900	116.exe	28
PID 900 wrote to memory of 336	900	116.exe	28
PID 900 wrote to memory of 336	900	116.exe	28
PID 900 wrote to memory of 336	900	116.exe	28
PID 900 wrote to memory of 336	900	116.exe	28
PID 336 wrote to memory of 1688	336	sabox.exe	29
PID 336 wrote to memory of 1688	336	sabox.exe	29
PID 336 wrote to memory of 1688	336	sabox.exe	29
PID 336 wrote to memory of 1688	336	sabox.exe	29
PID 336 wrote to memory of 1688	336	sabox.exe	29
PID 336 wrote to memory of 1688	336	sabox.exe	29
PID 336 wrote to memory of 1688	336	sabox.exe	29
PID 336 wrote to memory of 1688	336	sabox.exe	29
PID 336 wrote to memory of 1688	336	sabox.exe	29
PID 336 wrote to memory of 1688	336	sabox.exe	29
PID 336 wrote to memory of 1688	336	sabox.exe	29
PID 336 wrote to memory of 1688	336	sabox.exe	29
PID 900 wrote to memory of 332	900	116.exe	30
PID 900 wrote to memory of 332	900	116.exe	30
PID 900 wrote to memory of 332	900	116.exe	30
PID 900 wrote to memory of 332	900	116.exe	30
PID 1688 wrote to memory of 1128	1688	sabox.exe	9
PID 1688 wrote to memory of 1128	1688	sabox.exe	9
PID 1688 wrote to memory of 1128	1688	sabox.exe	9
PID 1688 wrote to memory of 1128	1688	sabox.exe	9
PID 1688 wrote to memory of 1128	1688	sabox.exe	9
PID 1688 wrote to memory of 1240	1688	sabox.exe	2
PID 1688 wrote to memory of 1240	1688	sabox.exe	2
PID 1688 wrote to memory of 1240	1688	sabox.exe	2
PID 1688 wrote to memory of 1240	1688	sabox.exe	2
PID 1688 wrote to memory of 1240	1688	sabox.exe	2
PID 1688 wrote to memory of 1280	1688	sabox.exe	8
PID 1688 wrote to memory of 1280	1688	sabox.exe	8
PID 1688 wrote to memory of 1280	1688	sabox.exe	8
PID 1688 wrote to memory of 1280	1688	sabox.exe	8
PID 1688 wrote to memory of 1280	1688	sabox.exe	8
PID 1688 wrote to memory of 1064	1688	sabox.exe	32
PID 1688 wrote to memory of 1064	1688	sabox.exe	32
PID 1688 wrote to memory of 1064	1688	sabox.exe	32
PID 1688 wrote to memory of 1064	1688	sabox.exe	32
PID 1688 wrote to memory of 1064	1688	sabox.exe	32
PID 1688 wrote to memory of 1824	1688	sabox.exe	33
PID 1688 wrote to memory of 1824	1688	sabox.exe	33
PID 1688 wrote to memory of 1824	1688	sabox.exe	33
PID 1688 wrote to memory of 1824	1688	sabox.exe	33
PID 1688 wrote to memory of 1824	1688	sabox.exe	33

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1280
- C:\Users\Admin\AppData\Local\Temp\116.exe
  "C:\Users\Admin\AppData\Local\Temp\116.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\116.exe
    "C:\Users\Admin\AppData\Local\Temp\116.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Users\Admin\AppData\Roaming\Ulask\sabox.exe
      "C:\Users\Admin\AppData\Roaming\Ulask\sabox.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:336
    - - C:\Users\Admin\AppData\Roaming\Ulask\sabox.exe
        
        "C:\Users\Admin\AppData\Roaming\Ulask\sabox.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1c208fc5.bat"
      4⤵
      Deletes itself
      PID:332

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1064

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1c208fc5.bat

Filesize
185B

MD5
707dc4e8552c6421b2686dff6225cecb

SHA1
6bb9152558f654bec2330389577ff1771c06303d

SHA256
f71e4da5e848331ae08ad5930c05f6174fb369fdc5f5e9352a12ead66766ff47

SHA512
a1743dcae36ff5ca3893b9ff2c0955f0b57099204b64e1ce8270bd724890e58a83470ec7943f0d322c6b32afc9ce7c1f4f17d45b5f162966cca7cf1a0774d4a5

Download Submit
C:\Users\Admin\AppData\Roaming\Ulask\sabox.exe

Filesize
475KB

MD5
03e903378e967d8ac74455b3f7908906

SHA1
ba01836b87db206d0f303be2db70edf73dc8dc39

SHA256
999ff80964f1f3e6a9b5d97f81cbf0496f35149ad2e74739a156b8c048d5e24c

SHA512
611088e1230be5565f7332bae3f8121fc814fc7e29c7b97f4a4d52701eec2655b130ae40074f1e6ae85187fecf8610b801316fab78a062d6f89ef4b788eafef4

Download Submit
C:\Users\Admin\AppData\Roaming\Ulask\sabox.exe

Filesize
475KB

MD5
03e903378e967d8ac74455b3f7908906

SHA1
ba01836b87db206d0f303be2db70edf73dc8dc39

SHA256
999ff80964f1f3e6a9b5d97f81cbf0496f35149ad2e74739a156b8c048d5e24c

SHA512
611088e1230be5565f7332bae3f8121fc814fc7e29c7b97f4a4d52701eec2655b130ae40074f1e6ae85187fecf8610b801316fab78a062d6f89ef4b788eafef4

Download Submit
C:\Users\Admin\AppData\Roaming\Ulask\sabox.exe

Filesize
475KB

MD5
03e903378e967d8ac74455b3f7908906

SHA1
ba01836b87db206d0f303be2db70edf73dc8dc39

SHA256
999ff80964f1f3e6a9b5d97f81cbf0496f35149ad2e74739a156b8c048d5e24c

SHA512
611088e1230be5565f7332bae3f8121fc814fc7e29c7b97f4a4d52701eec2655b130ae40074f1e6ae85187fecf8610b801316fab78a062d6f89ef4b788eafef4

Download Submit
\Users\Admin\AppData\Local\Temp\nseB2EE.tmp\lichenologist.dll

Filesize
66KB

MD5
42e4078c829a2e1d2734b0033847d2cc

SHA1
5f0279f9190c168d345e024f1e4b8739aec63cfc

SHA256
4cb8de133b9d26ba4d41ed9b4bae121e4b86760805d89f97331e2b5cbb4670b2

SHA512
56be830839f3a728cf844c1656a3cad1aed77d71754d5350b7133f4b02e5c947bcae5be23d7668f13255779ed8e51cc3001b831c76d777cb9e88343d23c093f2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy319E.tmp\lichenologist.dll

Filesize
66KB

MD5
42e4078c829a2e1d2734b0033847d2cc

SHA1
5f0279f9190c168d345e024f1e4b8739aec63cfc

SHA256
4cb8de133b9d26ba4d41ed9b4bae121e4b86760805d89f97331e2b5cbb4670b2

SHA512
56be830839f3a728cf844c1656a3cad1aed77d71754d5350b7133f4b02e5c947bcae5be23d7668f13255779ed8e51cc3001b831c76d777cb9e88343d23c093f2

Download Submit
\Users\Admin\AppData\Roaming\Ulask\sabox.exe

Filesize
475KB

MD5
03e903378e967d8ac74455b3f7908906

SHA1
ba01836b87db206d0f303be2db70edf73dc8dc39

SHA256
999ff80964f1f3e6a9b5d97f81cbf0496f35149ad2e74739a156b8c048d5e24c

SHA512
611088e1230be5565f7332bae3f8121fc814fc7e29c7b97f4a4d52701eec2655b130ae40074f1e6ae85187fecf8610b801316fab78a062d6f89ef4b788eafef4

Download Submit
\Users\Admin\AppData\Roaming\Ulask\sabox.exe

Filesize
475KB

MD5
03e903378e967d8ac74455b3f7908906

SHA1
ba01836b87db206d0f303be2db70edf73dc8dc39

SHA256
999ff80964f1f3e6a9b5d97f81cbf0496f35149ad2e74739a156b8c048d5e24c

SHA512
611088e1230be5565f7332bae3f8121fc814fc7e29c7b97f4a4d52701eec2655b130ae40074f1e6ae85187fecf8610b801316fab78a062d6f89ef4b788eafef4

Download Submit
memory/900-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/900-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/900-88-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/900-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/900-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/900-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/900-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/900-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1064-114-0x0000000001C50000-0x0000000001C77000-memory.dmp

Filesize
156KB

Download
memory/1064-111-0x0000000001C50000-0x0000000001C77000-memory.dmp

Filesize
156KB

Download
memory/1064-113-0x0000000001C50000-0x0000000001C77000-memory.dmp

Filesize
156KB

Download
memory/1064-112-0x0000000001C50000-0x0000000001C77000-memory.dmp

Filesize
156KB

Download
memory/1128-92-0x0000000001D40000-0x0000000001D67000-memory.dmp

Filesize
156KB

Download
memory/1128-93-0x0000000001D40000-0x0000000001D67000-memory.dmp

Filesize
156KB

Download
memory/1128-94-0x0000000001D40000-0x0000000001D67000-memory.dmp

Filesize
156KB

Download
memory/1128-95-0x0000000001D40000-0x0000000001D67000-memory.dmp

Filesize
156KB

Download
memory/1240-98-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1240-101-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1240-99-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1240-100-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1280-107-0x0000000002A40000-0x0000000002A67000-memory.dmp

Filesize
156KB

Download
memory/1280-105-0x0000000002A40000-0x0000000002A67000-memory.dmp

Filesize
156KB

Download
memory/1280-106-0x0000000002A40000-0x0000000002A67000-memory.dmp

Filesize
156KB

Download
memory/1280-104-0x0000000002A40000-0x0000000002A67000-memory.dmp

Filesize
156KB

Download
memory/1688-108-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1700-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1824-117-0x0000000003A60000-0x0000000003A87000-memory.dmp

Filesize
156KB

Download
memory/1824-118-0x0000000003A60000-0x0000000003A87000-memory.dmp

Filesize
156KB

Download
memory/1824-119-0x0000000003A60000-0x0000000003A87000-memory.dmp

Filesize
156KB

Download
memory/1824-120-0x0000000003A60000-0x0000000003A87000-memory.dmp

Filesize
156KB

Download