1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77

Analysis

max time kernel
52s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe
Size

53KB
MD5

004c937223d3357876056e18bae773a2
SHA1

f013c84574379dfe8af90f70e9385a6079ae384e
SHA256

1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77
SHA512

fa72670c5176e55aeb79e216ba158f324d0553b3e645607a2b6cea7e3ecec356ce9bd6201cc58cfd0b9c76a46951fd6f1194fc92faf04e67bf5af75be534d64f
SSDEEP

768:l8nT2FQDzQuBKp8JY5G+zNmzX8RtHTQOnM3w7mnttOHTxwha5B+2jvL:l8njDzQs2PtHxMg7mtVMDz

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1072	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 6 IoCs

evasion

pid	Process
1680	taskkill.exe
692	taskkill.exe
1260	taskkill.exe
1268	taskkill.exe
1980	taskkill.exe
468	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	468	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2008	1764	1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe	26
PID 1764 wrote to memory of 2008	1764	1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe	26
PID 1764 wrote to memory of 2008	1764	1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe	26
PID 1764 wrote to memory of 2008	1764	1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe	26
PID 2008 wrote to memory of 1268	2008	cmd.exe	28
PID 2008 wrote to memory of 1268	2008	cmd.exe	28
PID 2008 wrote to memory of 1268	2008	cmd.exe	28
PID 2008 wrote to memory of 1268	2008	cmd.exe	28
PID 2008 wrote to memory of 1720	2008	cmd.exe	30
PID 2008 wrote to memory of 1720	2008	cmd.exe	30
PID 2008 wrote to memory of 1720	2008	cmd.exe	30
PID 2008 wrote to memory of 1720	2008	cmd.exe	30
PID 1720 wrote to memory of 1076	1720	net.exe	31
PID 1720 wrote to memory of 1076	1720	net.exe	31
PID 1720 wrote to memory of 1076	1720	net.exe	31
PID 1720 wrote to memory of 1076	1720	net.exe	31
PID 2008 wrote to memory of 1980	2008	cmd.exe	32
PID 2008 wrote to memory of 1980	2008	cmd.exe	32
PID 2008 wrote to memory of 1980	2008	cmd.exe	32
PID 2008 wrote to memory of 1980	2008	cmd.exe	32
PID 2008 wrote to memory of 468	2008	cmd.exe	33
PID 2008 wrote to memory of 468	2008	cmd.exe	33
PID 2008 wrote to memory of 468	2008	cmd.exe	33
PID 2008 wrote to memory of 468	2008	cmd.exe	33
PID 2008 wrote to memory of 1680	2008	cmd.exe	34
PID 2008 wrote to memory of 1680	2008	cmd.exe	34
PID 2008 wrote to memory of 1680	2008	cmd.exe	34
PID 2008 wrote to memory of 1680	2008	cmd.exe	34
PID 2008 wrote to memory of 692	2008	cmd.exe	35
PID 2008 wrote to memory of 692	2008	cmd.exe	35
PID 2008 wrote to memory of 692	2008	cmd.exe	35
PID 2008 wrote to memory of 692	2008	cmd.exe	35
PID 2008 wrote to memory of 1260	2008	cmd.exe	36
PID 2008 wrote to memory of 1260	2008	cmd.exe	36
PID 2008 wrote to memory of 1260	2008	cmd.exe	36
PID 2008 wrote to memory of 1260	2008	cmd.exe	36
PID 2008 wrote to memory of 1880	2008	cmd.exe	37
PID 2008 wrote to memory of 1880	2008	cmd.exe	37
PID 2008 wrote to memory of 1880	2008	cmd.exe	37
PID 2008 wrote to memory of 1880	2008	cmd.exe	37
PID 2008 wrote to memory of 1880	2008	cmd.exe	37
PID 2008 wrote to memory of 1880	2008	cmd.exe	37
PID 2008 wrote to memory of 1880	2008	cmd.exe	37
PID 2008 wrote to memory of 1540	2008	cmd.exe	38
PID 2008 wrote to memory of 1540	2008	cmd.exe	38
PID 2008 wrote to memory of 1540	2008	cmd.exe	38
PID 2008 wrote to memory of 1540	2008	cmd.exe	38
PID 2008 wrote to memory of 1540	2008	cmd.exe	38
PID 2008 wrote to memory of 1540	2008	cmd.exe	38
PID 2008 wrote to memory of 1540	2008	cmd.exe	38
PID 2008 wrote to memory of 1072	2008	cmd.exe	39
PID 2008 wrote to memory of 1072	2008	cmd.exe	39
PID 2008 wrote to memory of 1072	2008	cmd.exe	39
PID 2008 wrote to memory of 1072	2008	cmd.exe	39
PID 2008 wrote to memory of 1416	2008	cmd.exe	40
PID 2008 wrote to memory of 1416	2008	cmd.exe	40
PID 2008 wrote to memory of 1416	2008	cmd.exe	40
PID 2008 wrote to memory of 1416	2008	cmd.exe	40
PID 2008 wrote to memory of 2044	2008	cmd.exe	41
PID 2008 wrote to memory of 2044	2008	cmd.exe	41
PID 2008 wrote to memory of 2044	2008	cmd.exe	41
PID 2008 wrote to memory of 2044	2008	cmd.exe	41
PID 2008 wrote to memory of 1960	2008	cmd.exe	42
PID 2008 wrote to memory of 1960	2008	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe
"C:\Users\Admin\AppData\Local\Temp\1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\17683B1.bat" "C:\Users\Admin\AppData\Local\Temp\1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im nxprun.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- - C:\Windows\SysWOW64\net.exe
    net stop AuxNxpSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AuxNxpSvc
      4⤵
      PID:1076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im nxpauxsvc.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im iexplore.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im hxdrun.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im hxdsvc.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im gamemenu.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe /s /u ExMon.dll
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u ExMon.dll
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\sc.exe
    sc delete nzHxDSvc
    3⤵
    - Launches sc.exe
    PID:1072
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nznotify" /f
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hxdnotify" /f
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v hxdrun /f
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{757EDB13-4C5D-4E1E-958C-2D2C8E2D37F7}" /f
    3⤵
    PID:684
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{241AEB64-8376-4889-882D-349B03DEC7B8}" /f
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ACF9575-81F6-478E-8186-651FE9668B40}" /f
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{757EDB13-4C5D-4E1E-958C-2D2C8E2D37F7}" /f
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{241AEB64-8376-4889-882D-349B03DEC7B8}" /f
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1ACF9575-81F6-478E-8186-651FE9668B40}" /f
    3⤵
    PID:888
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{241AEB64-8376-4889-882D-349B03DEC7B8}" /f
    3⤵
    PID:856
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{757EDB13-4C5D-4E1E-958C-2D2C8E2D37F7}" /f
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\explorer.exe
    explorer
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\net.exe
    net start AuxNxpSvc
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start AuxNxpSvc
      4⤵
      PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17683B1.bat

Filesize
3KB

MD5
be85dc04c72d3175369f3d492d214fb3

SHA1
eeec58a6fa04f5c05a03bfe92b4109e8469a80a2

SHA256
224ac49da3a388e4f1de42d19caa388d2d9517de0ecf4345bec3ff4ca9cb03d0

SHA512
05a246352190ffa0b2c00eb0ba4d0bca1174cf7c63c7c9a84283f8f57d62e425c58130ffada0f0360679925168b6a51ece35be5cf12c26105a6930cc8c27d32c

Download Submit
memory/1748-86-0x0000000074641000-0x0000000074643000-memory.dmp

Filesize
8KB

Download
memory/1764-54-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1764-87-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1880-66-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download