1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77

Analysis

max time kernel
126s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 06:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe
Size

53KB
MD5

004c937223d3357876056e18bae773a2
SHA1

f013c84574379dfe8af90f70e9385a6079ae384e
SHA256

1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77
SHA512

fa72670c5176e55aeb79e216ba158f324d0553b3e645607a2b6cea7e3ecec356ce9bd6201cc58cfd0b9c76a46951fd6f1194fc92faf04e67bf5af75be534d64f
SSDEEP

768:l8nT2FQDzQuBKp8JY5G+zNmzX8RtHTQOnM3w7mnttOHTxwha5B+2jvL:l8njDzQs2PtHxMg7mtVMDz

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4564	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 6 IoCs

evasion

pid	Process
3280	taskkill.exe
212	taskkill.exe
5088	taskkill.exe
3624	taskkill.exe
2704	taskkill.exe
4592	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	explorer.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	taskkill.exe
Token: SeDebugPrivilege	5088	taskkill.exe
Token: SeDebugPrivilege	3624	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	3280	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 440	1900	1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe	82
PID 1900 wrote to memory of 440	1900	1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe	82
PID 1900 wrote to memory of 440	1900	1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe	82
PID 440 wrote to memory of 212	440	cmd.exe	84
PID 440 wrote to memory of 212	440	cmd.exe	84
PID 440 wrote to memory of 212	440	cmd.exe	84
PID 440 wrote to memory of 3136	440	cmd.exe	85
PID 440 wrote to memory of 3136	440	cmd.exe	85
PID 440 wrote to memory of 3136	440	cmd.exe	85
PID 3136 wrote to memory of 1164	3136	net.exe	86
PID 3136 wrote to memory of 1164	3136	net.exe	86
PID 3136 wrote to memory of 1164	3136	net.exe	86
PID 440 wrote to memory of 5088	440	cmd.exe	87
PID 440 wrote to memory of 5088	440	cmd.exe	87
PID 440 wrote to memory of 5088	440	cmd.exe	87
PID 440 wrote to memory of 3624	440	cmd.exe	88
PID 440 wrote to memory of 3624	440	cmd.exe	88
PID 440 wrote to memory of 3624	440	cmd.exe	88
PID 440 wrote to memory of 2704	440	cmd.exe	89
PID 440 wrote to memory of 2704	440	cmd.exe	89
PID 440 wrote to memory of 2704	440	cmd.exe	89
PID 440 wrote to memory of 4592	440	cmd.exe	90
PID 440 wrote to memory of 4592	440	cmd.exe	90
PID 440 wrote to memory of 4592	440	cmd.exe	90
PID 440 wrote to memory of 3280	440	cmd.exe	91
PID 440 wrote to memory of 3280	440	cmd.exe	91
PID 440 wrote to memory of 3280	440	cmd.exe	91
PID 440 wrote to memory of 2772	440	cmd.exe	92
PID 440 wrote to memory of 2772	440	cmd.exe	92
PID 440 wrote to memory of 2772	440	cmd.exe	92
PID 440 wrote to memory of 5096	440	cmd.exe	93
PID 440 wrote to memory of 5096	440	cmd.exe	93
PID 440 wrote to memory of 5096	440	cmd.exe	93
PID 440 wrote to memory of 4564	440	cmd.exe	94
PID 440 wrote to memory of 4564	440	cmd.exe	94
PID 440 wrote to memory of 4564	440	cmd.exe	94
PID 440 wrote to memory of 400	440	cmd.exe	95
PID 440 wrote to memory of 400	440	cmd.exe	95
PID 440 wrote to memory of 400	440	cmd.exe	95
PID 440 wrote to memory of 4612	440	cmd.exe	96
PID 440 wrote to memory of 4612	440	cmd.exe	96
PID 440 wrote to memory of 4612	440	cmd.exe	96
PID 440 wrote to memory of 3132	440	cmd.exe	97
PID 440 wrote to memory of 3132	440	cmd.exe	97
PID 440 wrote to memory of 3132	440	cmd.exe	97
PID 440 wrote to memory of 3936	440	cmd.exe	98
PID 440 wrote to memory of 3936	440	cmd.exe	98
PID 440 wrote to memory of 3936	440	cmd.exe	98
PID 440 wrote to memory of 1428	440	cmd.exe	99
PID 440 wrote to memory of 1428	440	cmd.exe	99
PID 440 wrote to memory of 1428	440	cmd.exe	99
PID 440 wrote to memory of 3912	440	cmd.exe	100
PID 440 wrote to memory of 3912	440	cmd.exe	100
PID 440 wrote to memory of 3912	440	cmd.exe	100
PID 440 wrote to memory of 2508	440	cmd.exe	101
PID 440 wrote to memory of 2508	440	cmd.exe	101
PID 440 wrote to memory of 2508	440	cmd.exe	101
PID 440 wrote to memory of 2160	440	cmd.exe	102
PID 440 wrote to memory of 2160	440	cmd.exe	102
PID 440 wrote to memory of 2160	440	cmd.exe	102
PID 440 wrote to memory of 3752	440	cmd.exe	103
PID 440 wrote to memory of 3752	440	cmd.exe	103
PID 440 wrote to memory of 3752	440	cmd.exe	103
PID 440 wrote to memory of 3656	440	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe
"C:\Users\Admin\AppData\Local\Temp\1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1909B2B.bat" "C:\Users\Admin\AppData\Local\Temp\1a97b7014e92543c349b0ba1f98ac62febf0f8eda5b3e00c77a153d13f5f7f77.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im nxprun.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- - C:\Windows\SysWOW64\net.exe
    net stop AuxNxpSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AuxNxpSvc
      4⤵
      PID:1164
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im nxpauxsvc.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im iexplore.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im hxdrun.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im hxdsvc.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im gamemenu.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3280
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe /s /u ExMon.dll
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u ExMon.dll
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\sc.exe
    sc delete nzHxDSvc
    3⤵
    - Launches sc.exe
    PID:4564
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nznotify" /f
    3⤵
    PID:400
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hxdnotify" /f
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v hxdrun /f
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{757EDB13-4C5D-4E1E-958C-2D2C8E2D37F7}" /f
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{241AEB64-8376-4889-882D-349B03DEC7B8}" /f
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ACF9575-81F6-478E-8186-651FE9668B40}" /f
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{757EDB13-4C5D-4E1E-958C-2D2C8E2D37F7}" /f
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{241AEB64-8376-4889-882D-349B03DEC7B8}" /f
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1ACF9575-81F6-478E-8186-651FE9668B40}" /f
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{241AEB64-8376-4889-882D-349B03DEC7B8}" /f
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{757EDB13-4C5D-4E1E-958C-2D2C8E2D37F7}" /f
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:4024
- - C:\Windows\SysWOW64\net.exe
    net start AuxNxpSvc
    3⤵
    PID:2532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start AuxNxpSvc
      4⤵
      PID:4664

Network

DNS

97.97.242.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.97.242.52.in-addr.arpa

IN PTR

Response
DNS

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

Remote address:

8.8.8.8:53

Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

IN PTR

Response

93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

260 B
5
93.184.221.240:80

260 B
5
93.184.221.240:80

260 B
5
93.184.221.240:80

260 B
5
93.184.221.240:80

260 B
5
40.125.122.151:443

260 B
5
20.42.73.26:443

322 B
7
104.80.225.205:443

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
20.190.159.64:443

260 B
5

8.8.8.8:53

97.97.242.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.97.242.52.in-addr.arpa
8.8.8.8:53

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

dns

118 B
204 B
1
1

DNS Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1909B2B.bat

Filesize
3KB

MD5
be85dc04c72d3175369f3d492d214fb3

SHA1
eeec58a6fa04f5c05a03bfe92b4109e8469a80a2

SHA256
224ac49da3a388e4f1de42d19caa388d2d9517de0ecf4345bec3ff4ca9cb03d0

SHA512
05a246352190ffa0b2c00eb0ba4d0bca1174cf7c63c7c9a84283f8f57d62e425c58130ffada0f0360679925168b6a51ece35be5cf12c26105a6930cc8c27d32c

Download Submit
memory/1900-134-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1900-160-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download