cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674

Analysis

max time kernel
151s
max time network
168s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 07:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe
Size

637KB
MD5

96513715fb7a2bea6fe9c33f66ee93e6
SHA1

daf1231b7a959a73a7e4dd0ae27613a27de6cd5c
SHA256

cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674
SHA512

d8c398c923ab68d0dbc3fdc777a85a82fa99494caa9c9228f5e4ca1fba846a38ad49ef5f03022ad45d4e492225903b6895e693f03bd0d0f927625fed7f3215bb
SSDEEP

12288:6TOcCf6y0gE59We9WE7u7LW3q4/tDqOQGNgTPO1Z7+EzU9BnDy9vrhgj:6TOpsgE59WoP7uXW3NFDqOQGe6iEY9NB

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\31066 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mspwgrnc.cmd"	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
1168	claimcodeA2WQJJQQ .exe
1668	claimcodeA2WQJJQQ.exe
1120	claimcodeA2WQJJQQ.exe

Deletes itself 1 IoCs

pid	Process
668	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe
1168	claimcodeA2WQJJQQ .exe
1168	claimcodeA2WQJJQQ .exe
1668	claimcodeA2WQJJQQ.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	claimcodeA2WQJJQQ.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	claimcodeA2WQJJQQ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 1120	1668	claimcodeA2WQJJQQ.exe	35

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\mspwgrnc.cmd	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1120	claimcodeA2WQJJQQ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1344	AcroRd32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1668	claimcodeA2WQJJQQ.exe
1668	claimcodeA2WQJJQQ.exe
1120	claimcodeA2WQJJQQ.exe
1120	claimcodeA2WQJJQQ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1344	AcroRd32.exe
1344	AcroRd32.exe
1344	AcroRd32.exe
1344	AcroRd32.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1168	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	28
PID 2044 wrote to memory of 1168	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	28
PID 2044 wrote to memory of 1168	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	28
PID 2044 wrote to memory of 1168	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	28
PID 2044 wrote to memory of 1168	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	28
PID 2044 wrote to memory of 1168	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	28
PID 2044 wrote to memory of 1168	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	28
PID 2044 wrote to memory of 1344	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	29
PID 2044 wrote to memory of 1344	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	29
PID 2044 wrote to memory of 1344	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	29
PID 2044 wrote to memory of 1344	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	29
PID 2044 wrote to memory of 668	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	30
PID 2044 wrote to memory of 668	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	30
PID 2044 wrote to memory of 668	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	30
PID 2044 wrote to memory of 668	2044	cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe	30
PID 1168 wrote to memory of 1668	1168	claimcodeA2WQJJQQ .exe	32
PID 1168 wrote to memory of 1668	1168	claimcodeA2WQJJQQ .exe	32
PID 1168 wrote to memory of 1668	1168	claimcodeA2WQJJQQ .exe	32
PID 1168 wrote to memory of 1668	1168	claimcodeA2WQJJQQ .exe	32
PID 1168 wrote to memory of 1288	1168	claimcodeA2WQJJQQ .exe	33
PID 1168 wrote to memory of 1288	1168	claimcodeA2WQJJQQ .exe	33
PID 1168 wrote to memory of 1288	1168	claimcodeA2WQJJQQ .exe	33
PID 1168 wrote to memory of 1288	1168	claimcodeA2WQJJQQ .exe	33
PID 1668 wrote to memory of 1120	1668	claimcodeA2WQJJQQ.exe	35
PID 1668 wrote to memory of 1120	1668	claimcodeA2WQJJQQ.exe	35
PID 1668 wrote to memory of 1120	1668	claimcodeA2WQJJQQ.exe	35
PID 1668 wrote to memory of 1120	1668	claimcodeA2WQJJQQ.exe	35
PID 1120 wrote to memory of 744	1120	claimcodeA2WQJJQQ.exe	36
PID 1120 wrote to memory of 744	1120	claimcodeA2WQJJQQ.exe	36
PID 1120 wrote to memory of 744	1120	claimcodeA2WQJJQQ.exe	36
PID 1120 wrote to memory of 744	1120	claimcodeA2WQJJQQ.exe	36

C:\Users\Admin\AppData\Local\Temp\cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe
"C:\Users\Admin\AppData\Local\Temp\cb41c95af78ed226a37b9e1381a7be91590086a86a6225f30c2c0522ca116674.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ .exe
  "C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ .exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe
    "C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe
      "C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe"
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Windows\syswow64\svchost.exe
        
        C:\Windows\syswow64\svchost.exe
        5⤵
        Adds policy Run key to start application
        Drops file in Program Files directory
        
        PID:744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
    3⤵
    PID:1288
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
a610329c8f1f9d4dc2658469867f0e4d

SHA1
21b4f3b011abd4444c2e26408f3697c5392182e8

SHA256
f7943de4303aadeaa77dd18c871d06f9a5e02258cf694476ac4da883a9281b26

SHA512
1226de2836e06192316bede29eac6811847313eaa1bc3b4555e0b0003781b7603ed981e32faf770e586d375f516bed65f7fcfe42514856e26c1e2a82264a83b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
208B

MD5
96de1380d77dc5b00ec8064d5f6d6d65

SHA1
16f6a16f8b43b339d087436dc1c2c98f4c9a5dd5

SHA256
25ad156506b3cc28248d49790e0b1006a66b262bcc1ccc57c931219edab518bb

SHA512
8496a6f067cc6c3e3318ca639258232522dd3076e0f1b2aa2ad58a5f6bda4c30498aa356afabf2a185a878bdd271f4dc157485d86c81b62fbfc89f5b11804b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ .exe

Filesize
382KB

MD5
70c95e309491bab951a37e404ea318e1

SHA1
dd0db1b297ee1eeaf8e21cafaaf71a19faec9761

SHA256
1f5d7ea129eed58d921d19155bde79ad8ad3eb588ca1473eefcdcc6b31d8a7ad

SHA512
787dee92614db5827441438bec6e08666bb4b476f419c18fe93c886217efe077e27f1b2cdc8bed8e49f42453137ce5e4a6b4392e752774ce2683d8c59bc7a1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ .exe

Filesize
382KB

MD5
70c95e309491bab951a37e404ea318e1

SHA1
dd0db1b297ee1eeaf8e21cafaaf71a19faec9761

SHA256
1f5d7ea129eed58d921d19155bde79ad8ad3eb588ca1473eefcdcc6b31d8a7ad

SHA512
787dee92614db5827441438bec6e08666bb4b476f419c18fe93c886217efe077e27f1b2cdc8bed8e49f42453137ce5e4a6b4392e752774ce2683d8c59bc7a1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe

Filesize
793KB

MD5
f6d6feaa568103785888fec8fc0695fa

SHA1
e8880ca1ad65279012e81a2d61aa0a427072e34e

SHA256
b5aa47d182db0e15465dfa8dce8fd579e89dff245af54ab5b2735432938b1e13

SHA512
72f87b8821211b07c8fa72b51c3d282aa668f675d7600d35d0d2c672868e53a82cb6fc81c2c85141679b26af7f596b551e6305845de7e83463ba9f3458d9d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe

Filesize
793KB

MD5
f6d6feaa568103785888fec8fc0695fa

SHA1
e8880ca1ad65279012e81a2d61aa0a427072e34e

SHA256
b5aa47d182db0e15465dfa8dce8fd579e89dff245af54ab5b2735432938b1e13

SHA512
72f87b8821211b07c8fa72b51c3d282aa668f675d7600d35d0d2c672868e53a82cb6fc81c2c85141679b26af7f596b551e6305845de7e83463ba9f3458d9d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe

Filesize
793KB

MD5
f6d6feaa568103785888fec8fc0695fa

SHA1
e8880ca1ad65279012e81a2d61aa0a427072e34e

SHA256
b5aa47d182db0e15465dfa8dce8fd579e89dff245af54ab5b2735432938b1e13

SHA512
72f87b8821211b07c8fa72b51c3d282aa668f675d7600d35d0d2c672868e53a82cb6fc81c2c85141679b26af7f596b551e6305845de7e83463ba9f3458d9d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.pdf

Filesize
214KB

MD5
6846a7512960c54202273b0c64ee967c

SHA1
3c0ae1ddd1b95973106ee304389d00b327be390c

SHA256
de15835aa390235e0d44f338384608834ec3436eaabcae727760daef69d43e2f

SHA512
a97b2b3e73a2a3f89f3778cccb8027094631a77e04e172e25228e34df8bba93d9eff5568073bc406500e28fac494a7a647a422bd2894d536d11558e64ea1394d

Download Submit
\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ .exe

Filesize
382KB

MD5
70c95e309491bab951a37e404ea318e1

SHA1
dd0db1b297ee1eeaf8e21cafaaf71a19faec9761

SHA256
1f5d7ea129eed58d921d19155bde79ad8ad3eb588ca1473eefcdcc6b31d8a7ad

SHA512
787dee92614db5827441438bec6e08666bb4b476f419c18fe93c886217efe077e27f1b2cdc8bed8e49f42453137ce5e4a6b4392e752774ce2683d8c59bc7a1d2

Download Submit
\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe

Filesize
793KB

MD5
f6d6feaa568103785888fec8fc0695fa

SHA1
e8880ca1ad65279012e81a2d61aa0a427072e34e

SHA256
b5aa47d182db0e15465dfa8dce8fd579e89dff245af54ab5b2735432938b1e13

SHA512
72f87b8821211b07c8fa72b51c3d282aa668f675d7600d35d0d2c672868e53a82cb6fc81c2c85141679b26af7f596b551e6305845de7e83463ba9f3458d9d099

Download Submit
\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe

Filesize
793KB

MD5
f6d6feaa568103785888fec8fc0695fa

SHA1
e8880ca1ad65279012e81a2d61aa0a427072e34e

SHA256
b5aa47d182db0e15465dfa8dce8fd579e89dff245af54ab5b2735432938b1e13

SHA512
72f87b8821211b07c8fa72b51c3d282aa668f675d7600d35d0d2c672868e53a82cb6fc81c2c85141679b26af7f596b551e6305845de7e83463ba9f3458d9d099

Download Submit
\Users\Admin\AppData\Local\Temp\claimcodeA2WQJJQQ.exe

Filesize
793KB

MD5
f6d6feaa568103785888fec8fc0695fa

SHA1
e8880ca1ad65279012e81a2d61aa0a427072e34e

SHA256
b5aa47d182db0e15465dfa8dce8fd579e89dff245af54ab5b2735432938b1e13

SHA512
72f87b8821211b07c8fa72b51c3d282aa668f675d7600d35d0d2c672868e53a82cb6fc81c2c85141679b26af7f596b551e6305845de7e83463ba9f3458d9d099

Download Submit
memory/744-79-0x0000000000890000-0x0000000000898000-memory.dmp

Filesize
32KB

Download
memory/744-80-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/744-81-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/1120-77-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1668-76-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/2044-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download