77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce

Analysis

max time kernel
143s
max time network
142s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 08:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
Size

782KB
MD5

2237dcb311626c0bf61fb777e98d810f
SHA1

58f32dded9b58f16169af2d606e33902c7f7771b
SHA256

77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce
SHA512

239234a683321dc97b0a03c7a22454b353e4b9d88e5f4c739c00d99874edd51028297c9cf55da5c72e41c7c961e459acf84d62e584bd158d36df8c07d79cb6a8
SSDEEP

12288:pwgeQ3o6x7+PbjocVfVNv1xwo1+ACsdgS4UfOvl3z8jupDqgwl:psjNhSXLgKpOl

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{02D608P5-3QY4-B47O-2GO8-75AI3810PDF6}	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02D608P5-3QY4-B47O-2GO8-75AI3810PDF6}\StubPath = "C:\\Windows\\system32\\System32\\list.exe.exe Restart"	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cerberus = "C:\\Windows\\system32\\System32\\list.exe.exe"	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cerberus = "C:\\Windows\\system32\\System32\\list.exe.exe"	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\System32\database.dat	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
File created	C:\Windows\SysWOW64\System32\plugin.dat	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
File created	C:\Windows\SysWOW64\System32\list.exe.exe	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
File opened for modification	C:\Windows\SysWOW64\System32\list.exe.exe	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
File created	C:\Windows\SysWOW64\List.exe.txt	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
File created	C:\Windows\SysWOW64\System32\database.dat	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2508	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
Token: SeDebugPrivilege	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
Token: SeDebugPrivilege	1200	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
Token: SeDebugPrivilege	1200	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28
PID 976 wrote to memory of 1200	976	77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe	28

C:\Users\Admin\AppData\Local\Temp\77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
"C:\Users\Admin\AppData\Local\Temp\77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
  C:\Users\Admin\AppData\Local\Temp\77a4ab12b20010252e2a3f29698383b9f81f7a5bd32c1d98de71a86df41978ce.exe
  2⤵
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\system32\List.exe.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\List.exe.txt

Filesize
214B

MD5
e3f9762b225abe533cd13280b91f3b12

SHA1
ea0c8736006284e2da44ebbbe1a6e7718a0f8323

SHA256
a966868636cb106a3895ac2e6fa58d2fbb52f3a4c56c10e240a79d7cf2f9727b

SHA512
fee413266fb60d6a2998e55564765c0f9ca4008a2518587e103de18ede127473c5f61c3187689d0f42a9d31bb47746623a7a330e455616e917d6c9260b4439db

Download Submit
memory/976-56-0x0000000001D60000-0x0000000001E1F000-memory.dmp

Filesize
764KB

Download
memory/976-63-0x0000000010410000-0x00000000104CF000-memory.dmp

Filesize
764KB

Download
memory/1200-79-0x0000000008940000-0x00000000089D4000-memory.dmp

Filesize
592KB

Download
memory/1200-69-0x0000000010410000-0x00000000104CF000-memory.dmp

Filesize
764KB

Download
memory/1200-74-0x0000000010410000-0x00000000104CF000-memory.dmp

Filesize
764KB

Download
memory/1200-75-0x0000000008210000-0x00000000082A4000-memory.dmp

Filesize
592KB

Download
memory/1200-76-0x0000000008460000-0x00000000084F4000-memory.dmp

Filesize
592KB

Download
memory/1200-77-0x0000000008600000-0x0000000008694000-memory.dmp

Filesize
592KB

Download
memory/1200-78-0x00000000087A0000-0x0000000008834000-memory.dmp

Filesize
592KB

Download
memory/1200-80-0x0000000008AE0000-0x0000000008B74000-memory.dmp

Filesize
592KB

Download
memory/1200-81-0x0000000008C80000-0x0000000008D14000-memory.dmp

Filesize
592KB

Download
memory/1200-82-0x0000000010410000-0x00000000104CF000-memory.dmp

Filesize
764KB

Download
memory/2508-72-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download