85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed | Triage

Analysis

max time kernel
148s
max time network
74s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 14:19 UTC

Sharing

Report Analysis Logs

General

Target

85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe
Size

419KB
MD5

08693e673d23ac2c0c78b9ef8dabe218
SHA1

b73cccfaf8b4f9ba7645eb8693124b637a8abf8d
SHA256

85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed
SHA512

007a302f0a2b64d13f408f3784beca07138b6e80ae464d50e2a43bd1771292e546a68f6a13ac243feaf956ab6d9bd152505ff6e6924f3116e9abfcbcc597cac2
SSDEEP

12288:VHMjpqaCqho40Vxl/RRAvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvf:dcN+Ll/RRw

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\_DefaultEx = "0"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 240 set thread context of 320	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
1980	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	320	svchost.exe
Token: SeDebugPrivilege	320	svchost.exe
Token: SeTcbPrivilege	320	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
320	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 1980	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	28
PID 240 wrote to memory of 1980	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	28
PID 240 wrote to memory of 1980	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	28
PID 240 wrote to memory of 1980	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	28
PID 240 wrote to memory of 320	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	30
PID 240 wrote to memory of 320	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	30
PID 240 wrote to memory of 320	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	30
PID 240 wrote to memory of 320	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	30
PID 240 wrote to memory of 320	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	30
PID 240 wrote to memory of 320	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	30
PID 240 wrote to memory of 320	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	30
PID 240 wrote to memory of 320	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	30
PID 240 wrote to memory of 320	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	30
PID 240 wrote to memory of 320	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	30
PID 240 wrote to memory of 320	240	85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe	30

C:\Users\Admin\AppData\Local\Temp\85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe
"C:\Users\Admin\AppData\Local\Temp\85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:240
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "C:\Users\Admin\AppData\Local\Temp\a44444.xml"
  2⤵
  - Creates scheduled task(s)
  PID:1980
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:320

Network

DNS

jagex1.crabdance.com

svchost.exe

Remote address:

8.8.8.8:53

Request

jagex1.crabdance.com

IN A

Response

jagex1.crabdance.com

IN A

127.0.0.2

127.0.0.2:17777

svchost.exe
127.0.0.2:17777

svchost.exe
127.0.0.2:17777

svchost.exe
127.0.0.2:17777

svchost.exe
127.0.0.2:17777

svchost.exe
127.0.0.2:17777

svchost.exe
127.0.0.2:17777

svchost.exe
127.0.0.2:17777

svchost.exe
127.0.0.2:17777

svchost.exe
127.0.0.2:17777

svchost.exe
127.0.0.2:17777

svchost.exe
127.0.0.2:17777

svchost.exe
127.0.0.2:17777

svchost.exe
127.0.0.2:17777

svchost.exe

8.8.8.8:53

jagex1.crabdance.com

dns

svchost.exe

66 B
82 B
1
1

DNS Request

jagex1.crabdance.com

DNS Response

127.0.0.2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a44444.xml

Filesize
1KB

MD5
b258c29c3afb1122b924b80ea38c343a

SHA1
99f89b3958ac33fa672485d5891b4bb9845d2ef0

SHA256
b38fa2612f36f7604ff4c6459805424101fca004922c76b67be5a886bfcba5e9

SHA512
7693712218a3807329352dc6d85359df614f0b820dd789da311d3a8abeb25c4b33dd6a9a9b50aaa68fb79af7b74e072ae25ead2c9285ac737c5f1d7b6677ad1c

Download Submit
memory/240-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/240-55-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/240-56-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/240-77-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/320-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/320-60-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/320-62-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/320-59-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/320-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/320-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/320-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/320-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/320-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/320-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download