c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04

Analysis

max time kernel
174s
max time network
200s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe
Size

312KB
MD5

60025213ff40b58d3a0bebdc575cf123
SHA1

e4c7167fd83ed11ab5b99ebe5be6a12206eddfb8
SHA256

c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04
SHA512

a67be089b8eb94ff340702cff3fe2701fc277fd9b787b5d386ac068217cdef2c244c0fae8f56c816f2b8623d89fcf1a2c3928d599ec2823401b50f9a4a817ba3
SSDEEP

6144:yZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876sa+g3NOUacHYh9DlZ/zq/A:0XmwRo+mv8QD4+0N46l+g3NXW9/rq/A

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1508	crypts.exe

Loads dropped DLL 5 IoCs

pid	Process
944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe
1508	crypts.exe
1508	crypts.exe
1508	crypts.exe
1508	crypts.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	107.161.146.116

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Dorm = "C:\\Program Files (x86)\\House\\Dorm\\crypts.exe"	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\House\Dorm\3.txt	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe
File opened for modification	C:\Program Files (x86)\House\Dorm\crypts.exe	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe
File opened for modification	C:\Program Files (x86)\House\Dorm\bi2puk.vbs	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe
File opened for modification	C:\Program Files (x86)\House\Dorm\Uninstall.exe	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe
File created	C:\Program Files (x86)\House\Dorm\Uninstall.ini	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe
File opened for modification	C:\Program Files (x86)\House\Dorm\slonopotam.vbs	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe
File opened for modification	C:\Program Files (x86)\House\Dorm\instagramm.bat	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe
File opened for modification	C:\Program Files (x86)\House\Dorm\4.txt	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000012333-60.dat	nsis_installer_1
behavioral1/files/0x0008000000012333-60.dat	nsis_installer_2
behavioral1/files/0x0008000000012333-62.dat	nsis_installer_1
behavioral1/files/0x0008000000012333-62.dat	nsis_installer_2
behavioral1/files/0x0008000000012333-65.dat	nsis_installer_1
behavioral1/files/0x0008000000012333-65.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 336	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	28
PID 944 wrote to memory of 336	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	28
PID 944 wrote to memory of 336	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	28
PID 944 wrote to memory of 336	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	28
PID 944 wrote to memory of 1656	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	30
PID 944 wrote to memory of 1656	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	30
PID 944 wrote to memory of 1656	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	30
PID 944 wrote to memory of 1656	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	30
PID 944 wrote to memory of 1508	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	31
PID 944 wrote to memory of 1508	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	31
PID 944 wrote to memory of 1508	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	31
PID 944 wrote to memory of 1508	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	31
PID 944 wrote to memory of 900	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	32
PID 944 wrote to memory of 900	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	32
PID 944 wrote to memory of 900	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	32
PID 944 wrote to memory of 900	944	c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe	32

C:\Users\Admin\AppData\Local\Temp\c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe
"C:\Users\Admin\AppData\Local\Temp\c0db32acbc77c43d13a187c50e034c9558b43339abccd02338c1cea24f5f0b04.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\House\Dorm\instagramm.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:336
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\House\Dorm\slonopotam.vbs"
  2⤵
  PID:1656
- C:\Program Files (x86)\House\Dorm\crypts.exe
  "C:\Program Files (x86)\House\Dorm\crypts.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\House\Dorm\bi2puk.vbs"
  2⤵
  PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\House\Dorm\3.txt

Filesize
16B

MD5
4b0c4eb1a85834e6e82da947fc821b2c

SHA1
f979b8ee7b9dc66b68ec6ead40dbe8c357d2295d

SHA256
14702b04b69c364a460187a3697eac3604b77f51d8b4e38cd34a0a020270d410

SHA512
a2f51c391e2130af73056ca7520327c2261274c62835af70a7b4f5e10b9c2f6c1fc7fffed1385578eccd63d8b4cbe4996d70ca0a76a7d7c22312617d6f7e8391

Download Submit
C:\Program Files (x86)\House\Dorm\4.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\House\Dorm\bi2puk.vbs

Filesize
856B

MD5
3721c9c66ff4013b3b03a977142ebe17

SHA1
90ba61182a6acaf5da268e7b666a00e030bb6aca

SHA256
53ea2cc87ed03c15a326be1c931543c74229b494cb75bc7bf9c3c45478efbf6a

SHA512
35634c1860e9e35fcc8c65d504aeaef343a193e4fe5c40412103962d04779cdb5451852fbf221f275d038b052545f1a1897d245cb577df5f190d59c18027e784

Download Submit
C:\Program Files (x86)\House\Dorm\crypts.exe

Filesize
89KB

MD5
765135511b517059e677c8adac7c5760

SHA1
c22b5ccd61d7a44940d83eb88044692807742eac

SHA256
e5bc031afe0abf76f62f73d269c27dae181c3b4d6145a9c4c891fd2eb2641c0d

SHA512
546c761bfef29c73fa75d0aef812a54dfafed56efc54a399eae019d7251a676f5ce575723c55c31799bb7c71180fb3b034efe946dbc975aad769314496cbce36

Download Submit
C:\Program Files (x86)\House\Dorm\crypts.exe

Filesize
89KB

MD5
765135511b517059e677c8adac7c5760

SHA1
c22b5ccd61d7a44940d83eb88044692807742eac

SHA256
e5bc031afe0abf76f62f73d269c27dae181c3b4d6145a9c4c891fd2eb2641c0d

SHA512
546c761bfef29c73fa75d0aef812a54dfafed56efc54a399eae019d7251a676f5ce575723c55c31799bb7c71180fb3b034efe946dbc975aad769314496cbce36

Download Submit
C:\Program Files (x86)\House\Dorm\instagramm.bat

Filesize
1KB

MD5
873f8020990afa229e1decbdbee6c507

SHA1
1e967a13dc139ae81dabb9dccf5835c64c1a3b14

SHA256
f2c691e7193547801302478642ba8affdc36dfda28d927ca251d43c71376094b

SHA512
140ab65a29c133ef129209db76c11582ee50f2866273bbe9018bee0775540173009f2b19e8e6e21a66a410b1791235a94b0ef7cdfbfa87858710ac11daa664c6

Download Submit
C:\Program Files (x86)\House\Dorm\slonopotam.vbs

Filesize
298B

MD5
22f2c58a1030d4d5f315caa9c948b3d8

SHA1
51324b22abe65f8c89b37caec31f6e7ce4c71055

SHA256
8fddde3a8a4a5c8bc7fe02ab8590b875053308d8853e9cb1b81f7efe1a0f40c5

SHA512
0f6927624236afe512d4fbadd590175cf842496f63a7acca46906d5bc3cd8550652afdb8899586ec153859c1c0cbc2b4c8c5507f21dab3c5d3440d6980418894

Download Submit
\Program Files (x86)\House\Dorm\crypts.exe

Filesize
89KB

MD5
765135511b517059e677c8adac7c5760

SHA1
c22b5ccd61d7a44940d83eb88044692807742eac

SHA256
e5bc031afe0abf76f62f73d269c27dae181c3b4d6145a9c4c891fd2eb2641c0d

SHA512
546c761bfef29c73fa75d0aef812a54dfafed56efc54a399eae019d7251a676f5ce575723c55c31799bb7c71180fb3b034efe946dbc975aad769314496cbce36

Download Submit
\Users\Admin\AppData\Local\Temp\nseD951.tmp\UserInfo.dll

Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nseD951.tmp\UserInfo.dll

Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nseD951.tmp\UserInfo.dll

Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nseD951.tmp\plasmosome.dll

Filesize
68KB

MD5
fb74073356891a3aca66eaef6ccf2dd3

SHA1
8ac1d6de89e3f25d4eec8426e9d5c7ad81259ece

SHA256
b19e082b135070a048dcb9875a4a012ee737cf724a683d24cc800e2527128119

SHA512
b0fe2d0830a835d9a8e6b74dc539944aa3c538832839a729c3b60b5b0ac3aeacb3bc1dffaadc752e6053f9dd86a2c95495ec41cc5794985ba6d2422c7a17fd4f

Download Submit
memory/944-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download