4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a

Analysis

max time kernel
265s
max time network
362s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 16:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe
Size

1.8MB
MD5

9936b39d4d84bd70a79d8cf2bc03fa32
SHA1

ed6b8dd72fdbca4e5528573bbdb25af8b9493d8f
SHA256

4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a
SHA512

00b6ffedac3b9e9146699e7a0b656bd1a59925aea929c5dd3e64cece2e80f621a63acd58ed19ead7784719a8b1c2510dfa8080fb172de4f3a924583f0d5967d3
SSDEEP

49152:AZzO43KtaISugRed1bVkanj8dV1LRwH6DaQtdvSkPkN:ptaDi8V9Rw6X6kPk

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
652	vvb.exe
556	Crack.exe
292	Crack.tmp
1908	server.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
240	netsh.exe

Loads dropped DLL 5 IoCs

pid	Process
556	Crack.exe
292	Crack.tmp
292	Crack.tmp
292	Crack.tmp
652	vvb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b4475219a86576eb3c91dfd665a538cb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\b4475219a86576eb3c91dfd665a538cb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
292	Crack.tmp

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	server.exe
Token: 33	1908	server.exe
Token: SeIncBasePriorityPrivilege	1908	server.exe
Token: 33	1908	server.exe
Token: SeIncBasePriorityPrivilege	1908	server.exe
Token: 33	1908	server.exe
Token: SeIncBasePriorityPrivilege	1908	server.exe
Token: 33	1908	server.exe
Token: SeIncBasePriorityPrivilege	1908	server.exe
Token: 33	1908	server.exe
Token: SeIncBasePriorityPrivilege	1908	server.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 652	1012	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	28
PID 1012 wrote to memory of 652	1012	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	28
PID 1012 wrote to memory of 652	1012	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	28
PID 1012 wrote to memory of 652	1012	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	28
PID 1012 wrote to memory of 556	1012	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	29
PID 1012 wrote to memory of 556	1012	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	29
PID 1012 wrote to memory of 556	1012	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	29
PID 1012 wrote to memory of 556	1012	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	29
PID 556 wrote to memory of 292	556	Crack.exe	30
PID 556 wrote to memory of 292	556	Crack.exe	30
PID 556 wrote to memory of 292	556	Crack.exe	30
PID 556 wrote to memory of 292	556	Crack.exe	30
PID 556 wrote to memory of 292	556	Crack.exe	30
PID 556 wrote to memory of 292	556	Crack.exe	30
PID 556 wrote to memory of 292	556	Crack.exe	30
PID 652 wrote to memory of 1908	652	vvb.exe	31
PID 652 wrote to memory of 1908	652	vvb.exe	31
PID 652 wrote to memory of 1908	652	vvb.exe	31
PID 652 wrote to memory of 1908	652	vvb.exe	31
PID 1908 wrote to memory of 240	1908	server.exe	32
PID 1908 wrote to memory of 240	1908	server.exe	32
PID 1908 wrote to memory of 240	1908	server.exe	32
PID 1908 wrote to memory of 240	1908	server.exe	32

C:\Users\Admin\AppData\Local\Temp\4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe
"C:\Users\Admin\AppData\Local\Temp\4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Users\Admin\AppData\Local\Temp\vvb.exe
  C:\Users\Admin\AppData\Local\Temp/vvb.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:240
- C:\Users\Admin\AppData\Local\Temp\Crack.exe
  C:\Users\Admin\AppData\Local\Temp/Crack.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\is-DTBVV.tmp\Crack.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-DTBVV.tmp\Crack.tmp" /SL5="$E0022,279271,145920,C:\Users\Admin\AppData\Local\Temp\Crack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crack.exe

Filesize
769KB

MD5
2e7e4fa9fd865ac24ebed0d5f1aa0a72

SHA1
23c980c639a4e4efd6d3edf74c9099bff134bf79

SHA256
c01e5ab8410f4e448f181adb3a2f57324f60cf74d8e5c62aca10ed8447bfd38b

SHA512
2dd1bbcd59a77c05b242172261fc50a5f58d90e1edd1b8a0ff90d9a0a28fc0f1f5b4eb7eef21b300f152360618ac72a086ea3ac83641f349fae3754f55fdeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crack.exe

Filesize
769KB

MD5
2e7e4fa9fd865ac24ebed0d5f1aa0a72

SHA1
23c980c639a4e4efd6d3edf74c9099bff134bf79

SHA256
c01e5ab8410f4e448f181adb3a2f57324f60cf74d8e5c62aca10ed8447bfd38b

SHA512
2dd1bbcd59a77c05b242172261fc50a5f58d90e1edd1b8a0ff90d9a0a28fc0f1f5b4eb7eef21b300f152360618ac72a086ea3ac83641f349fae3754f55fdeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DTBVV.tmp\Crack.tmp

Filesize
1.1MB

MD5
ab0e68631055f355e3fa3a65f5cbb7a6

SHA1
acdfd7155dc6e09025c84f3c36b581e9aad2263c

SHA256
9a8b5b9746b22132903879b4ba5876bb9d3468177989f486c2e67f353b4a2928

SHA512
a1e58a283842c408bf9a399837ff3976930c817830d33845d8cb3838d3098b2b49f6b35d5b812d5b99170e5150fbcd2434914373346f7645362e9885aae04c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
409KB

MD5
12af50fe321b48ceeeae76f17f75f696

SHA1
3263e56879c4d33b6796530a8553b2d429ad3d87

SHA256
63761df5cc91b2f362f9ffc0764684aaecca787a24f749e07cf2994a64a9a3e9

SHA512
74350ce30d61340607f5c8b3c59f063ed962d16f7105712bc9a09febbbd005580b76170bb5878e6d6edfb6156384ec9962d3db8e8ca171d9d72fa4c79dc205a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
409KB

MD5
12af50fe321b48ceeeae76f17f75f696

SHA1
3263e56879c4d33b6796530a8553b2d429ad3d87

SHA256
63761df5cc91b2f362f9ffc0764684aaecca787a24f749e07cf2994a64a9a3e9

SHA512
74350ce30d61340607f5c8b3c59f063ed962d16f7105712bc9a09febbbd005580b76170bb5878e6d6edfb6156384ec9962d3db8e8ca171d9d72fa4c79dc205a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvb.exe

Filesize
409KB

MD5
12af50fe321b48ceeeae76f17f75f696

SHA1
3263e56879c4d33b6796530a8553b2d429ad3d87

SHA256
63761df5cc91b2f362f9ffc0764684aaecca787a24f749e07cf2994a64a9a3e9

SHA512
74350ce30d61340607f5c8b3c59f063ed962d16f7105712bc9a09febbbd005580b76170bb5878e6d6edfb6156384ec9962d3db8e8ca171d9d72fa4c79dc205a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvb.exe

Filesize
409KB

MD5
12af50fe321b48ceeeae76f17f75f696

SHA1
3263e56879c4d33b6796530a8553b2d429ad3d87

SHA256
63761df5cc91b2f362f9ffc0764684aaecca787a24f749e07cf2994a64a9a3e9

SHA512
74350ce30d61340607f5c8b3c59f063ed962d16f7105712bc9a09febbbd005580b76170bb5878e6d6edfb6156384ec9962d3db8e8ca171d9d72fa4c79dc205a5

Download Submit
\Users\Admin\AppData\Local\Temp\is-2P1E3.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-2P1E3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-2P1E3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-DTBVV.tmp\Crack.tmp

Filesize
1.1MB

MD5
ab0e68631055f355e3fa3a65f5cbb7a6

SHA1
acdfd7155dc6e09025c84f3c36b581e9aad2263c

SHA256
9a8b5b9746b22132903879b4ba5876bb9d3468177989f486c2e67f353b4a2928

SHA512
a1e58a283842c408bf9a399837ff3976930c817830d33845d8cb3838d3098b2b49f6b35d5b812d5b99170e5150fbcd2434914373346f7645362e9885aae04c5b

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
409KB

MD5
12af50fe321b48ceeeae76f17f75f696

SHA1
3263e56879c4d33b6796530a8553b2d429ad3d87

SHA256
63761df5cc91b2f362f9ffc0764684aaecca787a24f749e07cf2994a64a9a3e9

SHA512
74350ce30d61340607f5c8b3c59f063ed962d16f7105712bc9a09febbbd005580b76170bb5878e6d6edfb6156384ec9962d3db8e8ca171d9d72fa4c79dc205a5

Download Submit
memory/556-74-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/556-59-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/556-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/556-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/652-66-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download
memory/652-75-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download
memory/652-81-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-54-0x000007FEFB691000-0x000007FEFB693000-memory.dmp

Filesize
8KB

Download
memory/1908-82-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-84-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download