Analysis

  • max time kernel
    45s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/11/2022, 16:23

General

  • Target

    9b07c26aa7f84239289f6ee34af8ffa568934edc8582cc1248d069ab59a80233.exe

  • Size

    1.0MB

  • MD5

    fd2aa92a71824996e8e1f9602732b671

  • SHA1

    03787461eb59034012d0ff215428ed91c143dc5b

  • SHA256

    9b07c26aa7f84239289f6ee34af8ffa568934edc8582cc1248d069ab59a80233

  • SHA512

    9e048cd92ec024f3a5ea8426790c2ef76872e63c5b24f56e580e459d7a6675c1269f6ce6f33147954b752f4bf3f096e192c4e0724ea6b458ba97df725d3c7447

  • SSDEEP

    24576:ohI98hBIkJSRRkVUz7bBAFuUWBxDaoFryHqhHab:ohIMBIkGkaziEUaPFryHqkb

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b07c26aa7f84239289f6ee34af8ffa568934edc8582cc1248d069ab59a80233.exe
    "C:\Users\Admin\AppData\Local\Temp\9b07c26aa7f84239289f6ee34af8ffa568934edc8582cc1248d069ab59a80233.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c convert d: /fs:ntfs /x
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\SysWOW64\convert.exe
        convert d: /fs:ntfs /x
        3⤵
        • Enumerates system info in registry
        PID:1276
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cacls "d:\program files\tencent\qqgame\game" /d everyone /e
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Windows\SysWOW64\cacls.exe
        cacls "d:\program files\tencent\qqgame\game" /d everyone /e
        3⤵
        • Enumerates connected drives
        PID:1768
    • C:\Windows\SysWOW64\regini.exe
      regini c:\temp.txt
      2⤵
      • Modifies WinLogon for persistence
      PID:728
    • C:\Windows\SysWOW64\regini.exe
      regini c:\temp.txt
      2⤵
      • Modifies WinLogon for persistence
      PID:1432
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c convert d: /fs:ntfs /x
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Windows\SysWOW64\convert.exe
        convert d: /fs:ntfs /x
        3⤵
        • Enumerates system info in registry
        PID:536
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cacls "d:\program files\tencent\qqgame\game" /d everyone /e
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\cacls.exe
        cacls "d:\program files\tencent\qqgame\game" /d everyone /e
        3⤵
        • Enumerates connected drives
        PID:1816
    • C:\Windows\SysWOW64\regini.exe
      regini c:\temp.txt
      2⤵
      • Modifies WinLogon for persistence
      PID:1652
    • C:\Windows\SysWOW64\regini.exe
      regini c:\temp.txt
      2⤵
        PID:1884
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c temp.bat
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5
        3⤵
        • Runs ping.exe
        PID:1704
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x480
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1972

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\temp.bat

      Filesize

      137B

      MD5

      3eaf4e2e37e2b275c89551e416ff0ae0

      SHA1

      d8c0c99723ea2b200cb93c6c365244621f372cac

      SHA256

      31322c819ed30f00854b1cbf0f1074ecf29c69e0fb7eed86bf90429e0ab27540

      SHA512

      f142dd655da73b1851fed6f2b095c2a6f846ba23627231618f9cfb8547f37062df8837f4356e49f0c8094778df2105898408e0616979359407af1c863364c85a

    • \??\c:\temp.txt

      Filesize

      88B

      MD5

      83742c94fb95d102e93fddf46d8ef6f2

      SHA1

      52dfc8917945fc55311dc84c5212f286114d550e

      SHA256

      5a5cf88d27c0e735ae2e5a979ac3fbcc6cd3773ab03af16dc591d3c74a7dc2d4

      SHA512

      6e5cb5de0c8d8f3312c73cc81e7b55df1d41ffbcc5056b96aadaad02b1c317f014e2f969e75b8efea25a28a6d5c545261ed5346464ffa1e9907e271b175e20e0

    • \??\c:\temp.txt

      Filesize

      88B

      MD5

      220d2e982564566aee034853d946bf8e

      SHA1

      28fd41417afbdd1a363efb6d3bd630093841dc6c

      SHA256

      c2a32f3d34886137ddc9936e325c0fd540bf5ab6394cf47cb52f837c8c9e4060

      SHA512

      9549459dfbcfe2fffc8ba8e0d137bb821b9bea0143c7e187c9a4c0ed6bd0f2088d514e6e3b3039cd15f08a90a36bf8a417704476385ab0b842afe882053e269d

    • \Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

      Filesize

      1.1MB

      MD5

      cf46bb62a1ba559ceb0fad7a5d642f28

      SHA1

      80b63dd193e84bfacbe535587dd38471b8ea2c24

      SHA256

      fe4bba1a99b332c8bbd196d3a2f3c78d9edc8f212842ff2efef17eba38427f67

      SHA512

      1f71f31fdc1ef7695d7a6e79218a9192804178bb2af80486de4f8ff3d7e176860813a61fa265bf78fe4ff722a85b72798938d715d8a2a034ac759505197a1058

    • memory/1440-56-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

    • memory/1440-55-0x0000000076181000-0x0000000076183000-memory.dmp

      Filesize

      8KB