8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d

Analysis

max time kernel
240s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe
Size

109KB
MD5

2cc89125f41c7f0b43a2270bab95f59b
SHA1

52872c01673f3de64f2abcb038bd2ad2f19c9b71
SHA256

8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d
SHA512

b7cbc407caf3a3ec10e73561c06daf1dd4af851d6e1c77d6fa7d6fab91c50bf3a3f1f7c10670d161c70ba5c84e9ac07ffd1263b298a9949c45321f22920a1dd9
SSDEEP

1536:onX6P2JU6nCbtEDbPjg5shQ/G1VyZJAVY53rfL8iL/3p5PKtOPc6BVWFyVsG:HOJU6n+irC8VyZGVw7L8iLBYtIHUyVd

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
528	regsvr32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\softpus.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\softpus.dll	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1496	tasklist.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1348	taskkill.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
976	PING.EXE
1820	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	tasklist.exe
Token: SeDebugPrivilege	1348	taskkill.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 1676	668	8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe	28
PID 668 wrote to memory of 1676	668	8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe	28
PID 668 wrote to memory of 1676	668	8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe	28
PID 668 wrote to memory of 1676	668	8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe	28
PID 668 wrote to memory of 1676	668	8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe	28
PID 668 wrote to memory of 1676	668	8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe	28
PID 668 wrote to memory of 1676	668	8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe	28
PID 1676 wrote to memory of 828	1676	WScript.exe	29
PID 1676 wrote to memory of 828	1676	WScript.exe	29
PID 1676 wrote to memory of 828	1676	WScript.exe	29
PID 1676 wrote to memory of 828	1676	WScript.exe	29
PID 1676 wrote to memory of 828	1676	WScript.exe	29
PID 1676 wrote to memory of 828	1676	WScript.exe	29
PID 1676 wrote to memory of 828	1676	WScript.exe	29
PID 828 wrote to memory of 528	828	cmd.exe	31
PID 828 wrote to memory of 528	828	cmd.exe	31
PID 828 wrote to memory of 528	828	cmd.exe	31
PID 828 wrote to memory of 528	828	cmd.exe	31
PID 828 wrote to memory of 528	828	cmd.exe	31
PID 828 wrote to memory of 528	828	cmd.exe	31
PID 828 wrote to memory of 528	828	cmd.exe	31
PID 828 wrote to memory of 976	828	cmd.exe	32
PID 828 wrote to memory of 976	828	cmd.exe	32
PID 828 wrote to memory of 976	828	cmd.exe	32
PID 828 wrote to memory of 976	828	cmd.exe	32
PID 828 wrote to memory of 976	828	cmd.exe	32
PID 828 wrote to memory of 976	828	cmd.exe	32
PID 828 wrote to memory of 976	828	cmd.exe	32
PID 828 wrote to memory of 1496	828	cmd.exe	33
PID 828 wrote to memory of 1496	828	cmd.exe	33
PID 828 wrote to memory of 1496	828	cmd.exe	33
PID 828 wrote to memory of 1496	828	cmd.exe	33
PID 828 wrote to memory of 1496	828	cmd.exe	33
PID 828 wrote to memory of 1496	828	cmd.exe	33
PID 828 wrote to memory of 1496	828	cmd.exe	33
PID 828 wrote to memory of 1820	828	cmd.exe	35
PID 828 wrote to memory of 1820	828	cmd.exe	35
PID 828 wrote to memory of 1820	828	cmd.exe	35
PID 828 wrote to memory of 1820	828	cmd.exe	35
PID 828 wrote to memory of 1820	828	cmd.exe	35
PID 828 wrote to memory of 1820	828	cmd.exe	35
PID 828 wrote to memory of 1820	828	cmd.exe	35
PID 828 wrote to memory of 1348	828	cmd.exe	36
PID 828 wrote to memory of 1348	828	cmd.exe	36
PID 828 wrote to memory of 1348	828	cmd.exe	36
PID 828 wrote to memory of 1348	828	cmd.exe	36
PID 828 wrote to memory of 1348	828	cmd.exe	36
PID 828 wrote to memory of 1348	828	cmd.exe	36
PID 828 wrote to memory of 1348	828	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe
"C:\Users\Admin\AppData\Local\Temp\8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hy.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c hy.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 hy.dll
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      PID:528
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:976
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1496
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im regsvr32.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hy.bat

Filesize
144B

MD5
f36b3892cd11fe578eadf0d4e49ebd70

SHA1
e25898f1e58ecac39b050c6461e0e95dbf9eb70e

SHA256
a4868b4d6a8bc27c4a4aee08bd04749dc37bdf24c43f036d9fde99c9542ca9e7

SHA512
900a1d0daead103b03e14927caf915d27d0a2b73148a18e5adb635366bded86442d8cf618f65eda63eb8ff255750541ae155a01710c1ed62e1294449f81c1e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\hy.dll

Filesize
63KB

MD5
dd61d349a7c099442135a102cbd342a4

SHA1
fb9d361235f1954abd1842971e6c3bbf6d8981e5

SHA256
86c9490bb84e0fdbf60cbd36eeda4390a810b0a92b3e33dac6679e27060a03c3

SHA512
54366ab8bafbe89bf58285f032a6ae84465731f6595d3a572271a3b6693c7204f39a1a10062df4f703f8292e2313fbad8cf933d7a280a4a67408c1290bce40cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hy.vbs

Filesize
51B

MD5
b622ecd01880270e1625c337249ba7d3

SHA1
f1dad85b2dfa56d2b3ae507765ec96c56e51eb9c

SHA256
d6d1f72224e9db4edbdf2bc900a816d3fe6aa95a9f547a10216a78d6ea722588

SHA512
1a36d8781dc3fdf55b520ace190fe14b8787432b27ffc3b99104a40feb0abf1128c200e977ceb27cf31e9c80edac97eb28e5f11e935d839869b2a8b7550ffde0

Download Submit
\Users\Admin\AppData\Local\Temp\hy.dll

Filesize
63KB

MD5
dd61d349a7c099442135a102cbd342a4

SHA1
fb9d361235f1954abd1842971e6c3bbf6d8981e5

SHA256
86c9490bb84e0fdbf60cbd36eeda4390a810b0a92b3e33dac6679e27060a03c3

SHA512
54366ab8bafbe89bf58285f032a6ae84465731f6595d3a572271a3b6693c7204f39a1a10062df4f703f8292e2313fbad8cf933d7a280a4a67408c1290bce40cf

Download Submit
memory/668-54-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download