Overview

overview

8

Static

static

8ac61b93f7...c0.exe

windows7-x64

8

8ac61b93f7...c0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 05:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe

  • Size

    356KB

  • MD5

    4858fb78c4c4129c8f90d5db7d212ae4

  • SHA1

    682d27589ebadc5cea5bb9a5a22b9bc70323fca7

  • SHA256

    8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0

  • SHA512

    130d5287ed44df8a1f6aac80c3eb4a905a55c55a3c63f547ac4f5810955824f0f8f2b3ef0ae1ca3bdc876c9064843281f688db3ad3b0853b899b0b84cbef63f4

  • SSDEEP

    3072:GUANCc//////YXTJNDNV3AqS3rm+D7KNB34y2ppFjFS3:zc//////yTJnV3ABr376j2ppFRY

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs .reg file with regedit 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
    "C:\Users\Admin\AppData\Local\Temp\8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\AppData\Local\Temp\8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
      C:\Users\Admin\AppData\Local\Temp\8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Windows\wuauclt.exe
        "C:\Windows\wuauclt.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:900
        • C:\Windows\wuauclt.exe
          C:\Windows\wuauclt.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1600
          • C:\Windows\SysWOW64\regedit.exe
            "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg
            5⤵
            • Runs .reg file with regedit
            PID:936
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" stop sharedaccess
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1460
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop sharedaccess
              6⤵
                PID:1144
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" stop KVWSC
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:396
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop KVWSC
                6⤵
                  PID:1456
              • C:\Windows\SysWOW64\sc.exe
                "C:\Windows\System32\sc.exe" config KVWSC start= disabled
                5⤵
                • Launches sc.exe
                PID:680
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\System32\net.exe" stop KVSrvXP
                5⤵
                  PID:1672
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop KVSrvXP
                    6⤵
                      PID:1956
                  • C:\Windows\SysWOW64\sc.exe
                    "C:\Windows\System32\sc.exe" config KVSrvXP start= disabled
                    5⤵
                    • Launches sc.exe
                    PID:1092
                  • C:\Windows\SysWOW64\net.exe
                    "C:\Windows\System32\net.exe" stop kavsvc
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1148
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop kavsvc
                      6⤵
                        PID:1936
                    • C:\Windows\SysWOW64\sc.exe
                      "C:\Windows\System32\sc.exe" config kavsvc start= disabled
                      5⤵
                      • Launches sc.exe
                      PID:472
                    • C:\Windows\SysWOW64\sc.exe
                      "C:\Windows\System32\sc.exe" config RsRavMon start= disabled
                      5⤵
                      • Launches sc.exe
                      PID:1244
                    • C:\Windows\SysWOW64\net.exe
                      "C:\Windows\System32\net.exe" stop RsCCenter
                      5⤵
                        PID:884
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop RsCCenter
                          6⤵
                            PID:1940
                        • C:\Windows\SysWOW64\net.exe
                          "C:\Windows\System32\net.exe" stop RsRavMon
                          5⤵
                            PID:1976
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop RsRavMon
                              6⤵
                                PID:996
                            • C:\Windows\SysWOW64\sc.exe
                              "C:\Windows\System32\sc.exe" config RsCCenter start= disabled
                              5⤵
                              • Launches sc.exe
                              PID:540

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Windows\noruns.reg
                      Filesize

                      122B

                      MD5

                      704f9f14e6c5b902de15f37bbb234bbc

                      SHA1

                      4e7bd14012b5fe1b07b9ed99a00565ed1d86348b

                      SHA256

                      69c8425b75d3be48f68c1abf33bb9d30688bbd9d28809d92f9dc537393a3d3b4

                      SHA512

                      02376153d198f415f53aabc67272c6042ee4f2c1048b3c5025200d8946f433669cd48295e1bfcd33d1fc8c24f4e1ff0dfb78e36926ad91a334e02718afa93042

                      Download Submit

                    • C:\Windows\noruns.reg
                      Filesize

                      122B

                      MD5

                      704f9f14e6c5b902de15f37bbb234bbc

                      SHA1

                      4e7bd14012b5fe1b07b9ed99a00565ed1d86348b

                      SHA256

                      69c8425b75d3be48f68c1abf33bb9d30688bbd9d28809d92f9dc537393a3d3b4

                      SHA512

                      02376153d198f415f53aabc67272c6042ee4f2c1048b3c5025200d8946f433669cd48295e1bfcd33d1fc8c24f4e1ff0dfb78e36926ad91a334e02718afa93042

                      Download Submit

                    • C:\Windows\wuauclt.exe
                      Filesize

                      356KB

                      MD5

                      4858fb78c4c4129c8f90d5db7d212ae4

                      SHA1

                      682d27589ebadc5cea5bb9a5a22b9bc70323fca7

                      SHA256

                      8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0

                      SHA512

                      130d5287ed44df8a1f6aac80c3eb4a905a55c55a3c63f547ac4f5810955824f0f8f2b3ef0ae1ca3bdc876c9064843281f688db3ad3b0853b899b0b84cbef63f4

                      Download Submit

                    • C:\Windows\wuauclt.exe
                      Filesize

                      356KB

                      MD5

                      4858fb78c4c4129c8f90d5db7d212ae4

                      SHA1

                      682d27589ebadc5cea5bb9a5a22b9bc70323fca7

                      SHA256

                      8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0

                      SHA512

                      130d5287ed44df8a1f6aac80c3eb4a905a55c55a3c63f547ac4f5810955824f0f8f2b3ef0ae1ca3bdc876c9064843281f688db3ad3b0853b899b0b84cbef63f4

                      Download Submit

                    • C:\Windows\wuauclt.exe
                      Filesize

                      356KB

                      MD5

                      4858fb78c4c4129c8f90d5db7d212ae4

                      SHA1

                      682d27589ebadc5cea5bb9a5a22b9bc70323fca7

                      SHA256

                      8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0

                      SHA512

                      130d5287ed44df8a1f6aac80c3eb4a905a55c55a3c63f547ac4f5810955824f0f8f2b3ef0ae1ca3bdc876c9064843281f688db3ad3b0853b899b0b84cbef63f4

                      Download Submit

                    • memory/396-81-0x0000000000000000-mapping.dmp

                      Download

                    • memory/472-89-0x0000000000000000-mapping.dmp

                      Download

                    • memory/540-94-0x0000000000000000-mapping.dmp

                      Download

                    • memory/548-67-0x0000000010000000-0x0000000010059000-memory.dmp

                      Filesize

                      356KB

                      Download

                    • memory/548-61-0x0000000000400000-0x0000000000438000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/548-64-0x0000000000400000-0x0000000000438000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/548-57-0x0000000000408BD4-mapping.dmp

                      Download

                    • memory/548-56-0x0000000000400000-0x0000000000438000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/548-54-0x0000000000400000-0x0000000000438000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/548-60-0x0000000076831000-0x0000000076833000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/680-82-0x0000000000000000-mapping.dmp

                      Download

                    • memory/864-59-0x0000000010000000-0x0000000010059000-memory.dmp

                      Filesize

                      356KB

                      Download

                    • memory/884-93-0x0000000000000000-mapping.dmp

                      Download

                    • memory/900-73-0x0000000010000000-0x0000000010059000-memory.dmp

                      Filesize

                      356KB

                      Download

                    • memory/900-62-0x0000000000000000-mapping.dmp

                      Download

                    • memory/936-78-0x0000000000000000-mapping.dmp

                      Download

                    • memory/996-97-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1092-87-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1144-85-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1148-88-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1244-91-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1456-86-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1460-80-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1600-77-0x0000000000400000-0x0000000000438000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/1600-70-0x0000000000408BD4-mapping.dmp

                      Download

                    • memory/1600-98-0x0000000000400000-0x0000000000438000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/1672-84-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1936-90-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1940-96-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1956-92-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1976-95-0x0000000000000000-mapping.dmp

                      Download