Analysis
max time kernel: 204s
max time network: 211s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 06:15
Static task: static1
Behavioral task: behavioral1
  Sample: 57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe
  Resource: win10v2004-20220812-en
General
Target: 57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe
Size: 298KB
MD5: dc604cc2ab66e0032438fc9fc5fac14a
SHA1: ec8cb465b71bb2996c62b4e61d2f854aa5f2e08a
SHA256: 57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d
SHA512: 15bc431ad3d83833740d12b3fabb0e63448538621680321becd8cf7a40739386b227f02d77c2c6e4589f2ecc65c616dacd876e4bec04fe18ba0edfb1faf7ef1b
SSDEEP: 6144:F5cp5Xtlc5AOYKlJ8NdULIUxm6EEBtt4lA2d2WSwggC4H/uuH:F5W3l+hwUkiFEEBDlgAwlC4HfH
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | msiexec.exe
- UAC bypass
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1380768984 = "C:\\ProgramData\\msrcgb.exe" | msiexec.exe
- Blocklisted process makes network request (7 IoCs)
  Processes (flow | pid | process):
  4 | 1044 | msiexec.exe
  5 | 1044 | msiexec.exe
  7 | 1044 | msiexec.exe
  8 | 1044 | msiexec.exe
  39 | 1044 | msiexec.exe
  40 | 1044 | msiexec.exe
  43 | 1044 | msiexec.exe
- Disables taskbar notifications via registry modification
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  1628 | F7E8.tmp
  668 | 25CC.tmp
- Drops startup file (1 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b6807533.exe | explorer.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid | process):
  1380 | 57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe (4 events)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*680753 = "C:\\b6807533\\b6807533.exe" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\b6807533 = "C:\\Users\\Admin\\AppData\\Roaming\\b6807533.exe" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*6807533 = "C:\\Users\\Admin\\AppData\\Roaming\\b6807533.exe" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\b680753 = "C:\\b6807533\\b6807533.exe" | explorer.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
  11 | ip-addr.es
  13 | myexternalip.com
  15 | myexternalip.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid | process):
  2024 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  1628 | F7E8.tmp
  1044 | msiexec.exe
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid | process):
  1628 | F7E8.tmp (3 events)
  668 | 25CC.tmp
  1824 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1044 | msiexec.exe
  Token: SeBackupPrivilege | 1752 | vssvc.exe
  Token: SeRestorePrivilege | 1752 | vssvc.exe
  Token: SeAuditPrivilege | 1752 | vssvc.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes (source pid | source process | target pid | target process | events):
  1380 | 57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe | 1628 | F7E8.tmp | 4
  1628 | F7E8.tmp | 1876 | msiexec.exe | 7
  1380 | 57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe | 668 | 25CC.tmp | 4
  1628 | F7E8.tmp | 1044 | msiexec.exe | 7
  668 | 25CC.tmp | 1824 | explorer.exe | 4
  1824 | explorer.exe | 524 | svchost.exe | 4
  1824 | explorer.exe | 2024 | vssadmin.exe | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\F7E8.tmp (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\F7E8.tmp
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (depth 3)
      command line: "C:\Windows\system32\msiexec.exe"
    - C:\Windows\SysWOW64\msiexec.exe (depth 3)
      command line: "C:\Windows\system32\msiexec.exe"
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Adds policy Run key to start application
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\25CC.tmp (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\25CC.tmp
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\syswow64\explorer.exe (depth 3)
      command line: "C:\Windows\syswow64\explorer.exe"
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\syswow64\svchost.exe (depth 4)
        command line: -k netsvcs
      - C:\Windows\syswow64\vssadmin.exe (depth 4)
        command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (depth 1)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\25CC.tmp
  Filesize: 129KB
  MD5: 07b4592c97a1463e510c54dfc7397a32
  SHA1: 96b4c25879ede0a923f5cfead45ae1f5a75a40a6
  SHA256: 7d3cb54f874eb54212f2f77fc6e8e9e0808b3a4c95584fdb18411583f01eb130
  SHA512: c906b35334b52ecf270a64b3b1ee7be9e5673bd19cd93f825440cd0c98c0cda402cd0ea1f5695f36dab175ba74293600bea8f8405d6178aee53873fbacbfb5f1
- C:\Users\Admin\AppData\Local\Temp\F7E8.tmp
  Filesize: 16KB
  MD5: b5267674f2a52871b54bc2ba8e931fcf
  SHA1: ff6fa062e0dde9f50d6a430f4b360781c583f9d9
  SHA256: b6f74672c8b776125cfecc007e5a3eaf46fa64ea70df089f4c5997d303aad9dd
  SHA512: 98a82ae906ea088cd9bda73fde871df2d55df13176387b0bc3cdd313824106bfd2e3647885987097b7e0d9e5f0e292feb19dfa9072020ffedf012e047b91293f
- memory/524-85-0x0000000000000000-mapping.dmp
- memory/524-88-0x0000000000080000-0x00000000000A5000-memory.dmp (148KB)
- memory/668-69-0x0000000000000000-mapping.dmp
- memory/1044-89-0x000000007EF90000-0x000000007EF97000-memory.dmp (28KB)
- memory/1044-83-0x000000007EF90000-0x000000007EF97000-memory.dmp (28KB)
- memory/1044-73-0x0000000000000000-mapping.dmp
- memory/1380-65-0x0000000000400000-0x0000000002535000-memory.dmp (33.2MB)
- memory/1380-56-0x0000000000310000-0x0000000000332000-memory.dmp (136KB)
- memory/1380-54-0x0000000075611000-0x0000000075613000-memory.dmp (8KB)
- memory/1380-57-0x0000000000400000-0x0000000002535000-memory.dmp (33.2MB)
- memory/1380-91-0x00000000002F0000-0x00000000002F6000-memory.dmp (24KB)
- memory/1380-62-0x00000000002F0000-0x00000000002F6000-memory.dmp (24KB)
- memory/1380-90-0x00000000002F0000-0x00000000002F6000-memory.dmp (24KB)
- memory/1380-55-0x00000000746D1000-0x00000000746D3000-memory.dmp (8KB)
- memory/1380-63-0x00000000002F0000-0x00000000002F6000-memory.dmp (24KB)
- memory/1628-71-0x000000007EF90000-0x000000007EF97000-memory.dmp (28KB)
- memory/1628-64-0x0000000000400000-0x0000000000406000-memory.dmp (24KB)
- memory/1628-60-0x0000000000000000-mapping.dmp
- memory/1824-82-0x0000000000330000-0x0000000000355000-memory.dmp (148KB)
- memory/1824-80-0x0000000073E91000-0x0000000073E93000-memory.dmp (8KB)
- memory/1824-76-0x0000000000000000-mapping.dmp
- memory/1876-78-0x0000000000090000-0x0000000000096000-memory.dmp (24KB)
- memory/1876-77-0x0000000000B00000-0x0000000000B14000-memory.dmp (80KB)
- memory/1876-72-0x0000000000000000-mapping.dmp
- memory/2024-86-0x0000000000000000-mapping.dmp