Analysis
- max time kernel: 151s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 18:23

Static task: static1
Behavioral task: behavioral1
- Sample: 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe
- Resource: win7-20220901-en
General
- Target: 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe
- Size: 725KB
- MD5: 9b221a5e407da5e59976cdd73e204425
- SHA1: 6e5c84a4e49d296b7d3ec4a377653895eb2f82b5
- SHA256: 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783
- SHA512: 6670e5084e608e015d9c32372b20a5bf02e705bce2af8d434a383e7bf700940ff136a8070d6c2cd8d3fc0c4732e0fc101781943701953a24d7dfc705a6a8a9a3
- SSDEEP: 12288:mK2mhAMJ/cPl5LMA2jpy98h7UZYE82Y5UKUL4n4y3Xp3SbSlI:H2O/Gl5PM17g6zwm4m53Sb2I
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1464 | adqpuilnekzd.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid | process):
  1552 | 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe
  1552 | 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe
  1552 | 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe
  1552 | 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | adqpuilnekzd.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\TWQUDV~1 = "C:\\Users\\Admin\\TWQUDV~1\\ogsujmgnf.vbs" | adqpuilnekzd.exe
- Checks whether UAC is enabled
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | adqpuilnekzd.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 1464 set thread context of 1480 | 1464 | adqpuilnekzd.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  1464 | adqpuilnekzd.exe
  1464 | adqpuilnekzd.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description | pid | process | target process):
  PID 1552 wrote to memory of 1464 | 1552 | 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe | adqpuilnekzd.exe
  PID 1552 wrote to memory of 1464 | 1552 | 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe | adqpuilnekzd.exe
  PID 1552 wrote to memory of 1464 | 1552 | 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe | adqpuilnekzd.exe
  PID 1552 wrote to memory of 1464 | 1552 | 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe | adqpuilnekzd.exe
  PID 1552 wrote to memory of 1464 | 1552 | 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe | adqpuilnekzd.exe
  PID 1552 wrote to memory of 1464 | 1552 | 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe | adqpuilnekzd.exe
  PID 1552 wrote to memory of 1464 | 1552 | 04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe | adqpuilnekzd.exe
  PID 1464 wrote to memory of 1480 | 1464 | adqpuilnekzd.exe | RegSvcs.exe
  PID 1464 wrote to memory of 1480 | 1464 | adqpuilnekzd.exe | RegSvcs.exe
  PID 1464 wrote to memory of 1480 | 1464 | adqpuilnekzd.exe | RegSvcs.exe
  PID 1464 wrote to memory of 1480 | 1464 | adqpuilnekzd.exe | RegSvcs.exe
  PID 1464 wrote to memory of 1480 | 1464 | adqpuilnekzd.exe | RegSvcs.exe
  PID 1464 wrote to memory of 1480 | 1464 | adqpuilnekzd.exe | RegSvcs.exe
  PID 1464 wrote to memory of 1480 | 1464 | adqpuilnekzd.exe | RegSvcs.exe
  PID 1464 wrote to memory of 1480 | 1464 | adqpuilnekzd.exe | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04670a7a3b1e740d9019aa3ca77e4cd37bb08ad3fc25abd150c8d0b70784b783.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\twqudvq84\adqpuilnekzd.exe
    Command line: "C:\Users\Admin\twqudvq84\adqpuilnekzd.exe" kjlqavftrdkh
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\TWQUDV~1\YABAZX~1.UIW
  Filesize: 81KB
  MD5: fc1d46c26757b6c9814ea66696a2915f
  SHA1: c2674cad0e17c2a1601d8bcd1518bd63636d8b55
  SHA256: dfd5ed1c31876c5a029916eed49ad3d00e14b50baadc425f91c997f636d5c7f6
  SHA512: 15dc5b560ea68a18488a81d41728bc3338cf9be0d7b309d466c2918dbd8d9c2b308a3c996753fbff340ff5b2d6f0c815c8281b8fa3b93cd446ccdfb6864db870
- C:\Users\Admin\TWQUDV~1\khficpndvn.FGT
  Filesize: 86B
  MD5: f0fc2d3ab46d7b713255a0c05183e8be
  SHA1: b7368f65a730ba46b277329a0f7c7b53ccfbcf7e
  SHA256: b5673f6ec974623df0c1c01752cca07990bb8d70e6fa266ce8d4df2f58a18981
  SHA512: bb08e1ad7cab500c86f5e23cae9f265181cde52deb2ddef8e995100a4fba9f28f46543e7663f3c15eba6a9a1f657bcafd9d0b8c9f5f21d65b6f55e6a135d1ee7
- C:\Users\Admin\twqudvq84\adqpuilnekzd.exe
  Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
- C:\Users\Admin\twqudvq84\kjlqavftrdkh
  Filesize: 306.2MB
  MD5: 06af97aad260c8aef09b2a60990347d1
  SHA1: df53285455eacb91197cc06c709ae7f18a58eef9
  SHA256: 92073be508678b847ae690b6f5a96f378eb4525b9f04a36ae9bf003848909eae
  SHA512: efd3c5f3b305f2923e6dec0cf312d754481cb65af7f685e353eba580acc38d8953a503decc72ab2032c8f8e1a69ea28b3ad3b89d9c5c9be2d249b8f8a72c4a53
- \Users\Admin\twqudvq84\adqpuilnekzd.exe
  Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
- memory/1464-59-0x0000000000000000-mapping.dmp
- memory/1480-66-0x0000000000402196-mapping.dmp
- memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp
  Filesize: 8KB