Analysis
-
max time kernel
151s -
max time network
81s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
29/11/2022, 03:26
Static task
static1
Behavioral task
behavioral1
Sample
c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe
Resource
win10v2004-20220812-en
General
-
Target
c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe
-
Size
80KB
-
MD5
c5acbe75fc88475610ade31fa594a71b
-
SHA1
664b8032ba52aa926ba8f01a32dcf50fc1079df6
-
SHA256
c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19
-
SHA512
393be8ef508808d3738bc9a09ac531a1432b1078259b3d982bc4fe6ac4e1e6c720251b7da2a5059b64510309f8cabfe3aadf30baec9ea77889baa740bb450f12
-
SSDEEP
768:E4wqbVmf0fDUop1AShqG9jy1R2g7VnxPPB4qHfA5pcZdFveLuRQ1H2GBVI6Z:J4f8DRCST9XUZHfAUZ7yuRQ11VI6Z
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" rcdaiw.exe -
Executes dropped EXE 1 IoCs
pid Process 1748 rcdaiw.exe -
Loads dropped DLL 2 IoCs
pid Process 1600 c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe 1600 c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe -
Adds Run key to start application 2 TTPs 29 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /w" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /h" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /m" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /z" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /a" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /i" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /l" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /u" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /o" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /f" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /p" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /q" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /b" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /v" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /t" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /s" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /n" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /y" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /k" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /i" c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /e" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /g" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /j" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /r" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /d" rcdaiw.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /c" rcdaiw.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcdaiw = "C:\\Users\\Admin\\rcdaiw.exe /x" rcdaiw.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1600 c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe 1748 rcdaiw.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1600 c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe 1748 rcdaiw.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1600 wrote to memory of 1748 1600 c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe 27 PID 1600 wrote to memory of 1748 1600 c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe 27 PID 1600 wrote to memory of 1748 1600 c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe 27 PID 1600 wrote to memory of 1748 1600 c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe"C:\Users\Admin\AppData\Local\Temp\c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Users\Admin\rcdaiw.exe"C:\Users\Admin\rcdaiw.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1748
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
80KB
MD598b8fb6fb004f08926b0ec4252b16392
SHA1f090f3bc130a5e6c6182aa6af1be8cf10d3195c7
SHA256f9c2ec286e9f3ff66fbe80cccc7cdf315a5a51736fdb954418405102019387d2
SHA51254dda28e4e4bf826c2f5b433cfe7f1f823c81270c441aea9fde009e9b66115bdb2863e6c9c095afe7ca39117aea039055b27a6ed030aa9976f7fef8e05ad3660
-
Filesize
80KB
MD598b8fb6fb004f08926b0ec4252b16392
SHA1f090f3bc130a5e6c6182aa6af1be8cf10d3195c7
SHA256f9c2ec286e9f3ff66fbe80cccc7cdf315a5a51736fdb954418405102019387d2
SHA51254dda28e4e4bf826c2f5b433cfe7f1f823c81270c441aea9fde009e9b66115bdb2863e6c9c095afe7ca39117aea039055b27a6ed030aa9976f7fef8e05ad3660
-
Filesize
80KB
MD598b8fb6fb004f08926b0ec4252b16392
SHA1f090f3bc130a5e6c6182aa6af1be8cf10d3195c7
SHA256f9c2ec286e9f3ff66fbe80cccc7cdf315a5a51736fdb954418405102019387d2
SHA51254dda28e4e4bf826c2f5b433cfe7f1f823c81270c441aea9fde009e9b66115bdb2863e6c9c095afe7ca39117aea039055b27a6ed030aa9976f7fef8e05ad3660
-
Filesize
80KB
MD598b8fb6fb004f08926b0ec4252b16392
SHA1f090f3bc130a5e6c6182aa6af1be8cf10d3195c7
SHA256f9c2ec286e9f3ff66fbe80cccc7cdf315a5a51736fdb954418405102019387d2
SHA51254dda28e4e4bf826c2f5b433cfe7f1f823c81270c441aea9fde009e9b66115bdb2863e6c9c095afe7ca39117aea039055b27a6ed030aa9976f7fef8e05ad3660