93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767

Analysis

max time kernel
147s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe
Size

881KB
MD5

03afa7424847aec7883578cbc1a246f0
SHA1

b0ed280ecc216babecdfb5eaf3dcc7afbc974276
SHA256

93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767
SHA512

5dd8068b26e3458e62d1f1526825363b178b146a624ed46b4b335efeac4687242486f6e94ce219c984ad30682d97134819d6834272a8794efa7e5afc445e5b27
SSDEEP

24576:5aOP7OqX1twj3DR+sjdbjtr+uGCtNk0142FTwTOdb98rni:j7Ouqzd+eFKuGCw01HF8qki

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4392	svchost.exe
5076	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe
3728	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
5076	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe
5076	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe
5076	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe
5076	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe
5076	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe
5076	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\!Free Easy CD DVD BurnerOnce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe"	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe

Drops file in Program Files directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File created	C:\Program Files (x86)\Free Easy CD DVD Burner\log.log	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe\IsHostApp	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5076	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 4392	1164	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe	79
PID 1164 wrote to memory of 4392	1164	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe	79
PID 1164 wrote to memory of 4392	1164	93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe	79
PID 4392 wrote to memory of 5076	4392	svchost.exe	80
PID 4392 wrote to memory of 5076	4392	svchost.exe	80
PID 4392 wrote to memory of 5076	4392	svchost.exe	80

C:\Users\Admin\AppData\Local\Temp\93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe
"C:\Users\Admin\AppData\Local\Temp\93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe
    "C:\Users\Admin\AppData\Local\Temp\93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5076

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe

Filesize
845KB

MD5
c12b4138fdc212edefaab64eb65139b6

SHA1
5c3c82a2baeca5658f3f7805e13c4877ca775179

SHA256
5a024b79071e13865f0636d860af3880799366aceef988ca6501173de9b4c2e6

SHA512
07e30feba822394dfd2cad30284a8858347eff5440385e9752c53aaed301c154aa85c2f7c9de76991d5dd04542ea95c6be12b67a01b94c6482db14bcab559ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\93ac296586556acca2f6e334aeffb1a866f2a2522913c11e94bc5b161eb01767.exe

Filesize
845KB

MD5
c12b4138fdc212edefaab64eb65139b6

SHA1
5c3c82a2baeca5658f3f7805e13c4877ca775179

SHA256
5a024b79071e13865f0636d860af3880799366aceef988ca6501173de9b4c2e6

SHA512
07e30feba822394dfd2cad30284a8858347eff5440385e9752c53aaed301c154aa85c2f7c9de76991d5dd04542ea95c6be12b67a01b94c6482db14bcab559ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdEA46.tmp\Helper.dll

Filesize
1.6MB

MD5
c7249b6267fd8889bccb77221210bb4f

SHA1
bb490a18c6da889ca86bbb7c52fa4bcdb51e0a76

SHA256
eccee8596efa1bbad007e6552d0607540ff2f14a4fc4427ba92bcd1b107b2862

SHA512
c1fe321ccdd8e4a68c3664bbf9cf90bee4aeef90ffd14c2ae86696a7d39074e9beaca1d05a59a5d6aed215d67b54a25116bed034a257e3a5633c4bd38de9fe96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdEA46.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdEA46.tmp\UAC.dll

Filesize
13KB

MD5
a88baad3461d2e9928a15753b1d93fd7

SHA1
bb826e35264968bbc3b981d8430ac55df1e6d4a6

SHA256
c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af

SHA512
5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdEA46.tmp\UAC.dll

Filesize
13KB

MD5
a88baad3461d2e9928a15753b1d93fd7

SHA1
bb826e35264968bbc3b981d8430ac55df1e6d4a6

SHA256
c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af

SHA512
5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdEA46.tmp\nsDialogs.dll

Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdEA46.tmp\nsDialogs.dll

Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/5076-142-0x0000000003D61000-0x0000000003D64000-memory.dmp

Filesize
12KB

Download
memory/5076-146-0x0000000003F01000-0x0000000003F03000-memory.dmp

Filesize
8KB

Download