250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3

Analysis

max time kernel
35s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
Size

646KB
MD5

4f75a4f0e4223d49c9c1f83eda657087
SHA1

70f5045c407146676e55c2311f75adc52851b85b
SHA256

250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3
SHA512

87b92943e01ac3c3305ddc57d22984401b86577fd081d82d2fb1b102cb8ceb8bc1d2a267934d5c300db7a78fe1c8402844a8321cee0cfc9b727317caa6547f74
SSDEEP

12288:b1dlZo5y8E3k12MgGiFELWGgkeMzlELnqRs+gN/61XhhOzkoDQQyazsB3t:b1dlZo51HcKLvcMzlYTBS1Xhhkki6v

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1516	Hackweball.exe
1708	server.exe
568	server.exe

Loads dropped DLL 5 IoCs

pid	Process
1536	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
1536	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
1536	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
1536	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
1708	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
568	server.exe
568	server.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	568	server.exe
Token: SeIncBasePriorityPrivilege	568	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1516	Hackweball.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1516	1536	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	27
PID 1536 wrote to memory of 1516	1536	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	27
PID 1536 wrote to memory of 1516	1536	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	27
PID 1536 wrote to memory of 1516	1536	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	27
PID 1536 wrote to memory of 1708	1536	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	28
PID 1536 wrote to memory of 1708	1536	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	28
PID 1536 wrote to memory of 1708	1536	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	28
PID 1536 wrote to memory of 1708	1536	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	28
PID 1708 wrote to memory of 568	1708	server.exe	29
PID 1708 wrote to memory of 568	1708	server.exe	29
PID 1708 wrote to memory of 568	1708	server.exe	29
PID 1708 wrote to memory of 568	1708	server.exe	29
PID 568 wrote to memory of 1288	568	server.exe	20
PID 568 wrote to memory of 1288	568	server.exe	20
PID 568 wrote to memory of 1288	568	server.exe	20
PID 568 wrote to memory of 1288	568	server.exe	20
PID 568 wrote to memory of 1288	568	server.exe	20
PID 568 wrote to memory of 1288	568	server.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288
- C:\Users\Admin\AppData\Local\Temp\250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
  "C:\Users\Admin\AppData\Local\Temp\250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Extracted\Hackweball.exe
    "C:\Extracted\Hackweball.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1516
- - C:\Extracted\server.exe
    "C:\Extracted\server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2010.08.28T11.10\Virtual\STUBEXE\8.0.1112\@APPDIR@\server.exe
      "C:\Extracted\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\Hackweball.exe

Filesize
224KB

MD5
c9741e5cf9c1e529f9777de1701f8375

SHA1
cd0e97823bb155f1724b134a929306be4ec536bf

SHA256
f72c799c6f71e09fb23a5a8d208537f03e86aca525a7455b6a508c65ac5004ae

SHA512
b5437fe7326f487c4a4f48f55a64b4758bc0a0fdc62bbc7336976ff328ad9222e2b32699f4f6121f4e87ed4afc2a26c86fe5b989f4791c7408ebc6b7d2b06f40

Download Submit
C:\Extracted\server.exe

Filesize
394KB

MD5
4564a9fcbd275eebde0ec8bcddf39561

SHA1
e61782d6214dfc59717db6229cdbc2f6b7a5c67b

SHA256
5a1d3b16641fbd535645e3e9713e125844d030d47ce621b87b4dcfe9329b123f

SHA512
d96e074444bc9ca412c30d2c33842540b24f1cdaa257c6fc057e4e464233d5dd7fc541c4feb4a8a8dc3b3ad0aded25f5ebf091738e2ff02ab04026cc3687899c

Download Submit
C:\Extracted\server.exe

Filesize
394KB

MD5
4564a9fcbd275eebde0ec8bcddf39561

SHA1
e61782d6214dfc59717db6229cdbc2f6b7a5c67b

SHA256
5a1d3b16641fbd535645e3e9713e125844d030d47ce621b87b4dcfe9329b123f

SHA512
d96e074444bc9ca412c30d2c33842540b24f1cdaa257c6fc057e4e464233d5dd7fc541c4feb4a8a8dc3b3ad0aded25f5ebf091738e2ff02ab04026cc3687899c

Download Submit
C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2010.08.28T11.10\Virtual\STUBEXE\8.0.1112\@APPDIR@\server.exe

Filesize
17KB

MD5
e6361c7005b104dfa196e7bba3026a61

SHA1
645820b4f900b28b488e0de12df4e3e45aae55bc

SHA256
5015077f26651c8186111e79eac3abe04de303aa83e6b6c03526ec0e62c46a8d

SHA512
193a4410b729a1d0ac73cdcd5f20f68c6b86be079e3764d4671907f42870dbf0dae6707c0798324302cec972cb22f5f7c7692e57ac623141387839a6a2f82c8c

Download Submit
\Extracted\Hackweball.exe

Filesize
224KB

MD5
c9741e5cf9c1e529f9777de1701f8375

SHA1
cd0e97823bb155f1724b134a929306be4ec536bf

SHA256
f72c799c6f71e09fb23a5a8d208537f03e86aca525a7455b6a508c65ac5004ae

SHA512
b5437fe7326f487c4a4f48f55a64b4758bc0a0fdc62bbc7336976ff328ad9222e2b32699f4f6121f4e87ed4afc2a26c86fe5b989f4791c7408ebc6b7d2b06f40

Download Submit
\Extracted\Hackweball.exe

Filesize
224KB

MD5
c9741e5cf9c1e529f9777de1701f8375

SHA1
cd0e97823bb155f1724b134a929306be4ec536bf

SHA256
f72c799c6f71e09fb23a5a8d208537f03e86aca525a7455b6a508c65ac5004ae

SHA512
b5437fe7326f487c4a4f48f55a64b4758bc0a0fdc62bbc7336976ff328ad9222e2b32699f4f6121f4e87ed4afc2a26c86fe5b989f4791c7408ebc6b7d2b06f40

Download Submit
\Extracted\server.exe

Filesize
394KB

MD5
4564a9fcbd275eebde0ec8bcddf39561

SHA1
e61782d6214dfc59717db6229cdbc2f6b7a5c67b

SHA256
5a1d3b16641fbd535645e3e9713e125844d030d47ce621b87b4dcfe9329b123f

SHA512
d96e074444bc9ca412c30d2c33842540b24f1cdaa257c6fc057e4e464233d5dd7fc541c4feb4a8a8dc3b3ad0aded25f5ebf091738e2ff02ab04026cc3687899c

Download Submit
\Extracted\server.exe

Filesize
394KB

MD5
4564a9fcbd275eebde0ec8bcddf39561

SHA1
e61782d6214dfc59717db6229cdbc2f6b7a5c67b

SHA256
5a1d3b16641fbd535645e3e9713e125844d030d47ce621b87b4dcfe9329b123f

SHA512
d96e074444bc9ca412c30d2c33842540b24f1cdaa257c6fc057e4e464233d5dd7fc541c4feb4a8a8dc3b3ad0aded25f5ebf091738e2ff02ab04026cc3687899c

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2010.08.28T11.10\Virtual\STUBEXE\8.0.1112\@APPDIR@\server.exe

Filesize
17KB

MD5
e6361c7005b104dfa196e7bba3026a61

SHA1
645820b4f900b28b488e0de12df4e3e45aae55bc

SHA256
5015077f26651c8186111e79eac3abe04de303aa83e6b6c03526ec0e62c46a8d

SHA512
193a4410b729a1d0ac73cdcd5f20f68c6b86be079e3764d4671907f42870dbf0dae6707c0798324302cec972cb22f5f7c7692e57ac623141387839a6a2f82c8c

Download Submit
memory/568-80-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/568-78-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/568-87-0x0000000000480000-0x00000000004F2000-memory.dmp

Filesize
456KB

Download
memory/568-83-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/568-82-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/568-81-0x0000000000480000-0x00000000004F2000-memory.dmp

Filesize
456KB

Download
memory/568-79-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1288-84-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1536-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1708-68-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1708-73-0x0000000000350000-0x00000000003C2000-memory.dmp

Filesize
456KB

Download
memory/1708-72-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1708-71-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1708-70-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1708-69-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1708-88-0x0000000000350000-0x00000000003C2000-memory.dmp

Filesize
456KB

Download