893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a

Analysis

max time kernel
153s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 10:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
Size

22.5MB
MD5

c125715cc082fe693f5efa39912837bb
SHA1

873369200aa459b19dfe0e1f825db7fcd4ec99f6
SHA256

893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a
SHA512

7978d8d18081fef9745919701e8070d5c27289498c9ea4efe69fc2d1bb1dd2283a201b81dee2cb4331aa9e67a0be082296664d015643422ee6af90627fafb8e3
SSDEEP

49152:Ycy52F1BTTWAXv7XnOMj5e1K7x6494Vlc2GXvJTijowTMfbGK:YcTbnw1K7x6i4Vlc2shU2bd

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
100	AdeptTck_setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdeptTck = "C:\\Program Files\\Bjil\\Zvga.exe /AdeptTck /{FAEA3561-DEA8-49F2-BEB4-E0675AD7E9B9}"	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Bjil\doscas\wucesv.dll	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
File created	C:\Program Files\Bjil\huzoe.exe	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\MSPat.xml	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
File created	C:\Program Files\Bjil\doscas\pat.xml	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
File opened for modification	C:\Program Files\Bjil\doscas\pat.xml	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
File created	C:\Program Files\Bjil\doscas\wucesv.dll	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
File created	C:\Program Files\Bjil\hunoes.exe	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
File opened for modification	C:\Program Files\Bjil\hunoes.exe	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
File opened for modification	C:\Program Files\Bjil\huzoe.exe	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
File created	C:\Program Files\Common Files\System\Ole DB\MSPat.xml	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\print\ddeexec	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\print\ddeexec\ = "[print(\"%1\")]"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzc\ = "Project.lzc"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86C37\\ADEPTT~1.EXE,6"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdeptTracker	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86C37\\ADEPTT~1.EXE /dde"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86C37\\ADEPTT~1.EXE,7"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\printto	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\open\ddeexec\ = "[open(\"%1\")]"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\printto\ddeexec	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86C37\\ADEPTT~1.EXE,2"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\open\ddeexec	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\open\command	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzc	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\ = "AdeptTracker Project Document"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\print	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\print\command	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzc\ShellNew	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzc\ShellNew\NullFile	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86C37\\ADEPTT~1.EXE,4"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\printto\command	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86C37\\ADEPTT~1.EXE /dde"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86C37\\ADEPTT~1.EXE,3"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86C37\\ADEPTT~1.EXE,5"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86C37\\ADEPTT~1.EXE /dde"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86C37\\ADEPTT~1.EXE,1"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\open	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdeptTracker\Website	AdeptTck_setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
100	AdeptTck_setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
100	AdeptTck_setup.exe
100	AdeptTck_setup.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 100	1204	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	83
PID 1204 wrote to memory of 100	1204	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	83
PID 1204 wrote to memory of 100	1204	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	83
PID 100 wrote to memory of 2120	100	AdeptTck_setup.exe	84
PID 100 wrote to memory of 2120	100	AdeptTck_setup.exe	84

C:\Users\Admin\AppData\Local\Temp\893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
"C:\Users\Admin\AppData\Local\Temp\893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\g86C37\AdeptTck_setup.exe
  C:\Users\Admin\AppData\Local\Temp\g86C37\AdeptTck_setup.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g86C37\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
C:\Users\Admin\AppData\Local\Temp\g86C37\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
memory/100-135-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/100-137-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download