Analysis
- max time kernel: 90s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2022 19:56

Static task
- static1

Behavioral task
- behavioral1
  Sample: a7fd07dc0abb12be563200627164211884534fda523606ac5eb17572f64b3657.exe
  Resource: win7-20220812-en

Behavioral task
- behavioral2
  Sample: a7fd07dc0abb12be563200627164211884534fda523606ac5eb17572f64b3657.exe
  Resource: win10v2004-20220812-en
General
- Target: a7fd07dc0abb12be563200627164211884534fda523606ac5eb17572f64b3657.exe
- Size: 426KB
- MD5: d104ed6809cccf794135204478f634c2
- SHA1: e05a1cdc30127dd38be0db9afe5828c0f91d99c2
- SHA256: a7fd07dc0abb12be563200627164211884534fda523606ac5eb17572f64b3657
- SHA512: 9ef7b8fa820073dbe208bde9742395e8e660b0313cab137e898d4cc52dec0103b6ca0da76a248363690e96de3a768589ea235840886baccf1dc9a4da697013dd
- SSDEEP: 6144:SDhCdYx7WL5dNy0uewsL5iOjA+/g/vfV4xjhuoNiYQSRgJ7Ui71bhzYof:S8k7hZoL5iB+/g/VOsoxQ+871bR
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
- a26Tj8V6.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Executes dropped EXE 5 IoCs
Processes:
- PID 1536 a26Tj8V6.exe
- PID 2044 bob.exe
- PID 1500 boc.exe
- PID 2000 boc.exe
- PID 820 teuxe.exe
Deletes itself 1 IoCs
Processes:
- PID 952 cmd.exe
Loads dropped DLL 8 IoCs
Processes:
- PID 552 a7fd07dc0abb12be563200627164211884534fda523606ac5eb17572f64b3657.exe (6 loads)
- PID 1536 a26Tj8V6.exe (2 loads)
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- a26Tj8V6.exe: Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\
- a26Tj8V6.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\teuxe = "C:\\Users\\Admin\\teuxe.exe /c"
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- bob.exe: File opened for modification \??\physicaldrive0
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 1500 boc.exe set thread context of PID 2000 boc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates processes with tasklist 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 2000 boc.exe (63 entries)
- PID 1536 a26Tj8V6.exe (1 entry)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- PID 2044 bob.exe: Token: SeShutdownPrivilege
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 1536 a26Tj8V6.exe
- PID 820 teuxe.exe
Suspicious use of WriteProcessMemory 41 IoCs
Processes (distinct source -> target pairs; each pair is recorded several times in the raw report):
- PID 552 a7fd07dc0abb12be563200627164211884534fda523606ac5eb17572f64b3657.exe wrote to memory of PID 1536 a26Tj8V6.exe
- PID 552 a7fd07dc0abb12be563200627164211884534fda523606ac5eb17572f64b3657.exe wrote to memory of PID 2044 bob.exe
- PID 552 a7fd07dc0abb12be563200627164211884534fda523606ac5eb17572f64b3657.exe wrote to memory of PID 1500 boc.exe
- PID 552 a7fd07dc0abb12be563200627164211884534fda523606ac5eb17572f64b3657.exe wrote to memory of PID 952 cmd.exe
- PID 1500 boc.exe wrote to memory of PID 2000 boc.exe
- PID 1536 a26Tj8V6.exe wrote to memory of PID 820 teuxe.exe
- PID 1536 a26Tj8V6.exe wrote to memory of PID 1160 cmd.exe
- PID 1160 cmd.exe wrote to memory of PID 668 tasklist.exe
- PID 820 teuxe.exe wrote to memory of PID 668 tasklist.exe
Processes (indentation shows parent/child nesting)
- C:\Users\Admin\AppData\Local\Temp\a7fd07dc0abb12be563200627164211884534fda523606ac5eb17572f64b3657.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7fd07dc0abb12be563200627164211884534fda523606ac5eb17572f64b3657.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\a26Tj8V6.exe
    Command line: a26Tj8V6.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\teuxe.exe
      Command line: "C:\Users\Admin\teuxe.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del a26Tj8V6.exe
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        - Enumerates processes with tasklist
  - C:\Users\Admin\bob.exe
    Command line: bob.exe
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\boc.exe
    Command line: boc.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\boc.exe
      Command line: boc.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c del a7fd07dc0abb12be563200627164211884534fda523606ac5eb17572f64b3657.exe
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\a26Tj8V6.exe
  Filesize: 152KB
  MD5: 8cc33bea0a846510b2f0d0d7b350c564
  SHA1: 115b10b8717ebabf66c358fd72b7709316e9a1dc
  SHA256: 11d7b9cc464608898d69168dcd6f377b7fcb1c95083c6603e5dc45db2f4e423e
  SHA512: fcd4050fd2b42ec58f7a6a4d612e1186a02265d2da50d13ac70489cf714de066cf1b121157b6c3f616251bb629436f3a45b9fd1f65e8228188a09b9feb3b5bfd
- C:\Users\Admin\bob.exe
  Filesize: 223KB
  MD5: 7f0f3f5ade2f14700f469d77142d2cc0
  SHA1: 4adbd5775ffc9b200d4c801b166476d1ddc1f7d6
  SHA256: f9c16abdffcf75ffec12e4d244f811f568764731260e5d2ff08deecd514c1f89
  SHA512: fe669cf66683935751c6df4321caf9c14efe82365a4fb3aa81e2293d00d6cb825812339d394706161e948482f619628a2e9a3db1c02960172773c8757315136c
- C:\Users\Admin\boc.exe
  Filesize: 148KB
  MD5: ddecfba8af9f77d9f872d36860b7ef8d
  SHA1: 7f85f3433bcd538337bf7c41668aee9a7b005fcb
  SHA256: 0c9b8ea62805169b46d5cfe06c2b402a54658577a272269279976f5cc3fdf6a4
  SHA512: 4ab4f7c8eebe16f6e97b1121f9bef9e82a01d1079a04eb52ede4aeafb4fa7431a0861c0ce3f4f389bef0ba35090eef2f21b50712dba34dd66fa51f7d7f9371ca
- C:\Users\Admin\teuxe.exe
  Filesize: 152KB
  MD5: 4c90854792b86520de338edad1c9f368
  SHA1: 85ec3f14257472add898eaff83530bee400dbd5f
  SHA256: cfe04ccacac0f45c49747163bec740d0dd98efbb7badd850eec48829169a6bf7
  SHA512: 18104f2110c7fe80ef11d4f692d9d02c12fdf81ba37047955eba6668e88ccf1bf8addcbe7ce7cd6c247019c2889d8091b6f64bb2d9cd416bd0ef082ee8420dd5
- \Users\Admin\a26Tj8V6.exe
  Filesize: 152KB
  MD5: 8cc33bea0a846510b2f0d0d7b350c564
  SHA1: 115b10b8717ebabf66c358fd72b7709316e9a1dc
  SHA256: 11d7b9cc464608898d69168dcd6f377b7fcb1c95083c6603e5dc45db2f4e423e
  SHA512: fcd4050fd2b42ec58f7a6a4d612e1186a02265d2da50d13ac70489cf714de066cf1b121157b6c3f616251bb629436f3a45b9fd1f65e8228188a09b9feb3b5bfd
- \Users\Admin\bob.exe
  Filesize: 223KB
  MD5: 7f0f3f5ade2f14700f469d77142d2cc0
  SHA1: 4adbd5775ffc9b200d4c801b166476d1ddc1f7d6
  SHA256: f9c16abdffcf75ffec12e4d244f811f568764731260e5d2ff08deecd514c1f89
  SHA512: fe669cf66683935751c6df4321caf9c14efe82365a4fb3aa81e2293d00d6cb825812339d394706161e948482f619628a2e9a3db1c02960172773c8757315136c
- \Users\Admin\boc.exe
  Filesize: 148KB
  MD5: ddecfba8af9f77d9f872d36860b7ef8d
  SHA1: 7f85f3433bcd538337bf7c41668aee9a7b005fcb
  SHA256: 0c9b8ea62805169b46d5cfe06c2b402a54658577a272269279976f5cc3fdf6a4
  SHA512: 4ab4f7c8eebe16f6e97b1121f9bef9e82a01d1079a04eb52ede4aeafb4fa7431a0861c0ce3f4f389bef0ba35090eef2f21b50712dba34dd66fa51f7d7f9371ca
- \Users\Admin\teuxe.exe
  Filesize: 152KB
  MD5: 4c90854792b86520de338edad1c9f368
  SHA1: 85ec3f14257472add898eaff83530bee400dbd5f
  SHA256: cfe04ccacac0f45c49747163bec740d0dd98efbb7badd850eec48829169a6bf7
  SHA512: 18104f2110c7fe80ef11d4f692d9d02c12fdf81ba37047955eba6668e88ccf1bf8addcbe7ce7cd6c247019c2889d8091b6f64bb2d9cd416bd0ef082ee8420dd5
- memory/668-102-0x0000000000000000-mapping.dmp
- memory/820-94-0x0000000000000000-mapping.dmp
- memory/952-68-0x0000000000000000-mapping.dmp
- memory/1160-101-0x0000000000000000-mapping.dmp
- memory/1500-65-0x0000000000000000-mapping.dmp
- memory/1536-56-0x0000000000000000-mapping.dmp
- memory/2000-90-0x0000000000400000-0x000000000040B000-memory.dmp  Filesize: 44KB
- memory/2000-76-0x0000000000400000-0x000000000040B000-memory.dmp  Filesize: 44KB
- memory/2000-78-0x0000000000400000-0x000000000040B000-memory.dmp  Filesize: 44KB
- memory/2000-75-0x0000000000400000-0x000000000040B000-memory.dmp  Filesize: 44KB
- memory/2000-84-0x0000000000400000-0x000000000040B000-memory.dmp  Filesize: 44KB
- memory/2000-88-0x00000000004012A0-mapping.dmp
- memory/2000-86-0x0000000000400000-0x000000000040B000-memory.dmp  Filesize: 44KB
- memory/2000-80-0x0000000000400000-0x000000000040B000-memory.dmp  Filesize: 44KB
- memory/2000-82-0x0000000000400000-0x000000000040B000-memory.dmp  Filesize: 44KB
- memory/2044-72-0x0000000000400000-0x0000000000464000-memory.dmp  Filesize: 400KB
- memory/2044-71-0x0000000075131000-0x0000000075133000-memory.dmp  Filesize: 8KB
- memory/2044-70-0x0000000000230000-0x0000000000294000-memory.dmp  Filesize: 400KB
- memory/2044-60-0x0000000000000000-mapping.dmp
- memory/2044-73-0x0000000000230000-0x0000000000294000-memory.dmp  Filesize: 400KB