92c6df609046a60222cf050ad982a778923f809d5016c5f0cd09c565025d7c85

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92c6df609046a60222cf050ad982a778923f809d5016c5f0cd09c565025d7c85.exe
Size

508KB
MD5

a8afc13b00c336114156453e11efbad7
SHA1

b40287154894e9543e3423faa78f4d324a9ce3bb
SHA256

92c6df609046a60222cf050ad982a778923f809d5016c5f0cd09c565025d7c85
SHA512

84e65574389e33654efae2d77cc98888fe27b1e5586a9fc42afb09098b1b25057081a1054322c028f2bc1731bef6e5fbbeee8f13a86cfb346c08c19cf09527d0
SSDEEP

6144:zAffEg+7irp6u7BDMnP5LhhFxZJWnZ8j7wJkcuGzG8:kXR+irMu79ERLhhFVWnS7TcvG8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
944	7104410.tmp
1640	app.exe

Loads dropped DLL 5 IoCs

pid	Process
1408	92c6df609046a60222cf050ad982a778923f809d5016c5f0cd09c565025d7c85.exe
1408	92c6df609046a60222cf050ad982a778923f809d5016c5f0cd09c565025d7c85.exe
944	7104410.tmp
944	7104410.tmp
1640	app.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ms21032.log	7104410.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\c19582.vbs	7104410.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}\LocalServer32	app.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}\LocalServer32\ = "="	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}\	app.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe
1640	app.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	app.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
904	DllHost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 944	1408	92c6df609046a60222cf050ad982a778923f809d5016c5f0cd09c565025d7c85.exe	27
PID 1408 wrote to memory of 944	1408	92c6df609046a60222cf050ad982a778923f809d5016c5f0cd09c565025d7c85.exe	27
PID 1408 wrote to memory of 944	1408	92c6df609046a60222cf050ad982a778923f809d5016c5f0cd09c565025d7c85.exe	27
PID 1408 wrote to memory of 944	1408	92c6df609046a60222cf050ad982a778923f809d5016c5f0cd09c565025d7c85.exe	27
PID 944 wrote to memory of 1652	944	7104410.tmp	29
PID 944 wrote to memory of 1652	944	7104410.tmp	29
PID 944 wrote to memory of 1652	944	7104410.tmp	29
PID 944 wrote to memory of 1652	944	7104410.tmp	29
PID 944 wrote to memory of 308	944	7104410.tmp	30
PID 944 wrote to memory of 308	944	7104410.tmp	30
PID 944 wrote to memory of 308	944	7104410.tmp	30
PID 944 wrote to memory of 308	944	7104410.tmp	30
PID 944 wrote to memory of 1640	944	7104410.tmp	32
PID 944 wrote to memory of 1640	944	7104410.tmp	32
PID 944 wrote to memory of 1640	944	7104410.tmp	32
PID 944 wrote to memory of 1640	944	7104410.tmp	32
PID 308 wrote to memory of 564	308	cmd.exe	33
PID 308 wrote to memory of 564	308	cmd.exe	33
PID 308 wrote to memory of 564	308	cmd.exe	33
PID 308 wrote to memory of 564	308	cmd.exe	33
PID 308 wrote to memory of 1624	308	cmd.exe	34
PID 308 wrote to memory of 1624	308	cmd.exe	34
PID 308 wrote to memory of 1624	308	cmd.exe	34
PID 308 wrote to memory of 1624	308	cmd.exe	34

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
564	attrib.exe
1624	attrib.exe

C:\Users\Admin\AppData\Local\Temp\92c6df609046a60222cf050ad982a778923f809d5016c5f0cd09c565025d7c85.exe
"C:\Users\Admin\AppData\Local\Temp\92c6df609046a60222cf050ad982a778923f809d5016c5f0cd09c565025d7c85.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\7104410.tmp
  C:\Users\Admin\AppData\Local\Temp\7104410.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe C:\PROGRA~1\c19582.vbs
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\6fRdt7E\978.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:308
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +H +R "C:\Users\Admin\AppData\Local\Temp\d030b2c967bf3c18f4a53a90c87c73f2.dat"
      4⤵
      Views/modifies file attributes
      PID:564
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +H +R "C:\6fRdt7E"
      4⤵
      Views/modifies file attributes
      PID:1624
- - C:\6fRdt7E\app.exe
    C:\6fRdt7E\app.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1640

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\6fRdt7E\978.bat

Filesize
155B

MD5
a62257fab317ddcfa6745ebc754a3466

SHA1
da354d68d3bf59e100375f0fa760007624322d2d

SHA256
f38ad6413041cb427a38a9b91e9f6ab8d4faa4d316d2b5908553d52e5e2522ed

SHA512
b0a6f7821cc8e7f7329aa9b016b27d6f0201eff408f16f0243c15c0e3e27df4b3246f733aab29f4c366e72d8f4220ebad9707c144d886e4393d857551f84b098

Download Submit
C:\6fRdt7E\Common\Utility.dll

Filesize
70.2MB

MD5
ae9f772c2528060ba5ffd57e97c03f0c

SHA1
415672fbcfb626d466fc5ecc01fd9f2a015d310e

SHA256
fc137959ed93f94a3b5fa02d1540a790b82eecddd4f44d59537483ae6c2a5e25

SHA512
e6e1c593e54ca1332378c580cd5a723554650b37fa8fbdab4a64b1543ab218d79708a714d7cef69bac1fc46e53d1b1880d55869781a89bfa5391af45e1974c64

Download Submit
C:\6fRdt7E\app.exe

Filesize
15KB

MD5
c8c7f7472e5c059cbcc99d1eedd0d1ae

SHA1
10013a17639887f8c8ee2b37ec111352b9102832

SHA256
066bd9a9e327df4422beb4922e49be328db8adc1b7c6fad7e4b5f1c47c5655c9

SHA512
82762abeade3df840095f95f0559a1a6164e62bae3ff74e547df22dc59034b3ac65a540065aba2434798a6d3a8915ac455d564e0ab885333601fffa32e3272d0

Download Submit
C:\PROGRA~1\c19582.vbs

Filesize
2.6MB

MD5
79274b2089282215f7db5cbfbed85a16

SHA1
5ef245528e1dbde1616630754ea67df8b0ab8462

SHA256
16ffd2ac230f118c1041de853b6d2a37d8a8ba4ea16b28c478b5fbcd700ecacd

SHA512
9737381d58180d80ccd89d7908ee8c4f6ef19ef5763b45db6609fd1b29ab36891689ffc71a33dece3672ce47457054abe735498d249bf6c095c7221464b500a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7104410.tmp

Filesize
74.3MB

MD5
4cebbcb292215a2104d7846c32d5a3dc

SHA1
650215efe86e97834da73580d770d4edbee594bd

SHA256
17866b7f400b0b1fc2e24c33a7ebcd6abf4097d1d720fcf82cedcda290613bcb

SHA512
74aadb7ba242fe95279678e36cb7911ffdda9e22e15e6366b1193ba2307b085b8fdaa960e81562ad493942f127b586de2fa75f96a26730b8b1e657e24985b08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7104410.tmp

Filesize
74.3MB

MD5
4cebbcb292215a2104d7846c32d5a3dc

SHA1
650215efe86e97834da73580d770d4edbee594bd

SHA256
17866b7f400b0b1fc2e24c33a7ebcd6abf4097d1d720fcf82cedcda290613bcb

SHA512
74aadb7ba242fe95279678e36cb7911ffdda9e22e15e6366b1193ba2307b085b8fdaa960e81562ad493942f127b586de2fa75f96a26730b8b1e657e24985b08b

Download Submit
C:\Windows\SysWOW64\ms21032.log

Filesize
45B

MD5
2ce452fbfac40d6f6f66f3a41e0c58d7

SHA1
09fa22595ce374c5475655049fdf9b7867233fbd

SHA256
9808f98b4431c7e6f124944d1357416d4d79d598e3180960ee986c9dbd0049e8

SHA512
1e5553fe46fb7d2e1d1433312b6ba367d58082dff6b5c5b6ba003a04d30515fad1e509049731982efd9410aa213b624c14665d7551f302821e03e7a83e5d2d79

Download Submit
C:\temp.jpg

Filesize
46KB

MD5
7741536911ac5c49d3eb9a86c423b10a

SHA1
1d5e9165335134c871043db16a5541eb9ab23a9a

SHA256
c342670f8c691ff050ffd13e5089a9885ff70f7d5e1a822e257240e0c1cdeabb

SHA512
332517d6d94fa8cdfc1ef75f057cd5254c90c0dc30e3d07767bcb46f26646a625e11b19602dbef04bcb57a3dabe086700ad62bc095b87fd9397e526aa090dd98

Download Submit
\6fRdt7E\app.exe

Filesize
15KB

MD5
c8c7f7472e5c059cbcc99d1eedd0d1ae

SHA1
10013a17639887f8c8ee2b37ec111352b9102832

SHA256
066bd9a9e327df4422beb4922e49be328db8adc1b7c6fad7e4b5f1c47c5655c9

SHA512
82762abeade3df840095f95f0559a1a6164e62bae3ff74e547df22dc59034b3ac65a540065aba2434798a6d3a8915ac455d564e0ab885333601fffa32e3272d0

Download Submit
\6fRdt7E\app.exe

Filesize
15KB

MD5
c8c7f7472e5c059cbcc99d1eedd0d1ae

SHA1
10013a17639887f8c8ee2b37ec111352b9102832

SHA256
066bd9a9e327df4422beb4922e49be328db8adc1b7c6fad7e4b5f1c47c5655c9

SHA512
82762abeade3df840095f95f0559a1a6164e62bae3ff74e547df22dc59034b3ac65a540065aba2434798a6d3a8915ac455d564e0ab885333601fffa32e3272d0

Download Submit
\6fRdt7E\common\Utility.dll

Filesize
70.2MB

MD5
ae9f772c2528060ba5ffd57e97c03f0c

SHA1
415672fbcfb626d466fc5ecc01fd9f2a015d310e

SHA256
fc137959ed93f94a3b5fa02d1540a790b82eecddd4f44d59537483ae6c2a5e25

SHA512
e6e1c593e54ca1332378c580cd5a723554650b37fa8fbdab4a64b1543ab218d79708a714d7cef69bac1fc46e53d1b1880d55869781a89bfa5391af45e1974c64

Download Submit
\Users\Admin\AppData\Local\Temp\7104410.tmp

Filesize
74.3MB

MD5
4cebbcb292215a2104d7846c32d5a3dc

SHA1
650215efe86e97834da73580d770d4edbee594bd

SHA256
17866b7f400b0b1fc2e24c33a7ebcd6abf4097d1d720fcf82cedcda290613bcb

SHA512
74aadb7ba242fe95279678e36cb7911ffdda9e22e15e6366b1193ba2307b085b8fdaa960e81562ad493942f127b586de2fa75f96a26730b8b1e657e24985b08b

Download Submit
\Users\Admin\AppData\Local\Temp\7104410.tmp

Filesize
74.3MB

MD5
4cebbcb292215a2104d7846c32d5a3dc

SHA1
650215efe86e97834da73580d770d4edbee594bd

SHA256
17866b7f400b0b1fc2e24c33a7ebcd6abf4097d1d720fcf82cedcda290613bcb

SHA512
74aadb7ba242fe95279678e36cb7911ffdda9e22e15e6366b1193ba2307b085b8fdaa960e81562ad493942f127b586de2fa75f96a26730b8b1e657e24985b08b

Download Submit
memory/308-64-0x0000000000000000-mapping.dmp

Download
memory/564-72-0x0000000000000000-mapping.dmp

Download
memory/944-58-0x0000000000000000-mapping.dmp

Download
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1624-73-0x0000000000000000-mapping.dmp

Download
memory/1640-67-0x0000000000000000-mapping.dmp

Download
memory/1652-61-0x0000000000000000-mapping.dmp

Download