Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2022 22:17
Behavioral tasks
behavioral1 | Sample: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe | Resource: win7-20220901-en
behavioral2 | Sample: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe | Resource: win10v2004-20220901-en
General
Target: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Size: 635KB
MD5: f9bb77131d91d3f78bbe5a3451774c5d
SHA1: 8fc14ed6bdcee4ccc1371cd4a47a74caea3419f5
SHA256: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb
SHA512: 05d157ed6295e96b42eaff1d74cd2c59d04f8f7b5b4a6aed272e8572212f45325ae42d0b0445ce7cdb0f43f68c34437952e32b463b04a21831a90cda0e0e21aa
SSDEEP: 12288:bpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/bB:twAcu99lPzvxP+Bsz2XjWTRMQckkIXnl
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe, sys.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Drivers\\sys.exe" | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Drivers\\sys.exe,C:\\Windows\\system32\\Drivers\\sys.exe" | sys.exe
Drops file in Drivers directory (6 IoCs)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe, sys.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Drivers\sys.exe | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
File opened for modification | C:\Windows\SysWOW64\Drivers\ | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
File created | C:\Windows\SysWOW64\Drivers\sys.exe | sys.exe
File opened for modification | C:\Windows\SysWOW64\Drivers\sys.exe | sys.exe
File opened for modification | C:\Windows\SysWOW64\Drivers\ | sys.exe
File created | C:\Windows\SysWOW64\Drivers\sys.exe | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Executes dropped EXE (1 IoC)
Processes: sys.exe
pid | process
3552 | sys.exe
Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe, sys.exe, explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | sys.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe, sys.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys = "C:\\Windows\\system32\\Drivers\\sys.exe" | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | sys.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys = "C:\\Windows\\system32\\Drivers\\sys.exe" | sys.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: sys.exe
description | pid | process | target process
PID 3552 set thread context of 3304 | 3552 | sys.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: sys.exe, explorer.exe, 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | sys.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | sys.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | sys.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | sys.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe, sys.exe, explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | sys.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Modifies registry class (1 IoC)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: explorer.exe
pid | process
3304 | explorer.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe, sys.exe, explorer.exe
Token privileges adjusted, grouped by process:
PID 4396 (433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe), 24 entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
PID 3552 (sys.exe), 24 entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
PID 3304 (explorer.exe), 16 entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe, sys.exe
description | pid | process | target process
PID 4396 wrote to memory of 4720 | 4396 | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe | explorer.exe
PID 4396 wrote to memory of 4720 | 4396 | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe | explorer.exe
PID 4396 wrote to memory of 4720 | 4396 | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe | explorer.exe
PID 4396 wrote to memory of 3552 | 4396 | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe | sys.exe
PID 4396 wrote to memory of 3552 | 4396 | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe | sys.exe
PID 4396 wrote to memory of 3552 | 4396 | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe | sys.exe
PID 3552 wrote to memory of 3304 | 3552 | sys.exe | explorer.exe
PID 3552 wrote to memory of 3304 | 3552 | sys.exe | explorer.exe
PID 3552 wrote to memory of 3304 | 3552 | sys.exe | explorer.exe
PID 3552 wrote to memory of 3304 | 3552 | sys.exe | explorer.exe
PID 3552 wrote to memory of 3304 | 3552 | sys.exe | explorer.exe
Processes (process tree; the number after each entry is its depth)
1: C:\Users\Admin\AppData\Local\Temp\433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe"
   - Modifies WinLogon for persistence
   - Drops file in Drivers directory
   - Checks BIOS information in registry
   - Checks computer location settings
   - Adds Run key to start application
   - Checks processor information in registry
   - Enumerates system info in registry
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2: C:\Windows\SysWOW64\explorer.exe
      command line: "C:\Windows\SysWOW64\explorer.exe"
   2: C:\Windows\SysWOW64\Drivers\sys.exe
      command line: "C:\Windows\system32\Drivers\sys.exe"
      - Modifies WinLogon for persistence
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3: C:\Windows\SysWOW64\explorer.exe
         command line: "C:\Windows\SysWOW64\explorer.exe"
         - Checks BIOS information in registry
         - Adds Run key to start application
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\SysWOW64\Drivers\sys.exe
  Filesize: 635KB
  MD5: f9bb77131d91d3f78bbe5a3451774c5d
  SHA1: 8fc14ed6bdcee4ccc1371cd4a47a74caea3419f5
  SHA256: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb
  SHA512: 05d157ed6295e96b42eaff1d74cd2c59d04f8f7b5b4a6aed272e8572212f45325ae42d0b0445ce7cdb0f43f68c34437952e32b463b04a21831a90cda0e0e21aa
C:\Windows\SysWOW64\drivers\sys.exe
  Filesize: 635KB
  MD5: f9bb77131d91d3f78bbe5a3451774c5d
  SHA1: 8fc14ed6bdcee4ccc1371cd4a47a74caea3419f5
  SHA256: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb
  SHA512: 05d157ed6295e96b42eaff1d74cd2c59d04f8f7b5b4a6aed272e8572212f45325ae42d0b0445ce7cdb0f43f68c34437952e32b463b04a21831a90cda0e0e21aa
Memory dumps
memory/3304-136-0x0000000000000000-mapping.dmp
memory/3304-137-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
memory/3304-138-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
memory/3304-139-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
memory/3304-140-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
memory/3304-141-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
memory/3552-133-0x0000000000000000-mapping.dmp
memory/4720-132-0x0000000000000000-mapping.dmp