Analysis
-
max time kernel
151s -
max time network
104s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
02/12/2022, 22:05
Static task
static1
Behavioral task
behavioral1
Sample
e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
Resource
win10v2004-20220812-en
General
-
Target
e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
-
Size
1.3MB
-
MD5
f60f1039d3d2edb2aac7114ad53c973b
-
SHA1
0f1a1f068b50726f1b31d32f2a848d89eff6fd57
-
SHA256
e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f
-
SHA512
03e321a7fbdea343f95ed47533fd30ad2955b714b8a6d494c00c556d5e178ef11e7e1052b0660fc7f75af523496121dc79006d792e1028c9065aae302bfa8428
-
SSDEEP
24576:gZusv/DwNLHPJH6pYCkeKW/8XwQmRtPF+mviWavPzGLgO2uptmh:vsv/GvtkHKW/8XwQUhahyLgwpt+
Malware Config
Signatures
-
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | serverr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sqlserver.exe
Writing EnableLUA under HKLM only succeeds because the sandbox user is already elevated, and the value takes effect at the next reboot: this disables UAC for future sessions rather than bypassing a prompt during this run.
Executes dropped EXE 2 IoCs
pid | Process
1224 | serverr.exe
2032 | sqlserver.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
pid | Process
520 | netsh.exe
524 | netsh.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\74b62a045122cbb3b8a2a67a7555083b.exe | sqlserver.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\74b62a045122cbb3b8a2a67a7555083b.exe | sqlserver.exe
Loads dropped DLL 6 IoCs
pid | Process
1992 | e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe (4 loads)
1224 | serverr.exe (2 loads)
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\74b62a045122cbb3b8a2a67a7555083b = "\"C:\\Program Files (x86)\\sqlserver.exe\" .." | sqlserver.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\74b62a045122cbb3b8a2a67a7555083b = "\"C:\\Program Files (x86)\\sqlserver.exe\" .." | sqlserver.exe
The same 32-hex-character value name is also used for the Startup-folder copy, and the Run entry is written under both the user hive and the 32-bit (Wow6432Node) view of the machine hive, so cleaning only one of the two leaves the persistence in place.
Checks whether UAC is enabled 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | serverr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | serverr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sqlserver.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sqlserver.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\sqlserver.exe | serverr.exe
File opened for modification | C:\Program Files (x86)\sqlserver.exe | serverr.exe
File opened for modification | C:\Program Files (x86)\sqlserver.exe.log | sqlserver.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the heuristic. The only supporting IoC in this run is the read-only open of \??\D: listed under "Enumerates connected drives"; no file encryption or ransom note is reported, so the ransomware label is weak on its own, and the persistence and firewall changes are the stronger signals in this report.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1992 | e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe (2 rows)
Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
Token: 33 | 1984 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1984 | AUDIODG.EXE
Token: 33 | 1984 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1984 | AUDIODG.EXE
Token: SeDebugPrivilege | 1224 | serverr.exe
Token: 33 | 1224 | serverr.exe
Token: SeIncBasePriorityPrivilege | 1224 | serverr.exe
Token: SeDebugPrivilege | 2032 | sqlserver.exe
Token: 33 | 2032 | sqlserver.exe
Token: SeIncBasePriorityPrivilege | 2032 | sqlserver.exe
"Token: 33" is privilege LUID 33, SeIncreaseWorkingSetPrivilege. The AUDIODG.EXE rows are the Windows audio engine's routine privilege adjustments (it is not in the sample's process tree); the rows to note are the SeDebugPrivilege requests by serverr.exe and sqlserver.exe, the privilege a process needs to open and write to processes it does not own.
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1776 | DllHost.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1992 | e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe (2 rows)
2032 | sqlserver.exe
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 1992 wrote to memory of 1224 | 1992 | e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe | 27 (4 rows)
PID 1224 wrote to memory of 2032 | 1224 | serverr.exe | 29 (4 rows)
PID 2032 wrote to memory of 520 | 2032 | sqlserver.exe | 30 (4 rows)
PID 2032 wrote to memory of 524 | 2032 | sqlserver.exe | 31 (4 rows)
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | serverr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sqlserver.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe  (PID 1992)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MMBPlayer\serverr.exe  (PID 1224)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\serverr.exe"
      - UAC bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Program Files (x86)\sqlserver.exe  (PID 2032)
          cmdline: "C:\Program Files (x86)\sqlserver.exe"
          - UAC bypass
          - Executes dropped EXE
          - Drops startup file
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
            C:\Windows\SysWOW64\netsh.exe  (PID 520)
              cmdline: netsh firewall add allowedprogram "C:\Program Files (x86)\sqlserver.exe" "sqlserver.exe" ENABLE
              - Modifies Windows Firewall
            C:\Windows\SysWOW64\netsh.exe  (PID 524)
              cmdline: netsh firewall add allowedprogram "C:\Windows\SysWOW64\wscript.exe" "wscript.exe" ENABLE
              - Modifies Windows Firewall

C:\Windows\system32\AUDIODG.EXE  (PID 1984, not spawned by the sample)
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x468
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe  (PID 1776, not spawned by the sample)
  cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow

The chain is dropper (1992) -> serverr.exe extracted to %TEMP%\MMBPlayer (1224) -> a copy installed as "C:\Program Files (x86)\sqlserver.exe" (2032), which then sets persistence and opens two inbound firewall exceptions. No process in this run launches wscript.exe, so the second exception is worth hunting for on its own. AUDIODG.EXE and DllHost.exe are top-level system processes that the sandbox logged alongside the sample, not children of it.
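As an added example (not the sandbox's output and not code from the sample), the following Python turns the signatures above and the process tree into detection checks run over constructed events modelled on this report's IoCs. The event field names, the `netsh advfirewall` branch of the firewall regex and the ATT&CK technique IDs in the comments are this example's own additions; the report itself only maps to "MITRE ATT&CK Enterprise v6" without listing techniques.

```python
"""Detection checks for the behaviours in this report (added example)."""
import re
from collections import defaultdict
from pprint import pprint

# Constructed telemetry modelled on the report's IoCs. Assumption: a Sysmon-like
# feed already normalised into dicts; the field names are this example's own.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe")
POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
VALUE = "74b62a045122cbb3b8a2a67a7555083b"
RUNCMD = r'"C:\Program Files (x86)\sqlserver.exe" ..'
EVENTS = [
    {"type": "process", "pid": 1992, "ppid": 0, "image": SAMPLE, "cmdline": ""},
    {"type": "process", "pid": 1224, "ppid": 1992, "cmdline": "",
     "image": r"C:\Users\Admin\AppData\Local\Temp\MMBPlayer\serverr.exe"},
    {"type": "process", "pid": 2032, "ppid": 1224, "cmdline": "",
     "image": r"C:\Program Files (x86)\sqlserver.exe"},
    {"type": "process", "pid": 520, "ppid": 2032, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Program Files (x86)\sqlserver.exe" "sqlserver.exe" ENABLE'},
    {"type": "process", "pid": 524, "ppid": 2032, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Windows\SysWOW64\wscript.exe" "wscript.exe" ENABLE'},
    {"type": "registry", "pid": 1224, "image": "serverr.exe", "key": POLICY, "name": "EnableLUA", "data": "0"},
    {"type": "registry", "pid": 2032, "image": "sqlserver.exe", "key": POLICY, "name": "EnableLUA", "data": "0"},
    {"type": "registry", "pid": 2032, "image": "sqlserver.exe", "name": VALUE, "data": RUNCMD,
     "key": r"\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "registry", "pid": 2032, "image": "sqlserver.exe", "name": VALUE, "data": RUNCMD,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "file", "pid": 2032, "image": "sqlserver.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" + "\\" + VALUE + ".exe"},
]

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
# Legacy "netsh firewall add allowedprogram <path>" (the form in this report) and the
# "netsh advfirewall firewall add rule ... program=<path>" form used on newer Windows.
NETSH_ALLOW = re.compile(
    r'netsh\s+(?:firewall\s+add\s+allowedprogram\s+"([^"]+)"'
    r'|advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram="?([^"\s]+))', re.I)


def detect_uac_disable(events):
    """EnableLUA=0 under Policies\\System switches UAC off from the next reboot (T1548.002)."""
    return [e for e in events if e["type"] == "registry"
            and e["key"].lower().endswith("\\policies\\system")
            and e["name"].lower() == "enablelua" and str(e["data"]) == "0"]


def detect_run_key(events):
    """Run-key persistence (T1547.001): a value named by a bare 32-hex string, or a command
    ending in the ' ..' argument, are the two oddities visible in this report's Run entries."""
    return [e for e in events if e["type"] == "registry"
            and "\\currentversion\\run" in e["key"].lower()
            and (HEX32.match(e["name"]) or e["data"].rstrip().endswith(" .."))]


def detect_startup_drop(events):
    """An .exe written into a per-user Startup folder (T1547.001)."""
    return [e for e in events if e["type"] == "file"
            and "\\start menu\\programs\\startup\\" in e["path"].lower()
            and e["path"].lower().endswith(".exe")]


def detect_firewall_exception(events):
    """netsh used to whitelist a program (T1562.004); returns (pid, whitelisted path)."""
    hits = []
    for e in events:
        m = NETSH_ALLOW.search(e.get("cmdline", "")) if e["type"] == "process" else None
        if m:
            hits.append((e["pid"], m.group(1) or m.group(2)))
    return hits


def build_process_tree(events, root_pid):
    """Rebuild the parent/child tree the 'Processes' section shows (the WriteProcessMemory
    rows above are the same parent-to-child pairs) as nested {pid: [children]} dicts."""
    children = defaultdict(list)
    for e in events:
        if e["type"] == "process":
            children[e["ppid"]].append(e["pid"])

    def walk(pid):
        return {pid: [walk(c) for c in sorted(children[pid])]}
    return walk(root_pid)


def triage(events, root_pid=1992):
    """Run every check and return one summary dict."""
    return {
        "uac_disabled_by": sorted({e["image"] for e in detect_uac_disable(events)}),
        "run_keys": [(e["key"], e["name"]) for e in detect_run_key(events)],
        "startup_drops": [e["path"] for e in detect_startup_drop(events)],
        "firewall_exceptions": detect_firewall_exception(events),
        "tree": build_process_tree(events, root_pid),
    }


if __name__ == "__main__":
    pprint(triage(EVENTS))
```

Run as a script it prints the summary for the constructed events; on real telemetry the Run-key heuristics (hex-only value name, trailing ` ..` argument) will fire on this family's install pattern but should be tuned before use as a standing rule, and `build_process_tree` expects every process event to carry a parent PID.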
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
62KB
MD5
3edb0d68414bb303c7b1088f571519cd
SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18
SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240
SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69