e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f

Analysis

max time kernel
151s
max time network
104s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
Size

1.3MB
MD5

f60f1039d3d2edb2aac7114ad53c973b
SHA1

0f1a1f068b50726f1b31d32f2a848d89eff6fd57
SHA256

e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f
SHA512

03e321a7fbdea343f95ed47533fd30ad2955b714b8a6d494c00c556d5e178ef11e7e1052b0660fc7f75af523496121dc79006d792e1028c9065aae302bfa8428
SSDEEP

24576:gZusv/DwNLHPJH6pYCkeKW/8XwQmRtPF+mviWavPzGLgO2uptmh:vsv/GvtkHKW/8XwQUhahyLgwpt+

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	serverr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sqlserver.exe

Executes dropped EXE 2 IoCs

pid	Process
1224	serverr.exe
2032	sqlserver.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
520	netsh.exe
524	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\74b62a045122cbb3b8a2a67a7555083b.exe	sqlserver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\74b62a045122cbb3b8a2a67a7555083b.exe	sqlserver.exe

Loads dropped DLL 6 IoCs

pid	Process
1992	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
1992	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
1992	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
1992	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
1224	serverr.exe
1224	serverr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\74b62a045122cbb3b8a2a67a7555083b = "\"C:\\Program Files (x86)\\sqlserver.exe\" .."	sqlserver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\74b62a045122cbb3b8a2a67a7555083b = "\"C:\\Program Files (x86)\\sqlserver.exe\" .."	sqlserver.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sqlserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	serverr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	serverr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sqlserver.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sqlserver.exe	serverr.exe
File opened for modification	C:\Program Files (x86)\sqlserver.exe	serverr.exe
File opened for modification	C:\Program Files (x86)\sqlserver.exe.log	sqlserver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1992	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
1992	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	1984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1984	AUDIODG.EXE
Token: 33	1984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1984	AUDIODG.EXE
Token: SeDebugPrivilege	1224	serverr.exe
Token: 33	1224	serverr.exe
Token: SeIncBasePriorityPrivilege	1224	serverr.exe
Token: SeDebugPrivilege	2032	sqlserver.exe
Token: 33	2032	sqlserver.exe
Token: SeIncBasePriorityPrivilege	2032	sqlserver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1776	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1992	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
1992	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
2032	sqlserver.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1224	1992	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe	27
PID 1992 wrote to memory of 1224	1992	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe	27
PID 1992 wrote to memory of 1224	1992	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe	27
PID 1992 wrote to memory of 1224	1992	e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe	27
PID 1224 wrote to memory of 2032	1224	serverr.exe	29
PID 1224 wrote to memory of 2032	1224	serverr.exe	29
PID 1224 wrote to memory of 2032	1224	serverr.exe	29
PID 1224 wrote to memory of 2032	1224	serverr.exe	29
PID 2032 wrote to memory of 520	2032	sqlserver.exe	30
PID 2032 wrote to memory of 520	2032	sqlserver.exe	30
PID 2032 wrote to memory of 520	2032	sqlserver.exe	30
PID 2032 wrote to memory of 520	2032	sqlserver.exe	30
PID 2032 wrote to memory of 524	2032	sqlserver.exe	31
PID 2032 wrote to memory of 524	2032	sqlserver.exe	31
PID 2032 wrote to memory of 524	2032	sqlserver.exe	31
PID 2032 wrote to memory of 524	2032	sqlserver.exe	31

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	serverr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sqlserver.exe

C:\Users\Admin\AppData\Local\Temp\e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe
"C:\Users\Admin\AppData\Local\Temp\e78b73e8cc52a754938328bc1975e0d4e7896577ba9a0f8ac8d50de9a3db7b4f.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\serverr.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\serverr.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1224
- - C:\Program Files (x86)\sqlserver.exe
    "C:\Program Files (x86)\sqlserver.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2032
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Program Files (x86)\sqlserver.exe" "sqlserver.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:520
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\SysWOW64\wscript.exe" "wscript.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:524

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sqlserver.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
C:\Program Files (x86)\sqlserver.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\Serverr.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\serverr.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
\Program Files (x86)\sqlserver.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
\Program Files (x86)\sqlserver.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\Serverr.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\Serverr.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\Serverr.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\Serverr.exe

Filesize
62KB

MD5
3edb0d68414bb303c7b1088f571519cd

SHA1
f4f891f477a5b9ce6babb515cea7736f3b570c18

SHA256
73f44169a97696ce7701455ff4eb02677ca3eecace96f3597e4eefd3bfe6f240

SHA512
0a8cffb39df9d38d391f2035b0829b8aa926a5c536172fa1499d6352a8b07592f333cb5f7eeb1e72bc0817ac175807e38992a1982dbcc70cb222f4b6c22a5b69

Download Submit
memory/1224-65-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1224-66-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1224-73-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1992-55-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2032-76-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-79-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download