b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca

Analysis

max time kernel
150s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
Size

116KB
MD5

524c27f6d056e45677f672609b1413c2
SHA1

5eef81612ac4a09aaa7376dd7e11e7b25cbac1a7
SHA256

b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca
SHA512

a702965cc804444ff10f07e2e4ff9bb3bd6da531abbb2dc1273d934e338b4b31f00bd0ecdd6f3ad05d2f7f46a07c00785d0615347821fa1f59b07c101491e0e3
SSDEEP

3072:EEfikWjjHN4uIBVG9JoiYdzpunPGQMC8LNdH:Jcjj2uIBVFRpgPpj8LNdH

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	sgcxcxxaspf080801.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\initnyuser = "C:\\Windows\\system32\\inf\\svchosd.exe C:\\Windows\\wftadfi16_080801a.dll tanlt88"	sgcxcxxaspf080801.exe

Executes dropped EXE 2 IoCs

pid	Process
1644	svchosd.exe
456	sgcxcxxaspf080801.exe

Deletes itself 1 IoCs

pid	Process
1644	svchosd.exe

Loads dropped DLL 3 IoCs

pid	Process
1752	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
1172	cmd.exe
1172	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\svchosd.exe	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchosd.exe	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
File created	C:\Windows\SysWOW64\inf\sppdcrs080801.scr	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
File created	C:\Windows\SysWOW64\inf\scsys16_080801.dll	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tawisys.ini	sgcxcxxaspf080801.exe
File opened for modification	C:\Windows\tawisys.ini	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
File created	C:\Windows\system\sgcxcxxaspf080801.exe	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
File created	C:\Windows\dcbdcatys32_080801a.dll	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
File created	C:\Windows\wftadfi16_080801a.dll	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
File opened for modification	C:\Windows\tawisys.ini	svchosd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1752	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
1752	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
456	sgcxcxxaspf080801.exe
456	sgcxcxxaspf080801.exe
456	sgcxcxxaspf080801.exe
456	sgcxcxxaspf080801.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
Token: SeDebugPrivilege	1752	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
Token: SeDebugPrivilege	456	sgcxcxxaspf080801.exe
Token: SeDebugPrivilege	456	sgcxcxxaspf080801.exe
Token: SeDebugPrivilege	456	sgcxcxxaspf080801.exe
Token: SeDebugPrivilege	456	sgcxcxxaspf080801.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1644	1752	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe	28
PID 1752 wrote to memory of 1644	1752	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe	28
PID 1752 wrote to memory of 1644	1752	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe	28
PID 1752 wrote to memory of 1644	1752	b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe	28
PID 1644 wrote to memory of 1172	1644	svchosd.exe	29
PID 1644 wrote to memory of 1172	1644	svchosd.exe	29
PID 1644 wrote to memory of 1172	1644	svchosd.exe	29
PID 1644 wrote to memory of 1172	1644	svchosd.exe	29
PID 1172 wrote to memory of 456	1172	cmd.exe	31
PID 1172 wrote to memory of 456	1172	cmd.exe	31
PID 1172 wrote to memory of 456	1172	cmd.exe	31
PID 1172 wrote to memory of 456	1172	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe
"C:\Users\Admin\AppData\Local\Temp\b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\inf\svchosd.exe
  "C:\Windows\system32\inf\svchosd.exe" C:\Windows\wftadfi16_080801a.dll tanlt88
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\system\sgcxcxxaspf080801.exe
      "C:\Windows\system\sgcxcxxaspf080801.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\inf\svchosd.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\inf\svchosd.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\system\sgcxcxxaspf080801.exe

Filesize
116KB

MD5
524c27f6d056e45677f672609b1413c2

SHA1
5eef81612ac4a09aaa7376dd7e11e7b25cbac1a7

SHA256
b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca

SHA512
a702965cc804444ff10f07e2e4ff9bb3bd6da531abbb2dc1273d934e338b4b31f00bd0ecdd6f3ad05d2f7f46a07c00785d0615347821fa1f59b07c101491e0e3

Download Submit
C:\Windows\system\sgcxcxxaspf080801.exe

Filesize
116KB

MD5
524c27f6d056e45677f672609b1413c2

SHA1
5eef81612ac4a09aaa7376dd7e11e7b25cbac1a7

SHA256
b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca

SHA512
a702965cc804444ff10f07e2e4ff9bb3bd6da531abbb2dc1273d934e338b4b31f00bd0ecdd6f3ad05d2f7f46a07c00785d0615347821fa1f59b07c101491e0e3

Download Submit
C:\Windows\tawisys.ini

Filesize
480B

MD5
0b2fff2947429ee9c3e0d346e819f78b

SHA1
521fd9a24b991c3463f8d968ade82017c9d7a450

SHA256
3de4a5f3e39c99f27ff3d2a1b80559fc9a2b438d817e1ec57241323fd9d5929e

SHA512
45aaa421de3f7bba0e9c631a62cc3a11a268ae5a2d93dccf58daacd4ff967ea04ebf4ec439f9768412c68568cd7cdc20cb4c0d11e18d0597c76a3b4787e61b0b

Download Submit
C:\Windows\tawisys.ini

Filesize
378B

MD5
206fc50b14bc8e2cec36cfa64384c5af

SHA1
fd34fff5f36481bcee9e323bc812f1f8bda15981

SHA256
bda3405bbf6b7f82afe2acb3c97400d0b5c2af610ee2c22c4bc256ab6e5d1385

SHA512
4470448fa770889789030236efb16b8bae70e2c523c65669d94599cf5be7d61d1d93a11fe562e1da8e8bc3e4cb1e8bd6df5bd8b7d9651c7f2f322f8803951ad2

Download Submit
C:\Windows\tawisys.ini

Filesize
423B

MD5
067cfba3cf4a3fdb897cb0ac77fae022

SHA1
ecdc2ba31f3af0ca3cdf30aff2ea5e6098e8b881

SHA256
bc1c1acae1ac25bebc9b109cee434745afc454650314c5bb57e49507f0b32756

SHA512
818cdcc0e3db53e8496c603128de8e6adc37138e8bb84e58c905512c00fc782152be49ad0e00c7078ead7803ad8b5d3cc1b0eafec2eb09297f5292d925f7f263

Download Submit
C:\Windows\tawisys.ini

Filesize
429B

MD5
fb928322286be3bdf4e698a62e9903d6

SHA1
7fbc9d7e8dd794eec5492bf9dd15feb602c922a3

SHA256
7875b1671b3fd34a2805341d94885bf31896b6c0a2fd60e0020c6a9b40104b88

SHA512
b54703573bd581dba3a9bd35242f8521d2d3e7de57cd09d69920d2a28cdaa26495c2b67ef15473f9f4267c7ab7c0c14f43e86233ec0802c1146a20c118d5707d

Download Submit
C:\Windows\wftadfi16_080801a.dll

Filesize
34KB

MD5
8a00069f2701c7b2b48e624d74c331ae

SHA1
9632f6ead3c7560aa13d009607008d26c9908b87

SHA256
85e6f93b87b98c1525c1d6ed0dbc0577bea977a8b90b1b6b47f76ee82e0e5b87

SHA512
5226254f0846edaa5befaf98e9664d64a604a696c7433c94838cc2cb460b86443fc69e30e5630c2b27aa1c15d082678a60d2e5e7feb1eba46817bf308254eb42

Download Submit
\??\c:\mylstecj.bat

Filesize
53B

MD5
cab5d14e5e7384392fe3a55fafcf1fad

SHA1
be6e2870800118af7177fa7b8b9e8d9e10ed4e41

SHA256
4de6870daa065cbf56ad16d3c9d1a3de93db7405a75823599328ecb319612473

SHA512
da92286579add6dbd1b10fdd1bf0b4ad5ee29251128d10b253fa93a028490a6c564d8af70e4a6e7f0518c0f1718b8f781d10f09c674497845f28cbe58ba1b4f3

Download Submit
\Windows\SysWOW64\inf\svchosd.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\system\sgcxcxxaspf080801.exe

Filesize
116KB

MD5
524c27f6d056e45677f672609b1413c2

SHA1
5eef81612ac4a09aaa7376dd7e11e7b25cbac1a7

SHA256
b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca

SHA512
a702965cc804444ff10f07e2e4ff9bb3bd6da531abbb2dc1273d934e338b4b31f00bd0ecdd6f3ad05d2f7f46a07c00785d0615347821fa1f59b07c101491e0e3

Download Submit
\Windows\system\sgcxcxxaspf080801.exe

Filesize
116KB

MD5
524c27f6d056e45677f672609b1413c2

SHA1
5eef81612ac4a09aaa7376dd7e11e7b25cbac1a7

SHA256
b26b1a45929ca2f6097f0e34f1b1b176b25cde1146d09d329bdd799d15d91eca

SHA512
a702965cc804444ff10f07e2e4ff9bb3bd6da531abbb2dc1273d934e338b4b31f00bd0ecdd6f3ad05d2f7f46a07c00785d0615347821fa1f59b07c101491e0e3

Download Submit
memory/456-67-0x0000000000000000-mapping.dmp

Download
memory/1172-62-0x0000000000000000-mapping.dmp

Download
memory/1644-56-0x0000000000000000-mapping.dmp

Download
memory/1752-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download